From Pennsylvania Kid to UNLV CISO: A Cybersecurity Career Journey with Vito Rocco | Ep041

Manuel: Welcome everyone. My name is Manuel Martinez and this is another episode of Career Downloads. For each episode, I basically hit the refresh button, bring on a different guest to learn more about their background, their experiences, and really what got them interested in technology and how they managed to navigate their career over time. For today’s episode, I have with me Vito Rocco. So I’m pretty excited about this one. So he is a CISO for UNLV and we’ll get into that conversation but a lot of his background, just the way that he navigated and eventually got into that type of role, I think is very interesting. So I’m looking forward to this conversation. And with that, I’ll go ahead and introduce Vito. How’s it going?

Vito: Great, thanks for having me.

Manuel: I appreciate you coming on and being able to share your experiences.

Vito: Yeah, absolutely. I’m glad to be here.

Manuel: So if you don’t mind, just kind of summarize for us and kind of give us some of your background is kind of where you grew up. And then we’ll kind of follow that story into what got you into technology.

Vito: So I grew up in Pennsylvania, little town north of Pittsburgh, Pennsylvania. And I’m the oldest of six kids. I have five brothers and sisters. And so grew up in a big family. And I sort of always had an interest in technology growing up. These were the days before every household had a computer. But my dad was a teacher. And so he had a computer in his classroom and every summer he got to bring home the computer. And so we had this, it was an Apple IIe computer that was sort of my first intro to technology or IT. And every summer we got to spend a lot of time, mostly playing games, but also I learned a little bit of BASIC, the coding language BASIC on there. And just a little bit about general, in general how to use a computer and how to navigate file systems and things like that, using the five and a quarter inch floppy disks. (both laughing) Yeah. Yeah, so that was kind of my start into it. And we had that computer every summer and my brothers and sisters and I spent a lot of hours on that sort of navigating it.

Manuel: And it’s funny because it probably at that time, it’s something fun, it’s something new, but especially at that time with computers being new, it wasn’t really like, oh, there’s a career in this. So it’s just, you’re just curious and you’re learning that. And I’m sure at some point you’re also, because it sounds, I remember my kind of first experiences with computers too when I got to school, like I remember the Oregon Trail. So like, you had the computer class and you were doing a lot of that.

Vito: Absolutely.

Manuel: It wasn’t a career, but you enjoyed that. And then, that was your first introduction. What kind of transpired from there?

Vito: Yeah, so I mean, I continued to want to learn about it. Like you said, at the time, I wasn’t really thinking of it as a career field or something to do for a living, but it was something that intrigued me and interests me. And so, I wanted to get more into it. And so, using and learning more about the computers. And like, it’s funny you mentioned the Oregon Trail. I just said, I said the other day to my wife, look, you weren’t a kid in the eighties if you didn’t die of dysentery at least once, right? We all died of dysentery at least once. But yeah, things like that were, sort of held my interest around it. And I, maybe I didn’t even realize at the time that I was sort of learning about technology at the same time while playing these entertaining games and these interesting games. And so, from there, as I got older, I sort of kept that interest and that want to learn more about technology. And I started building my own computers in high school, the early days of high school. And I sort of became the tech guy that people would come to and ask questions like, oh, we don’t know how to do this on the computer. Let’s ask Vito about it. And that sort of thing. So I sort of evolved and just kept being intrigued by technology and by computers and kept learning more and more from there.

Manuel: And the need or the want to kind of build computers, was it, did you, I’ve had different people give me different stories. Was it, I wanted something better and faster? Was it really, I just want to see how this works?

Vito: Yeah, it was more the latter for me. Like I want to know how it works, how all the pieces go together, how these things interact with each other. Sort of that like MacGyver mindset. You’ve watched the TV show MacGyver probably, you’re about the same generation as me. So knowing the science behind things and how things work and how you can put different things together to do something that maybe they weren’t intended to do. But I had that same intrigue with computers, like how do all these parts work together? How do I put them together and get them to work the way I want them to work?

Manuel: Obviously just curiosity is helping build this. You’re continuing to go to school at some point. Like you said, we’re probably around the same generation. At one point, it almost starts to become kind of a requirement. Probably around high school time, like you have to, they want your papers typed. So you’ve got to print them out and do a lot of that. What did you think, at least around the high school age, what did you think that you were gonna do? Because again, technology was not it. This is a tool, it’s a fun thing to do. You’re curious, but what did you think was gonna happen?

Vito: Yeah, at that point in my life, I still didn’t really know what I wanted to do. And in the later days of high school, I started looking toward the military, which is where I ended up going eventually. But I didn’t even know then that I would have a career in technology or that I wanted a career in technology. I was thinking about a lot of different career fields in the military and thought about things like the cool jobs that everybody wants to do, special operations or something like that. And I wasn’t really sure how I would make a career out of that military training or service after the military. I wasn’t at the point of even thinking about that yet. But I ended up going into the military and I actually enlisted not in a technical field at all. I enlisted in the field artillery field and I was a forward observer for field artillery for a while. And so I was in there for a couple of years and did some time in that career field and then I had a chance to reclassify. And like I said, this interest I had always had in technology sort of led me to reclassify into a tech field in the military.

Manuel: And during that time, that reclassification process, is it, are they posting jobs? I’m vaguely familiar with how it works. A lot of times there’s like contract terms, right? Like your artillery for, let’s say a four year period and then you can reclassify, right? Is it something similar to that?

