Jeanette Manfra, the Department of Homeland Security’s top cybersecurity official, has helped lead the department’s outreach to the private sector in a push to be in lockstep with critical-infrastructure companies on cyberdefense. Integral to that effort is a nascent initiative to address vulnerabilities in the supply chain. She hits on those points, reflects on her service in the Army, and talks about the participation of women in the cybersecurity industry.
CS: DHS has chosen to tackle one of the most vexing cybersecurity challenges out there in helping secure the supply chain of critical infrastructure companies. How can you make tangible progress on this?
Jeanette Manfra: It just can’t be the government off in one corner having its understanding of supply chain risk, and then industry off in their different spaces making their decisions. We need to have a common understanding, and then we need to have an understanding on what national risk looks like. The government then needs to, frankly, start making some decisions about now that we have this understanding, what are we going to do to reduce those vulnerabilities … and then getting towards a more longer-term, more secure supply chain.
My organization has had various different versions of supply chain risk management programs over the years. … I’ve seen people attempt to model the ICT supply chain environment and it’s incredibly complicated. And so I guess my concern was that if we’re going to do supply chain, we have to recognize that this is going to be a major investment of resources and time, and it’s going to be a long-term effort. It can’t be something that you just do with a couple of people sitting off in a room with a line item somewhere in our budget.
CS: There are a lot of qualified women in cybersecurity, but they tend to be underrepresented in the leadership ranks of the private and public sectors. As a high-ranking cybersecurity official in the U.S. government, how do you approach this issue?
JM: I do think it’s good to have diverse voices out there. I don’t tend to sort of think about the fact that I’m a woman speaking. I think that I’m an expert speaking, and generally I think that’s usually how the audience feels, too.
I’ll be honest, I think most of the data shows that the government is more diverse in this area than industry.
There are a lot of great voices on the industry side as well that are out there. There are definitely informal groups of women in cybersecurity where we all sort of know who each other are and get together every now and then.
What I have heard, particularly in talking with women, is that it makes a difference to them to see that there are women that are in these positions.
CS: Before joining DHS, you were a communications specialist in the Army and a military intelligence officer. How do you apply what you learned in the military to your work at DHS?
JM: I enlisted first in the Army Reserve as a communications specialist. … That knowledge is somewhat out of date, but that’s actually where I first started to realize my love for a lot of the subject matter.
And then when I was commissioned as an officer, I was with the First Infantry Division in Germany and we were deployed … to Iraq as part of Operation Iraqi Freedom.
A lot of what I learned about leadership and managing operations and managing teams really kind of came in my time in the Army … I left as a captain, and so I had an opportunity to both be in a small team leadership position [and part of] a little bit of a larger team.
I don’t think a lot of 22-, 23-year-olds get the level of responsibility that you would as a second lieutenant in the military. And I don’t think I realized how lucky I was to have that until you get out and you see that for a lot of people in industry or government, you’re not in a leadership position until you’ve probably been in for eight, 10 years, possibly.
CS: So your time in the Army sparked your interest in communications and cybersecurity?
JM: I grew up around it. My dad was a programmer and then kind of turned into a systems engineer. And my mom was in IT. … It was unusual in the ’80s, but I did grow up around computers, and so I was always interested in computers and technology.
My job, when I enlisted in the Army, it was in the Signal Corps, and my job was … I guess what you would call first-line management and repair of all the communications and IT systems. And so I learned how to do everything from being a LAN administrator to repairing radios in the field, to setting up tactical satellites.
My heart, to be honest, [was] always with the operational side of things. The security part really came later. When I was an intelligence officer I started to really, I think, become more interested in the national security aspect of things.
And then when I landed at DHS … somebody saw my resume and saw that I had both the comms and the security side, and pitched me on cybersecurity. And here I am.