Deshard Stevens is a Chief Information Security Officer (CISO) with over 12 years of experience managing, developing, and implementing business strategies and technical solutions while leading and managing project development, cloud strategy, and information technology teams.
Deshard was the recipient of the 2018 Rising Star Award from the New York City Public Sector CIO Academy. He is certified as a Project Management Professional (PMP), Certified in Risk and Information System Control (CRISC), Certified Data Privacy Solutions Engineer (CDPSE), and holds a Master of Business Administration. In his free time, Deshard is an avid runner.
Please tell us a bit about what you do, how you got there, and what you love about your work:
I am currently the Chief Information Security Officer (CISO) at the New York City Commission on Human Rights, an agency charged with enforcing some of the most progressive civil rights laws in the nation. As CISO, I support the agency mission by providing information and technology solutions that foster innovative and operational excellence while ensuring agency compliance with industry best practices and guidelines.
I started working for the Commission in 2016, as the IT Program Director. In that role, I oversaw the implementation of all new technology systems across various departments within the agency. I also worked closely with the CIO to create strategic technology plans that would allow the Commission to be at the forefront of technology in the legal arena. In 2019, I took on the role of Chief Information Officer (CIO). As CIO, I was responsible for the implementation, management, support, and operation of technology-related services for the Commission on Human Rights. In 2021, the CIO role transformed into the CISO role due to the added responsibility of ensuring the agency’s compliance with the information security and cybersecurity requirements as established by NYC’s Citywide Cybersecurity Program and all associated policies, guidance, and standards.
As a leader, why is it important to foster a culture of continuous improvement, and how are you doing so in your current role at the NYC Commission on Human Rights?
Answer: Continuous improvement is about making an ongoing effort to improve an organization’s processes. It is about making incremental changes that would lead to improved efficiency and quality. A culture of continuous improvement starts from the top. A leader must lead by example and show their team that they are committed to a culture of continuous improvement. This type of culture could also lead to an increase in employee satisfaction. Team members are empowered to be part of the process, making them feel that they are valued and that their opinion matters.
In my current role, continuous improvement is embedded into the day-to-day activities of my team members. I encourage them to look at our team’s existing processes and identify opportunities for improvements. I also challenge my colleagues to do the same as it relates to the different processes they manage, to look for ways to automate and streamline their business processes.
How have you seen cybersecurity change in the last 5 years, and what do you predict the next 5 will bring?
Answer: The threat landscape has changed significantly over the last few years. The Internet of Things (IoT) provides more routes for threat attackers to access an organization’s network and data. Organizations are going from a reactive to a more proactive approach to cybersecurity. There is more of a focus on preventing a cyberattack instead of just responding to the threat when it occurs. Organizations are evaluating their current environment to identify potential areas of weakness and are putting cybersecurity measures and controls in place to help address security gaps and vulnerabilities.
I predict that in the next five years, organizations will make more use of artificial intelligence (AI) in cybersecurity. AI could be used to process large volumes of data in a short period of time, helping to detect and warn users of security issues and vulnerabilities before they can be taken advantage of by threat attackers.
What advice would you give to the younger generation of emerging cyber professionals, and more broadly, those within public service?
Answer: The number one piece of advice I would give to the younger generation of emerging cyber professionals and those within public service is to always keep learning. Technology evolves at a rapid rate and the threat landscape is constantly changing. It is important for you to keep up with these changes to help you become successful in this career. Technical training, academic courses, and even real-life experience can help you further expand your overall knowledge and capabilities within the cybersecurity field.
With the increased vulnerability that comes with a broadly remote workforce, how has your outlook on incident response evolved since the pandemic started?
Answer: The migration to remote work has changed the way our agency approaches incident response. Before the pandemic, our incident response plan assumed staff would be working onsite, in a controlled environment that is set up to reduce our risk exposure. With remote work, we now must account for the potential threats that are introduced from staff working on personal devices and unsecured Wi-Fi networks. We had to find ways to protect unsecure endpoints, such as employing multi-factor authentication for remote access and Office 365. End-user training and education was also a major focus. It was important that we provided staff with the tools and information necessary to reduce cyber risk.
Your session at Government Cyber Insights will explore the most important considerations when developing a cybersecurity incident response plan – is there one consideration that you think has been largely under-valued, and can you explain why it’s more important than people think?
Answer: Responses to a cybersecurity incident are multifaceted; it is hard to say if there is one consideration that has been largely under-valued. For me, I would say that having good documentation and training is important. Having a well-written plan that defines the process for responding to an incident will help ensure that everyone involved understands what steps need to happen and what role they play in the response process. Performing tabletop exercises can allow for quick reaction times when a real incident occurs. Practicing these exercises could also provide an organization with valuable feedback about their incident response process and help identify any areas or steps that need to be improved.