Vito: Yeah, so a lot of it is based on contract terms. A lot of it’s also based on the needs in the military and certain career fields are higher need or they have trouble getting more people for that. Certain career fields, you have to have a certain ASVAB score, which is the test we all take to get into the military. You have to have a certain level of ASVAB score and so it’s harder to get more people into those career fields because not everyone scores at that level. And so based on a lot of different factors, but if there’s a need there, in this case, technology was becoming a bigger thing in the military. It was starting to pick up, we were starting to see more and more needs around IT and information security and those types of things. And so they were having trouble getting people into those career fields. And so there was an opportunity there. We’re looking for people who have tech background, who have tech skills, who have an interest in learning these things. And it worked out for me because I fit the bill on all of this.

Manuel: And I’m sure at that time, did you get to travel a lot prior, like being at the front in the artillery? I’m sure the newness of that at the same time had probably worn off because part of the reason is, hey, the cool military, hey, I wanna do these types of roles. I’ve talked to other people, I don’t know if you got to travel, but a little bit of that traveling. And eventually you’re like, maybe this isn’t for me. I kinda wanna do tech.

Vito: Well, yeah, not just the traveling, but sort of, I went into the artillery because it’s like, whoo, whoo, that’s the hard charging thing to do. I wanna be on the front lines, I wanna go into battle. And then you get a little taste of that and you realize, that’s not all it’s cracked up to be, right? Maybe I wanna sit at a desk, maybe I wanna sit at a computer a little more. And so that’s sort of, I think as you grow up and you mature a little bit, that your perspective on things kinda changes.

Manuel: Going into the tech field, they did, I’m assuming the training and as part of that process. So what exactly did you start doing to start off with?

Vito: Yeah, so one thing, however you feel about the military, if you like it or hate it, there’s one thing I think we can pretty much all agree on is that the US military trains their people better than anybody else in the world. They will train you for whatever your job is, whether that’s cyber security or whether you’re a truck driver or a cook, they will train you to do that job to the absolute peak of your ability there. So they have plenty of training available. They have good training available. So when I first started in the tech field, it was, these were before the days of Army Cyber Command or anything like that. And these tech jobs were part of the Signal Corps actually. So I was a computer systems specialist, I think was the MOS 25 Bravo. And so I got a lot of training initially around sort of system administration and Microsoft certifications and those type of things. And that’s kind of where I started doing that sort of sys admin type work. And then as there became more opportunities and more prevalence around cyber security, I was able to move into some of that training and then move into some of those job positions. And I got out of the military in 2012. And so those were the very early days of Army Cyber Command. But nowadays, young people going into the military have so many more opportunities in cyber. And I’m a little jealous of the people going into the military today and some of the new MOSs that have been created specifically around cyber and focused on cyber. But I sort of took a roundabout way to get to cyber security.

Manuel: As that systems engineer, and again, it just me not knowing and being curious, are you the systems engineer for a base? Are you doing it for the wider military? Because I’m guessing that there’s sections within there. So I’m just curious, what size of environment were you kind of managing? Kind of what are the size of the groups? Like how does that work out?

Vito: Yeah, that’s a great question. And so sort of the same way you see in a corporate structure where you have like maybe an associate system administrator and then they move up to a journey level and then a senior or something like that, sort of that’s how rank works in the military also. And as you move up in that MOS, you move up in rank as well. And as you get higher and more experienced, you’re probably handling a wider scope of responsibility. So you may start out doing IT or doing systems administration for a small unit, a company or a battalion size unit. And then as you get more experienced and you move up in rank, you may move up to a brigade or a division size unit. And then eventually there are people doing this for all army and handling the sort of the big installations around the country, which are then within those broken down into smaller units.

Manuel: So that’s pretty cool, like thinking about it now because to kind of in the corporate structure to be able to do that, sure, you can move up and, like you said, in rank or in title and move up and say, I might start as a junior, now I’m the senior sys admin, but you’re also at the same time that you’re doing that, unless the company is growing at that same rate, your environment’s not growing unless you’re going somewhere else. So that’s kind of unique.

Vito: Right, it is. And I mean, when you think about what a massive machine the US Army is and the US military especially, but even just the army itself, there aren’t many companies that compare to the scale of that. You might see companies like a GE or a Boeing or something like that, that are massive companies that have sort of on the same scale, but there’s not many companies that measure up to the scale of the military.

Manuel: So that’s gotta be a very unique experience then, because as your skill sets growing, so is the environment. So it’s almost, I don’t know if your skill set is growing because the environment’s growing or if the environment’s growing for you as your skill sets growing, because I mean, I can just think of when I was trying to learn and for example, scripting of multiple machines, like I could do it at scale in a lab, okay, maybe I had two or three machines, right? Because you didn’t wanna do it at a production or even within production, okay, maybe I work for this company and maybe there’s 50 employees, maybe there’s a hundred, which for a single person you can deal with and you’re like, ah, it’s okay to have mistakes, but now as you’re starting to grow, I’m like, all right, well now we’re dealing with thousands, hundreds of thousands, like that’s interesting.

Vito: Yeah, and the way the military breaks those things down and all they’re going from a squad to a platoon, to a company, to a battalion, they’re broken down so that they can scale and you can manage. And even at the whole army size, if you’re responsible for the whole army, you may be handling five or six divisions and then within those divisions, there’s a number of each one has a number of brigades and then a number of battalions within each of those brigades. And so they’re broken down into more manageable bites there, but it’s still, it’s a massive number of people when you start to think about it.

Manuel: So then you’re building up all the skillset, you’re moving up and you mentioned at some point you kind of start moving out as that’s cybersecurity area. Yeah. So what was that kind of transition or what made you kind of start looking that route?

