Interview with Doug Landoll: Navigating A Cyber Security Career
At a time when cyber security breaches are weekly news stories, Doug Landoll has stayed ahead of the curve. As a security risk assessment expert and CEO of an information security company, Landoll has had several years’ experience adapting to the changing tides of the IT industry and the various threats to digital information, both public and private.
Sparked by a love of working with computers, Landoll earned his Bachelor of Science degree in computer science at James Madison University. He then went on to earn his executive Master of Business Administration (MBA) from the Red McCombs School of Business at the University of Texas at Austin. In addition to his degrees, Landoll holds the CISSP (Certified Information Systems Security Professional) certification, one of the most recognized certifications in the information security industry.
Over the years, Doug Landoll has worked at several companies in different roles, from Trusted Product Evaluator at the National Security Agency; to a Practice Director of Risk & Compliance Management at an information security company; to eventually founding Lantego, a company of information security compliance experts where he is the CEO. He’s authored a security risk assessment handbook that is used by professionals in the IT field and in the classrooms of those earning an IT degree. And because of his expertise, he’s been featured in several publications concerning information security topics and speaks at IT conferences, such as this year’s Information Systems Audit and Control Association conference.
Read our full interview with Doug Landoll to find out how he got into IT and the field of cyber security and how he navigates the ever-developing challenges of the digital age.
Tell us more about your background and education. What led you to work in IT and cyber security?
I always loved working with computers and enjoyed the mathematics background and analytical aspect of it all, but I never really enjoyed programming. Back when I went to school, programming seemed to be the only option in the field. Somehow I just knew I would find something in this field so I kept on with my education. A BS in Computer Science allowed me to pursue work in this field and discover that there were a wide variety of positions. I was introduced to the field of computer security (which I really did not know existed) when the intelligence community recruited me in my senior year of college. Once I caught that bug, I never looked back. I love this field of study.
Did you hold any past positions that have played a significant role in where you are today?
I held several positions that influenced where I am today. I led several technical teams while serving in the intelligence community, analyzing security vulnerabilities of commercial systems. I led consulting practices within large organizations and grew them with additional services and members. But the most rewarding and influential positions I have held have been founding and running my own company. I have done this four times now: founding, growing, and eventually selling information security consulting practices. I now enjoy working for myself and concentrating on information security risk assessments, policy development, and the education of others pursuing a career in information security.
Please describe cyber security and what your company, Lantego, does for someone who’s unfamiliar with the field.
Cyber security can be thought of in terms of two distinct missions: Builders and Busters. Builders design, assemble, configure, and operate secure networks and applications. Their job is to ensure that they create the most resilient and secure systems to protect an organization’s assets with the resources they have. Busters review, assess, and test these systems looking for any design, implementation, or operational flaws or vulnerabilities in the system. Their job is to find these vulnerabilities, prioritize them, and suggest how to fix them in the most efficient and effective way possible.
Lantego specializes in assessments. Gap assessments are a review of the current security controls with respect to an industry standard such as HIPAA (Health Insurance Portability and Accountability Act) security and privacy or the Payment Card Industry Data Security Standard (PCI DSS). Security risk assessments go one step further and assess the likelihood that a vulnerability could be exploited and the impact it would have on the organization. This allows us to prioritize our findings. Lantego also develops information security policies and processes for state agencies and commercial organizations when they are lacking appropriate administrative controls. Many organizations seek independent consultants for assessments and policy development because of the need for an independent review and the lack of specialized resources to create policy.
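The distinction drawn in the answer above, between a gap assessment (is the control in place?) and a risk assessment (how likely is exploitation and how bad would it be?), as an added example that is not part of the interview and not Lantego's own method or tooling. The control names, the three-point likelihood and impact scales, and the findings list are all constructed assumptions for illustration; a real assessment would use the scales and control catalogue of the standard being assessed.

```python
"""Added example (not from the interview or Lantego): contrasting a gap
assessment with a security risk assessment over a constructed set of findings.
The control names, scales and findings below are illustrative assumptions."""
from dataclasses import dataclass

# Qualitative scales mapped to ordinal scores (assumed three-point scales).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    control: str       # control from the standard being assessed (hypothetical)
    implemented: bool  # gap-assessment result: is the control in place?
    likelihood: str    # assessor's judgement of how likely exploitation is
    impact: str        # assessor's judgement of the effect on the organization


# Constructed findings, loosely modelled on a HIPAA-style control set.
FINDINGS = [
    Finding("Encryption of ePHI at rest", False, "medium", "high"),
    Finding("Workstation auto-lock", False, "high", "low"),
    Finding("Annual security awareness training", False, "low", "medium"),
    Finding("Unique user IDs", True, "low", "high"),
    Finding("Audit log review", False, "high", "high"),
]


def gap_assessment(findings):
    """Gap assessment: list the controls that are not in place.

    The output is a checklist in the standard's own order; nothing in it says
    which gap to close first."""
    return [f.control for f in findings if not f.implemented]


def risk_score(finding):
    """Risk = likelihood x impact on the ordinal scales above (range 1..9)."""
    return LIKELIHOOD[finding.likelihood] * IMPACT[finding.impact]


def risk_assessment(findings):
    """Risk assessment: score every gap and return (control, score) pairs,
    highest risk first, so remediation can be prioritized."""
    gaps = [f for f in findings if not f.implemented]
    scored = [(f.control, risk_score(f)) for f in gaps]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    print("Gap assessment (unordered):")
    for control in gap_assessment(FINDINGS):
        print("  missing:", control)
    print("Risk assessment (prioritized):")
    for control, score in risk_assessment(FINDINGS):
        print(f"  risk {score}: {control}")
```

Note how the two views disagree on urgency: the gap list puts "Workstation auto-lock" ahead of "Audit log review" simply because of catalogue order, while the risk-scored list moves the high-likelihood, high-impact gap to the top and the low-likelihood training gap to the bottom.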
What keeps you excited and interested in the work you do?
I stay excited about my work because there is always something new to work on. Last year, I rewrote the information security policy set for the State of Arizona and worked directly with the State CIO (Chief Information Officer) and State CISO (Chief Information Security Officer) in a project that affected all 145+ agencies in the state. At the same time, I performed HIPAA security risk assessments for hospitals in Virginia, Tennessee, Texas, and Arizona. The variety of environments, business models, system implementations, and security requirements keeps me on my toes and keeps the work interesting.
Expand on your different roles in the IT industry (risk assessment expert, author, voice in social media).
One of the most influential efforts I ever pursued was the writing of my first book: The Security Risk Assessment Handbook. I knew a lot about risk assessments at the time, but the research I did to create a textbook expanded my knowledge beyond what I would ever have gained from simply performing the risk assessments.
As a recognized expert on security risk assessments, I am able to provide some insight on the process, the state of security in the industry, and how we can continue to improve our security postures as the threat environment continues to mature. Just as regulations and threats continue to evolve so too does my own risk assessment process every time I perform another risk assessment.
I share my thoughts, findings, and experiences through social media and conferences. As a profession, it is important that we share our experiences and continue to mature our tools and processes to secure the infrastructure that protects data assets.
Is your book, The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, used for students pursuing an IT degree? If so, what information do they find most helpful?
My book was written specifically for the practitioner. Anyone who intends to understand how to perform an information security risk assessment (or even use the results of one) will gain a practical understanding of how to conduct a complete assessment. The book is used in many colleges and universities as either required or supplemental reading. What the student will gain is practical advice on how to actually perform an information security risk assessment. Most students are surprised by the detail of instruction in the book. I wrote the book because there was no such instruction available elsewhere.
How has your entrepreneurial spirit helped you become an expert in the cyber security field?
My entrepreneurial spirit has allowed me to pursue business plans and offer information security services that my previous employers or “the big guys” did not see coming or did not see enough profit in. I am able to create new services quickly and effectively when I see a potential need. For example, last year I created a new class on the NIST Cyber Security Framework to coincide with NIST’s release of this new framework. I was able to gain several new clients who quickly adopted the standard and were unable to find training anywhere else.
I am also able to specialize in areas that I feel are most needed and underserved. For example, this year I launched my “Black Diamond Initiative”. This is what I call expert-only services. Most organizations have the expertise in-house to develop and deliver most of their information security program elements… with two notable exceptions. The first exception is an objective and independent review of the controls they put in place (i.e., an information security risk assessment). The second exception is education and training. When organizations reach out to consultancies for either an assessment or certification training the most important element is the expertise of the actual consultant that gets assigned. Assessing risk or educating your people is no place to cut corners, so organizations should demand an expert – that’s what Lantego delivers. We only provide experts in the field (i.e., someone who has performed scores of risk assessments or trained thousands of CISSP candidates).
What do you find are the most challenging aspects of cyber security as a field?
Keeping up with changes. No one can be an expert in the entire field of information security. You need to pick your areas of expertise and then be diligent about keeping up. There is always a new tool, regulation, technique, breach, conference, or threat that your customers expect you not only to know about but to have an opinion and a solution.
Has the field of cyber security changed since you entered it? If so, how?
The field has expanded greatly and will continue to do so for the foreseeable future. It used to be that we all considered ourselves information security engineers. Now we are clearly divided as builders or busters, and then again in many different specialties such as forensics, web application code review, regulation compliance, and many more. The good news is that there is a lot of discovery yet to happen and this is a very exciting field.
In your opinion, is it an ideal time to go into IT or to become an IT specialist, and if so, why?
There are many types of jobs in both IT and IT specialties. If you have a desire to learn and push yourself, and if the thought of your field constantly expanding excites you, then I would advise you to pursue a specialty. It is not for everyone but for those that truly enjoy the challenge, you will find a career you truly enjoy.
Which skills do you think a person should build if they want to pursue a career in IT and cyber security?
Inherent skills include a thirst for knowledge, a desire to solve puzzles, and an analytical mind. If you have those, then throw yourself into the study of the basics: computer science, data analysis, programming, system design, privacy and security law. Once you understand the basics, pursue a position in a large company that allows you the freedom of lateral movement and encourages you to try new things. Pay attention to your interests and seek out experts. Let them know that you want to learn more about what they do. Continue this until you find your own special interest and then dig in.
What advice would you give to students pursuing a degree in IT or cyber security? How can students prepare themselves for the challenges?
Get involved in the cyber security community early. Many organizations such as ISSA (Information Systems Security Association), ISACA (Information Systems Audit and Control Association), and ISC2 (International Information Systems Security Certification Consortium) have student chapters; most security conferences have student rates and potentially even scholarships for qualified students. Attend meetings, go to conferences, even submit a paper. The earlier you get involved, the sooner you will be exposed to those areas that excite you and network with those that can help your career.
The experts interviewed for this article may be compensated to provide opinions on products, services, websites and various other topics. Even though the expert may receive compensation for this interview, the views, opinions, and positions expressed by the expert are his or hers alone, are not endorsed by, and do not necessarily reflect the views, opinions, and positions of EducationDynamics, LLC. EducationDynamics, LLC make no representations as to the accuracy, completeness, timeliness, suitability, or validity of any information in this article and will not be liable for any errors, omissions, or delays in or resulting from this information or any losses or damages arising from its display or use.