Advanced Threat Protection U.S. 2021


Government Innovator Q&A:
Jenny Hedderman, Esq., State Risk Counsel, Comptroller of the Commonwealth of Massachusetts


State Risk Counsel with the Commonwealth of Massachusetts Comptroller’s Office. An expert and creative strategist in government legal, finance, risk management and internal controls, including cybersecurity. Created CTR Cyber for cyber internal controls; speaker, host of the CTR Cyber 5 Series (YouTube), professor and board member.


Read Jenny’s Interview

Q1:

What is your favorite part of your role and being in Cyber Security?

Answer: The ability to make an immediate impact by making cyber internal controls simple and relatable to employees and leadership. 

Q2:

Your Government Keynote: Risk & Reward: Cybersecurity and Privacy Awareness will detail how privacy awareness is a crucial component of cyber protection for the public sector – as it helps define the overall privacy culture in an organization. Mechanisms in place will help educate employees about the importance of protecting personal data and the potential consequences of not doing so. Is there one principle of this that is essential to your department? Can you explain why?

Answer: Employee Cyber Awareness. The single best investment from a non-technology perspective is in training your staff at every level of the organization about their role in cybersecurity, and keeping it simple. With employees falling victim to phishing emails at an alarming rate, which can then bypass the best security features, ensuring that your employees are continuously reminded of how they can be victims and simple prevention steps.

Q3:

What is the #1 mistake that you’ve seen government leaders make while planning and executing cybersecurity programs? How can those who have made this mistake begin to rectify it?

Answer: The biggest mistake is presuming that cybersecurity is solely an “IT” issue, and then expecting IT staff to work miracles. Instead, cybersecurity is one of the types of security, like physical security of using badges to gain entry to an office, that everyone needs to use. Staff are taught not to let anyone into an office without a badge, but they can be tricked by delivery people, or other individuals, to “hold the door open”. Cybersecurity is just like this, being tricked by an imposter and opening the door. If every staff person is properly trained to be on the lookout for imposters, security is much stronger. Even with the best security systems, if you open the door, that system fails.

Q4:

Is there a future project you’re working on at the Comptroller of the Commonwealth of Massachusetts that you’re particularly excited about? What impact do you hope this project will have on the agency & state at large?

Answer: Cyberawareness Month in October. Our goal is to present cybersecurity from an “internal controls” perspective rather than from an IT or technology perspective. Therefore, we have a plan to speak to every employee and simple internal controls that can protect them both at home and at work. If even a small percentage of employees use these tips at home and at work, it will save millions in breach and disruption costs and protect employees and their families from losses at home.

Q5:

What advice would you give anyone who is considering a career in the public sector?

Answer: The public sector provides immediate hands-on experience and efforts that can have a huge impact to the public that you serve. If you are looking for experience, the public sector is a great place to work, and has much more flexibility and benefits that many companies no longer provide. So it is a great place to build your career.

Q6:

What advice would you give anyone considering a career in cybersecurity?

Answer: Do your homework and start where you are. Cybersecurity is not limited to IT and technology. A huge part of cybersecurity is leadership, governance, compliance, understanding risk and mitigation and communication skills. Being able to communicate across all layers of an organization makes you indispensable. Also being able to translate business goals into operations that include cybersecurity. There is a place for everyone with all levels of skills in cybersecurity. Some jobs have certificate requirements, but apply anyway since they may train you. Women are especially critically needed in cybersecurity at all levels. Do your homework and see what “type” of cybersecurity role you see yourself in and then network with people in those roles, and keep applying!