Vito: Well, again, driven by sort of that curiosity and that innate need that I had to just learn new things and learn more about things that were developing and becoming more prevalent. And there were a couple of schools that were offered, go and learn about cybersecurity. And I had a couple of chances to attend training and attend these schools. And I found that I really had an interest in it, had something of a talent for it. And that there was so much challenge around cybersecurity. And it was at that point that I kind of saw, I kind of saw that as the future. Like there’s gonna be a lot more of this to do as we go. And turns out I was right. But yeah, I think that maybe when I went into cybersecurity this is the first time I really started seeing IT and cybersecurity as a career after the military. And knowing that companies are gonna need these skills, knowing that employers are gonna need these skills, that’s where I really started looking at it like, hey, I can do this when I get out of the military. I can make money beyond the military with these skills.

Manuel: Within there, so I know that the military’s teaching a lot, how are you going to these skills? But what are the opportunities for you to either learn on your own or with peers? Do they give you access? Again, just kind of coming from the corporate side. Sometimes you can get your employer to pay for training. Sometimes they have lab environments. Sometimes production may or may not be the lab environment. I mean, not speaking from experience. But I’m just curious, like how are you, how do you have the ability to grow your skillset outside of what they’re teaching you and what you’re working on day to day?

Vito: Yeah, I like what you said there, first of all. I always like to say that every company has a test environment. Some are just lucky enough to have it separate from production. So yeah, that happens for sure. But yeah, so they offer the formal training and there’s a lot of training, a lot of schools, a lot of online virtual learning that the military gives you access to. But at some point you have to have that motivation, that intrinsic want to learn on your own too. And as I remember as a young man in the military, going back to my barracks room at night or the apartment when I lived off base and building home labs and doing CTFs and downloading virtual images that were vulnerable and scanning them for vulnerabilities and exploiting things and sort of learning on my own. And so I would do cybersecurity all day at work and then I was that nerd who went home at night and did more cybersecurity. But yeah, you have to sort of want to learn on your own I think in order to really move your skills forward.

Manuel: So it doesn’t sound like it’s that different from a corporate environment, right? Like it’s really, they give you the resources or even if they don’t, I mean in both situations, it’s really on you to kind of progress and do as much or as little as you want.

Vito: Yeah, and I mean, just like any other job, like you can come in and do your nine to five and collect a paycheck at the end of the day and do that same job for the next 30 years probably. Or you can develop in your own time, build your skills, move up, increase in responsibility, increase in money, increase whatever you wanna do, but that has to be on you, that has to be on you to be motivated to learn and to pursue those things. So yeah, it’s no different than anywhere else, I don’t think.

Manuel: And now that ability to wanna learn and you kind of saw a little bit of like, hey, this could be something I can do outside of just doing it for the military. Was that also a reason for you to continue that education and say, hey, I’m gonna take advantage of everything I have here and transfer it?

Vito: Absolutely, yeah. I mean, I saw that as a huge benefit of being in the military. They were paying for these certification tests that cost a couple hundred to several hundred dollars each test and I got Microsoft certifications and I got my CISSP and I got some Cisco certs and some other security certs around that, some of the CompTIA stuff. The military paid for all of that. If you were willing to go and do the training and go and take the test, they’d pay for it. They had no qualms about that. And so yeah, I was very motivated to take advantage of as much of that as I could before I got out of the military because you may be lucky enough to have a civilian employer that pays for those things, but not everyone does, yeah.

Manuel: So how long did you spend in that role or I guess in the military when you moved over to the tech, the whole sys admin to cybersecurity, like what was the timeframe for that? And then how did you kind of envision your transition out?

Vito: Yeah, so I spent probably about the last eight years that I was in the military in sort of cybersecurity roles, various roles within cybersecurity. And I did a number of different things within the cybersecurity umbrella. For a short time, I did like digital forensics and I worked for CID, the Criminal Investigative Division, actually investigating crimes within the military and doing digital forensics and things like that. I did some red teaming stuff for a while with a red team within the army. And we were sort of testing security on bases and both physical security and network security. So some of that stuff. And then I, so that was about the last eight years of my military career. And I kind of got to a point in the military where I was maxed out on rank and I wasn’t gonna get promoted unless I made a significant move or spent several more years there. And I talked to my wife about it at the time. And we were like, “It’s probably time for a change.” And so I got out of the military. Again, no complaints about my military time. No, I don’t have anything bad to say about the military. It was great for me, but it was just time to move on to something else. And so I decided to move on and see what I could do with those skills that I acquired in the military and move out into the civilian world.

Manuel: And you said something there, doing kind of the digital forensics, doing the red teaming, a lot of that. Were there areas, I think a lot of times people hear cybersecurity and they’re just like, “Oh, okay, well cybersecurity is this.” Same thing with like, “Oh, I wanna get into tech and IT.” Well, it’s this huge, right? I do systems administration cloud, that’s this part of everything. But even within there, that’s huge. Cybersecurity is the same way. Were there certain areas that as you did it, you’re like, “I don’t really like this.” So for example, at one point I thought I wanted to be a network engineer. I did it, I enjoyed it to a point, but then I really realized this isn’t for me.

Vito: Yeah.

Manuel: Did you kind of have a lot of that or something similar as you’re doing these different realms within cybersecurity? Like, is there something that you’re like, “I don’t like this, man, I really like this.”

Vito: Yeah, absolutely. And it’s interesting that you say that because I used to be able to, in the early days when I started in cybersecurity, you could kind of be a security generalist and get a little bit of everything. And now it’s evolved to the point where cybersecurity is so specialized and there’s so many little niche areas that you can specialize in. And you really have to sort of maybe get a taste of a bunch of those and figure out what you wanna specialize in and then really focus on that area. But I got a chance to do quite a few of those areas. And there were definitely ones that I like better than others. I’m not a big fan of the whole auditing and compliance sort of side of cybersecurity, which is ironic because as a CISO, I sort of oversee that now, the compliance and the risk. But that’s definitely not my favorite. I’ll always be a tech guy at heart. I like to say I’ll always be a hacker at heart. I like the technical security stuff. I like the red team stuff. I like penetration testing, physical penetration testing, network penetration testing. So that stuff is fun and exciting, but it’s kind of like the sexy side of cybersecurity. Everyone wants to be a pen tester. Everyone wants to break into stuff and get into stuff. But there’s a lot of other areas of cybersecurity that are really important and can be really interesting. And each one appeals to people a little differently, just depending on your personality or how you see these things.

Manuel: And it’s gonna go back to that curiosity is asking people within cyber, like what do you do? What do you think is available? What’s not available? And I think that’s something a lot of people don’t realize you have to do at any stage. Like even I’ve been in this for 20 years, that they’re still like, oh, tell me more about that. Like, what is that like? Oh, that sounds interesting. And then you start to ask more and more questions like, ooh, that part sounded interesting. Everything else sounds terrible. I’ll move on to the next one.

Vito: Yes, and asking those questions and being curious about those things, I think is a great way to do that. If you’re a young person just starting out in your career, I’d encourage you to try some of these things. If you have a chance to do an internship in a certain area of cybersecurity or work on a project in a certain area of cybersecurity, those are great ways to see if that might be something you wanna do as a career, every day, nine to five, Monday to Friday or not.

Manuel: You decide that you’re not gonna stay in the military. What was that transition like? Did you start to kind of look as you were leaving? Was it afterwards? Did you utilize programs? Just curious, what were your experience was like?

Vito: I think I had a pretty easy compared to some other people I’ve talked to, friends and colleagues coming out of the military. But yeah, I started to look as I was getting out of the military, just started dropping applications for things that sounded interesting in the realm of security. And I actually landed a consulting job shortly after I came out of the military, working with various clients on cybersecurity projects that they were doing. And I found out very quickly that I think consulting is a young person’s game. (both laughing) I did not wanna be traveling six days a week, flying out on Sunday afternoon, flying back late Friday night and seeing my wife for a little bit on Saturday before I had to pack up and do laundry and fly out again the next day. And so I was like, this isn’t gonna work long term. And so I only did that for about six months or so until I found the job at UNLV. And UNLV at the time they were hiring for a security person. It was an information security analyst job and it was the only person in cybersecurity. And so I sort of started there as the sole cybersecurity person and have built the program up from there to the point where there was a need for a CISO. And a couple of years ago now, they put out the job posting for CISO and I had to apply and interview and luckily got the job. But yeah, it’s been a journey.

Manuel: So I just have one question on the consulting side of it. So obviously a young man’s game, right? Because being able to travel and but from a learning standpoint, and I’m gonna say comparative to what you were doing in the military, for someone who’s maybe younger or starting out, there’s probably a lot of opportunity to learn. You’re seeing different environments, but at that time, apart from the travel, do you think that you would have been able to grow your skillset in that type of role at that point in time, right? I’m not saying that you can’t, I’m just saying for you at that time, would there have been growth?

Vito: I don’t know if there would have been growth or not. There certainly would have been some new learning and if you believe all learning is growth, then there would have been some growth to that effect. They’re coming out of the military and only seeing the military for most of my cybersecurity career, going into the commercial sector and seeing some of the different commercial sectors that are out there was quite a culture shock to me. Going into a hospitality customer who was still running NT4 on their servers. I was like, you’re doing what? And so it’s a bit of a shock to see how different industries do things different and where their priorities lie because that just wasn’t a priority for this hotel customer because it ran their key card system, it worked. They knew if they didn’t touch it, nothing was gonna break and that was sort of their priority, making sure that they could make keys and the NT4 system did what they needed to do and so there was no thought to upgrading it or moving forward. And so seeing different sorts of industries and where their priorities lie with cybersecurity, that was eye opening to me and so I think there definitely would have been some learning along that path as I worked with more different customers and probably some growth of my skills and my knowledge from that alone.

Manuel: Apart from being a culture shock, I’m pretty sure that it was a quicker acclimation than had you gone into a specific role and taking time, now you’re consulting, you’re going to multiple places. So you’re getting that culture shock all at once and seeing like, oh my gosh, it is not only is it very different from the military but even within the corporate sector, each industry is different, each business is different.

Vito: And I think that’s the great thing about consulting and again why maybe it should be a young man’s game is you get exposed to a lot of things very quickly, a lot of different things. You’re not going into one environment and being focused on that company or that environment. You’re seeing how all different companies do the same type of things, how they get to the finish line with different cars here with different vehicles. But yeah, it allows you sort of that overview of a lot of different things in a very short period of time. So I mean, I think that’s a great thing about doing a consulting gig.

Manuel: I agree because I did spend some time doing something like that where folks a lot of hospitality and casinos and I worked in the gaming industry, I was like, oh yeah, I’ve got this. But then you realize how each organization does it differently, how their priorities are different. So I think it did, I would say it’s probably midway through my career. So I had been doing this for a little while but that was really like, oh, it was very eye opening but I did gain a lot of experience and say, oh, okay, well, I think that’s around the time I started to learn to question a little bit more. Why do you do it this way? And then because I was quick at first to just, I was used to doing it like two or three other companies did this, oh, hey, you should do this and this and that and they’re like, no, we can’t. Well, what do you mean you can’t? So then I started to learn to ask questions, oh, well, why do you do this? Sometimes there’s a specific reason and sometimes I go, well, that’s what we’ve always done it. Okay, well now I know that I can start to make those types of suggestions. So you get out of there, you go and you apply at UNLV and you are the lone security person. So what were you doing there initially in that role?

Vito: So they were just coming off of a security assessment that had been done by NSHE, by the Nevada System of Higher Education, who is sort of the parent organization of all the institutions, all the higher education institutions in Nevada. And there had been a lot of findings on that security audit. And so a lot of my job was focused around sort of putting in place measures or remediations to address those findings. We also had a number of data breaches, small data breaches over the last couple of years that I was sort of cleaning up and doing notifications for and making sure we were in compliance with those. So between those two things, that’s what took up most of my first year there is just sort of catching up and sort of moving us forward on security a little bit.

Manuel: And probably around that time is when cybersecurity is probably starting to get a little bit more attention. Obviously they did the findings and say, “Hey, you have to fix this.” Would it be safe to say that they’re also starting to, you know, like cybersecurity as a whole is starting to grow and people are starting to pay more attention and say, “Okay, we need to fix these things, but maybe we should be thinking bigger.” Or is that something that you brought in?

Vito: No, I think that mindset was starting to grow there already and I think a large part of that is what prompted the job position that I applied for. You know, even creating that position and posting it out there, they started to realize, “Yes, we need a little more focus on cybersecurity.” And I mean, higher ed’s a very unique environment. When I talked to my friends on the commercial side and they asked me what cybersecurity is like in higher ed, I say, “Imagine every day you took 30,000 hackers and you gave them credentials to your network.” Because it’s finding that balance between being secure and also allowing the culture of higher education, which is openness and collaboration and collegiality, you know, sharing with everybody. And a lot of people believe they should have access to everything within the university. And so finding that right balance, I think, is the big challenge in higher education. And that’s sort of what intrigues me so much about doing cybersecurity and why it’s been such a unique challenge over the last 12 years I’ve been there now.

Manuel: I’m glad you kind of reminded me of that because it is a different culture. I worked in corporate and when I went and did my time at higher ed, I was like, “Why are we giving them this access?” Well, you know, academic freedom and you know, a number of those things. And I’m like, “But why?” And it took me a little while to understand how that works. And there is, there’s that balance. There’s times where they will fight back and say, “No, you’re not.” And other times we’re like, “Well, how else are we gonna grow?” So it’s a challenge. I don’t envy what you have to do.

Vito: Yeah, for sure. I mean, you’ve heard the sort of carrot and the stick analogies. Well, we’re not a stick culture at all. You know, you can’t, where in the military. You said, “You will do this.” And people had to do it. When you say you will do this to a tenured faculty member, that just doesn’t fly. And you know, the president is never gonna side with the CISO over a tenured faculty member that’s bringing in research dollars and all those things. And so you really need to start being an advocate for cybersecurity. Start convincing people why it’s a good idea for them. You know, why these things are helping your research or your teaching and learning, or they’re helping you do your job there. And that’s really our job there is to support the faculty, to educate the students. That’s the mission of UNLV. And so everything that we do in cybersecurity needs to be in support of those things. And if we can’t show a faculty member or a staff member or a student how the measures we put in place for cybersecurity support the things that they’re doing, then they’re not gonna do it. And realistically, they shouldn’t do it because it’s our job to be supporting what they’re doing.

Manuel: And you mentioned educate and communication. Well, there’s two questions, but I’m gonna focus on one. So communicating with them and being able to properly articulate and to your point, right? You can’t just say, “Hey, do this.” You have to convince. It’s wording, it’s probably presentations. How or where did you develop that skill on communicating and presenting? Is that something that you learned there a little bit through the military? Because I know sometimes they offer leadership. So I’m just curious, that skillset, where did that come from?

Vito: Well, it’s something I’m still developing. I would like to say I’ve perfected it, but I’m nowhere near in reality. But yeah, I think part of it came from working in higher ed and learning how to communicate with people there. Part of it came from the military, the leadership courses, and presenting things to a higher ranking officer to a higher office there. But I mean, I’ve sort of always, I’ve always been someone who could talk to people or communicate pretty well with people. When I was younger, I was in musical theater, and so I was often up on stage in front of people. And so I’m not uncomfortable standing in front of a crowd and delivering information or delivering an address to somebody. So I think it’s something that constantly develops, and I hope I’m getting better at it every day, but it just has to, it just sort of has to develop as your career develops.

Manuel: That’s interesting, the musical theater and being able to be comfortable talking in front of people. I never did theater, but I remember having to do presentations and programming. That’s the key, I think you’re doing a lot of those types of things, and in English class, giving presentations, similar to you, it didn’t bother me. And I understand that some people, again, it’s a fear, it’s more an uncomfortable. Apart from that, the ability to do presentations, you mentioned you’re having to do that within the military. Are they teaching you to do that? Is that something, we’re always constantly learning, but is that something you’re developing kind of on your own? I’m just curious how you get through that. So I went to college and I remember that was one of the things, and even in high school, you do a little bit of that, but it’s more like speeches based on a paper. It was in college where I had to learn to start putting together PowerPoints and how do you get the information across and not lose the students and the teacher, primarily for your grade. But how did you kind of come about that?

Vito: The military does teach you some of that, and as you go through some of their leadership training, as you advance, and I was on the enlisted side, so as you advance into the upper levels of the non-commissioned officer on the enlisted side, you go to schools that are specifically developed around leadership training. And so there’ll be classes within those schools that are like develop a persuasive argument and deliver it in 15 minutes and ask for a decision, that sort of thing. And so you get to practice those and why you want to make this decision, and you’re standing there and I might be delivering it to another classmate, but you’re acting as the general or something like that. And so I’m delivering this argument to the general and telling him why he should see it my way and give me a decision that favors what I’m going for. But yeah, you always have that sort of training and development and they put you in a position to succeed when you have to get into those rooms and do briefings like that.

Manuel: And what do you think is the value of something like that, especially now for people that are getting into cybersecurity? I always knew it was important, but the more you start to move up, the more you realize how important it is. So from your standpoint, now where you’re at having to go through and as you’re moving up, and especially now as a CISO, to be able to be taken seriously and to kind of show that authority, I mean, you could dress, show up dressed up in a suit, but if your presentation is terrible, if you’re not communicating, you start to lose a lot of that. The opposite is also true. You could have shown up in sweats and a t-shirt and if you do something amazing, they’re like, “Wait a minute.” There’s that mismatch, so I’m just curious from your standpoint, what do you see from a communication standpoint, like the importance of that?

Vito: I think it’s extremely important and I think knowing your audience and knowing how to communicate with your audience is the biggest part of that. Like I said, at heart, I’m a technical guy. I can, but if I walk into a boardroom, the president’s cabinet or the board of regents and start throwing a bunch of technical jargon at them, they’re gonna glaze over. They’re not gonna listen. They’re not gonna have any interest in what I’m saying. So I need to be able to take that technical knowledge that I have and relate it to the business of the university. Why is this affecting our students teaching and learning? Why is this affecting our community engagement or our research, the things that they care about at the university? And that’s really how you win favor for cybersecurity initiatives. You have to tie it back to the business and in order to do that, you have to be able to communicate with an audience in a language that they understand and that they will relate to.

Manuel: So you’re doing these presentations, you’re getting, you’re starting to, I’m assuming, build a name for yourself within the university. You mentioned at some point that there became an opening for the CISO position. So how did that come about? And was it just, hey, we’re gonna open it and since you’re here, we’re gonna let you apply? Was it open to everybody? What did that look like?

Vito: Yeah, so the security team was slowly growing. We had hired a couple additional people and moved some team members over from another team and realigned their responsibilities. And so that team was slowly getting larger. We’re still a very small team, but it was larger than the team of one that I came in with. And so they are, our senior leaders in IT recognize that there was a need for leadership around security, for somebody to sort of look at things from a more strategic perspective, develop a vision for security moving forward. And so they developed the job description for a CISO. They posted that openly. It was posted nationwide, anybody could apply for it. And so I applied for it. They were just at about, at the stage to do initial interviews for that. And that was right around March, 2020. And we all know what happened then. And so they put a freeze on hiring there. They shortly after that in like May of 2020, they named me Interim CISO until they could again open the job position and do the interviews and hire. So I served as Interim CISO for about another year. And then they reopened the hiring, reposted the position. Again, I applied, got my resume together and applied for the job. I got an interview. I went through the whole interview process. I wasn’t the only one there. There were other candidates as well. And at the end, they informed me that they wanted to offer me the job. And so I managed to get the job that I had been doing for the last year or so.

Manuel: And you laugh, but I know that there’s times where that doesn’t happen.

Vito: Sure, absolutely. I’m very blessed.

Manuel: But then also a lot of that is also the body of work that you’ve built. Because sure they’re interviewing you, the external candidate, but there probably had to have been at least a little bit of an extra weight to say, well, we kind of know what he’s already doing.

Vito: Right, and I think that’s where it sort of benefits me. Right, in no time would I say I was entitled to the position or that I deserve to have the position, but you know what I’m about already. I’ve been here, you’ve been working with me, you’ve seen what I’ve done here at UNLV. And so you know what I’m capable of and what I can do here. If that’s what you’re looking for, then maybe I’m the right candidate for it. And so I think it does give some advantage to have been there and have people there know you.

Manuel: And it’s also a disadvantage. I’ve seen the exact opposite happen. Because they do know you. And they’re like, no, you’re not gonna do this because we know the position opened all of a sudden for the next two weeks or whatever it is. There’s a big change, but the two years before that, we haven’t seen that. So again, to your point, it’s not that you deserved it, but again, it does help to say, oh, we kind of already have an idea of what we’re dealing with. The devil you know versus the devil you don’t know.

Vito: Right, yeah.

Manuel: What was that transition like for you? What was the experience of going from, I’m assuming most of these people were kind of your peers or as the team is growing, were you kind of from the get-go more of a lead? Because it’s a transition to go from people that are relatively your peers to now going through within the same organization to now you’re their leadership.

Vito: I had been in a senior position before then. And so I was sort of the de facto leader anyway of that group. And so it wasn’t a huge transition for me. I kind of, in my head, I always sort of saw myself as the CISO, as the security leader at UNLV. And so it wasn’t a huge leap to just change titles and put a different placard on my door or whatever. Because I had already sort of been acting as the lead security person there. It wasn’t like there was another CISO and they left and then I was coming in. I was just moving into the first CISO position.

Manuel: And we didn’t touch on that at the beginning, but now that you’re in the CISO role, so what are kind of some of the roles and responsibilities? So what is it that a CISO really does?

Vito: Yeah, great question. I guess we should have hit that earlier. So CISO, we’ve been using the acronym all along, but CISO stands for Chief Information Security Officer. And so typically at most places and certainly at UNLV, they are the senior person within information security, within cybersecurity at that organization. Typically I’ll speak for my own job. I am responsible for a sort of security strategy and vision for the university. I also oversee several different areas of operational security or security operations, which encompasses things like vulnerability management, continuous monitoring, SOC, SIM, computer forensics, E-Discovery, security awareness training, all of those things. And then I have another branch of folks that handle sort of the business continuity, disaster recovery, risk compliance, those types of things. So I oversee both of those groups as well. But in short, I’m basically the person responsible for security at UNLV for cybersecurity.

Manuel: So then you help develop, I won’t say that you’re the only one, but along with the CIO and the university in this case, kind of set policies and procedures around that as well. It’s part of that strategic vision to say, okay, here’s what we need, here’s the tools internally, but then also as an organization, here’s what we should or shouldn’t be doing to kind of make sure that as an entity of UNLV, that we are positioned to be, to not be vulnerable to attacks or…

Vito: Yeah, exactly. And a big part of my job, like you said, is developing policy, developing procedure, sort of guiding us toward looking at some of the emerging threats and things that are becoming more prevalent on the horizon and sort of guiding us in the right direction to address those things.

Manuel: From an education and a learning standpoint, what’s different or how do you go about doing it? So if I come in as a cybersecurity analyst, I know how to, the training or the types of research that I might be doing is on tools and specific things to my area, but as a CISO, you’ve got a broader picture to look at. There’s no, as far as I know, you can’t go to Cisco and say, hey, Cisco, I’m interested in your CISO training. So how do you go about building that, or continuing to build that knowledge and that skillset in that role?

Vito: Yeah, so remember all that technical stuff I said I was really interested in? I don’t get to do any of that anymore. But no, there is, it’s a whole different skillset and a lot more around management and leadership of people and sort of gaining strategic plans planning, strategic thinking, gaining support for your ideas, those things. There are some trainings out there around those type of things. And I’ve taken a few of those around strategic planning or strategic thinking. SANS does some great courses around sort of the leadership side of security. So there are things out there where you can learn that, but a lot of it is also sort of the forged in fire learning. And you learn things as you go, or you learn things from your peer. Some of my leadership has been great mentors and great resources for me to lean on and learn from, because they’ve either been doing this longer in IT or they’ve been at UNLV longer and know the system and how things work there. So it’s great to lean on our CIO or our former VP for IT who retired. She was a great resource as well. But learning those things from the people who have been there is great.

Manuel: I’m assuming here kind of building your network still also comes into play because I’ve done it in my role. So I have my peers and I have people that are also peers, but maybe not within my organization. Is that something that you leverage? I mean, I’m assuming you’ve kind of built a network and having other CISOs at other universities, but then also thinking outside of universities and saying, okay, well, I need to talk to senior leadership at just corporate environments, maybe even the military, because you have those ties. So are you kind of pulling those resources as well?

Vito: Absolutely, yeah. And the great thing about Southern Nevada and the Las Vegas Metro area is we have a great tight knit community. Everybody kind of knows everybody. If you’re in IT or if you’re in cybersecurity, you know a lot of the same people. We attend a lot of the same professional organizations. You and I met at a SIM event. So SIM and ISSA and ISACA and AITP, these are all professional organizations that people get together and network and just get to know each other. And so yeah, being able to join some of those professional organizations, talk to some of my peers in different industries, in the same industry has been great. And being able to know those people to the extent that I can pick up a telephone and call them and say, hey, we’re seeing this. How did you guys address this? Or what did you do here? Or, hey, do you have a solution for this? Or what product are you using for this? It’s great to have that network built that you can talk to other people and see how they’re addressing things.

Manuel: And I think that’s something that at times some people would think that, oh, knowledge sharing, if I don’t share it, it’s job security, right? Usually that’s people that are usually starting out. But in that role, I would think that it’s even more beneficial and probably a lot more critical to be able to knowledge share because if you’re not sharing information, it’s one thing to be a consumer of information. Like, hey, what did you do? What did you do? What did you do? But it has to reciprocate when they call you and say, hey, what did you do? Well, I don’t wanna tell you because now you’re gonna know my environment. So I think there’s kind of that, I don’t know what the word is, but that fake curtain or that fake something, I can’t think of the wording, but I kinda wanna demystify that, hey, you can share information without saying, hey, here’s the specific vulnerability that you can access our environment, but how would you go dispelling some of those myths of not knowledge sharing?

Vito: Yeah, and that’s something that’s something that gets on my nerves. I don’t see it a lot in, thankfully, in Southern Nevada, but I have been other places where there’s sort of that gatekeeping mentality. And I don’t understand that at all. I don’t know where it comes from. We’re all working toward the same goals. We’re all trying to make things more secure. We’re all trying to make things a little better for our organization. Now, I understand that you can’t share every specific detail of everything you’ve done, but there are definitely ways to share information without giving people details. And there are a lot of groups, and I attend that use sort of the Chatham House rules of things, like we’ll talk about things. And if you repeat it, you don’t attribute it to any other company. You don’t say, hey, Manny from AWS told me such and such and such. But you can say, oh, here’s what some of our peers are doing in the industry. And you get that information without sort of spreading it, or people have to worry that it came from them. And so I think that’s important. I think it’s important to honor those sort of rules, those Chatham House and other types of meeting rules like that to build the trust within the community. Because if you’re gonna be the guy who’s out there blabbing everyone’s secrets, then no one’s gonna wanna share it with you, right? And so making yourself trustworthy, I think is the first step to that. And then people feel comfortable that they can share with you.

Manuel: And I didn’t touch on this earlier, but one of the things that I’ve been asking a lot of guests lately is, I don’t know if you’re a big reader or not, if there’s a book or a book or two that you really recommend that you would say, hey, I recommend people. And it doesn’t have to be necessarily just on technology. Maybe it’s a leadership, maybe it’s just, hey, I read this book and it just made me think differently about just career or just my life in general, just.

Vito: I used to read a lot and lately I just haven’t found as much time to read. Most of the things I’ve read lately have been around leadership. A lot of Brene Brown stuff is great. If you haven’t read her, sort of the authentic leadership type things. How to Win Friends and Influence People is classic, but in learning how to deal with people and how to talk to people in a way that they care about what you’re saying and by caring about what they’re saying. So those are some in general and I’m struggling to come up with a lot of specific titles right now, but yeah, I think we can always all learn about communication, leadership. If you’re not reading technical books that you need for your job field, whatever, there’s always something you can learn from a book about communication.

Manuel: Lastly, I want to kind of open it up to you if there’s anything that you want to talk about that maybe I haven’t asked you or if you kind of want to just summarize your career, just anything I want to give you the opportunity to talk about anything that maybe I haven’t brought up.

Vito: Sure, I don’t know that I have anything real specific to talk to. Again, I just want to reiterate that there’s a lot of different career paths within security and if you’re a young person interested in cybersecurity or somebody who’s midway into their career and looking to make a change into cybersecurity, we need you. We need skilled people in cybersecurity. There is a shortage nationwide of professionals. And so I would welcome you into the security community. I encourage you to try as much as you can in security, get exposed to different areas, find what you like, find what you don’t like, like we talked about. But basically there’s a lot here for you. It’s a great career field. It’s always challenging. It’s always something different. It’s always evolving the both the defense landscape and the tools and the threat landscape and the attackers are always changing. So if that’s something that sounds like it’s interesting to you, then I encourage you to give security a try.

Manuel: Since you have quite a bit of experience around cybersecurity, I have kind of my take, but I would like to know kind of your opinion on this is what do you see benefit in having a base knowledge of IT in general? Because I do a lot of mentoring. I’ve had people that just kind of ask in general like hey, I want to get into cybersecurity. Again, me, I’m familiar and I know how to secure what I’m in charge of, but to say hey, the different areas of cybersecurity, but one of the things that I always recommend to them is hey, you should have a base understanding of how things work. And when I say how things work is you don’t need to be a network architect, but understand how networking works. Storage, okay, what are RAID levels how does storage work, how does data get written? Same thing with servers, just basic OS and hardware, because to me, if you don’t understand fundamentally how those things operate, I don’t know that you will understand how to secure them. Or again, I’ve dealt with security analysts that have come to me and say hey, a lot of times they just, their tool spits out, here’s the vulnerabilities, you need to take care of this. And I’m like no, no, okay, yes, yes, no, maybe, let’s talk about this one. And they’re like, but it says it’s vulnerable, but yeah, but you have to understand that this doesn’t apply to us. Yes, this port is open, SSH is open on my ESX VMware servers, but it’s on an isolated network. Yes, you have access to do that, but there’s a reason we have to do this, but no, my tool says, so I’m just curious, your take on that.

Vito: Yeah, absolutely, great question. And when I started in cybersecurity, when I was coming up, this is where I get to shake my fist and be like back in my day, back in my day. So there weren’t really any entry level cybersecurity jobs, it wasn’t an entry level job. You started as either a systems analyst or a network analyst typically, and once you had knowledge of how those things work, you sort of moved into a job in cybersecurity, if that was your interest. And so I do think that’s so important. I think cybersecurity has gotten so much bigger now, we’re seeing more and more people come right into these entry level jobs with no experience in IT whatsoever. They’ve never set up an active directory, they’ve never had to subnet, they’ve never, things like that. And just like you said, knowing how these things work and how all these parts interact with each other, I think is absolutely vital for cybersecurity and understanding even if there is a vulnerability, like you pointed out, what’s the actual risk there? What are we dealing with? Do we have other mitigating controls that make that vulnerability not such a big deal? Or are you just going off the CVSS score and you see it’s a 10 on CVSS, so you need to mitigate it right away. One of the questions I always pose, talking about that and sort of knowing IT and knowing what’s going on, I will say to my analysts, if we have a 10 CVSS and it’s on a static web server that’s serving up a single webpage, and then we have a seven CVSS that’s on our primary domain controller, which of those is more critical? Is the 10 more critical or is the seven more critical? And obviously I would say that the seven is more critical. It’s a bigger asset, but knowing IT and knowing what those machines do or how they fit into the bigger picture, I think is vital for actually developing a realistic picture of risk within your organization.

Manuel: And I appreciate you sharing that just because again, as people, one of the things that I’m trying to do with this is just bring awareness to areas and people like, hey, I can’t find an entry level cybersecurity role or hey, I see that there’s all these roles, and I think people sometimes put, not that they put blinders on, but it’s almost like tunnel vision, like, okay, this is it, this is my only way in, and it’s really understanding, like, no, you can start off as a help desk analyst, like help desk, as much as I hated taking those phone calls, I learned so much.

Vito: You learned, yeah.

Manuel: And it’s really making people aware that, hey, there’s no one way, like just because cybersecurity is what you wanna do, that doesn’t mean that there’s this direct path. Like, you can do this, you can do that, and eventually work your way in. So I just kinda wanna get your thoughts. That’s my understanding, but again, somebody who actually does that.

Vito: Yeah, 100%, and the more you learn about IT and the more you learn about technology in general, the better cybersecurity analyst you’re gonna be in the end. And so any of that knowledge you can gain is gonna benefit you.

Manuel: Well, again, I appreciate your time, I appreciate you sharing all your knowledge and experience with me specifically, and then even with everybody watching and listening. Yeah, I can’t thank you enough.

Vito: Well, thank you so much for having me. It was a pleasure talking to you.

Manuel: And for everybody watching and listening, thank you again for continuing to plug in and download the knowledge, and until next time, thank you.