What is this?
The following is a user guide for me and how I work. It captures what you can expect out of the average week working with me and how I like to work. I intend to accelerate our working relationship with this document, but it is also not intended as a replacement for personal interactions that will enable us to actually get to know each other.
I started down the path to today in 1999, when I began working as a dispatcher at a moderately-sized police department. Like many small organizations, the person most qualified in a task tends to be the one owning that task–for me that was being the IT person. Over the next ten years, I did everything from desktop support to network engineer, server administrator, and full-stack developer and integrator (my biggest achievement at the time was probably making a Clipper application with a dBase backend exchange data nicely with a PHP/MySQL web application).
Along the way, I enlisted in the Air Force Reserve in 2003 as a security forces (military police) member. As happens in the military, folks tend to get bounced around doing additional duties depending on mission requirements. Once again, being the experienced IT person made me the information systems security officer for my unit, which led me to obtain my Security+ certification and started my interest in cybersecurity. I also spent a good amount of time in information and personnel security management for national security programs.
In 2009, I was presented with an opportunity to come work for Texas A&M as a network analyst at the Texas A&M Transportation Institute (TTI), where I worked with a variety of systems in both Windows and Linux environments, as well as the underlying network and VMware infrastructure. In 2012, I was offered the information security officer position where I spent the next 7 years. In that time, I overhauled the agency’s information security program to align with NIST standards (before the State of Texas made it a requirement), streamlined many of the agency’s manual processes especially in the areas of identity and access management to capitalize on automation and consistency, and made use of every available opportunity to reduce the impact of security on the user by implementing measures in the background that were transparent to the user’s experience. I was also fortunate enough to earn my bachelor’s degree in emergency management, a master’s degree in cybersecurity studies, and my CISSP certificate while at TTI.
In 2019, I joined the Texas A&M System Office of Cybersecurity as the assistant system chief information security officer. Here, I maintain the overarching System-level operational security program, function as the executive liaison for the System Office and SOC to the System members, and represent the System on various committees related to cybersecurity. While in this position, I have earned my CISSP-ISSMP endorsement and am pursuing other industry certifications.
In my personal life, I am a husband and father to a five-year-old daughter. My wife and daughter love Disney World, so we travel there often. Then in my (not so) spare time, I am also a pilot and volunteer with Civil Air Patrol.
I will be working from a combination of home, the office, and the road, but I also routinely work in the evening and during the weekend. You may receive emails or Slack messages from me after hours, but unless one is marked as urgent, you should not feel obligated to read or respond to any emails or messages you receive from me outside of your normal hours (and I apologize in advance for any notifications that the emails or Slack messages may generate).
If I am working from outside the office, you can expect me to be as available as I would be if I were in the office. Very few things are more important than talking to you, so even if you do not see me in the office, feel free to send me a message on Slack. Also, feel free to put a meeting on my calendar. My Tuesdays through Thursdays are generally timeboxed, but you are welcome to send me a meeting invite during those times if the openings on Monday or Friday do not work for you.
Personal principles / My role
My primary job is to set up this team for success and autonomy by ensuring everyone has the necessary tools and resources to be successful. I do this by understanding any challenges or obstacles that team members may be experiencing and engaging the necessary people inside and outside the organization to overcome those obstacles. I also build and maintain relationships with our external stakeholders and ensure that the team understands the needs and expectations of the stakeholders and delivers the best service possible to those stakeholders.
My secondary job is to take on projects that have a System-wide impact–what we refer to as Cybersecurity Shared Services. I may engage groups within the SOC/SCS team to help support those projects, but with the expectation that you will tell me if your involvement will impact your primary duties and responsibilities.
I assume that you are very good at your job, I am not good at your job, and you will let me know if anything is interfering with you doing your job. I will support you in any way I can to help you carry out your duties and firefight issues, but please communicate to me when those needs arise.
I begin with 30 minutes every other week with my direct reports. This time is intended to discuss topics of substance, not to provide updates. In the first 10 minutes, we can talk about anything that you are interested in talking about (examples include how you’re doing personally and professionally, what you need to be successful, what you wish could be different, how you feel about our team and your teammates, what your career goals are, etc). In the second 10 minutes, we will talk about your large-scale projects and other impactful initiatives within the team. The last 10 minutes are reserved for discussing your career development and team strategies.
I am open to variety in frequency, length, and format of 1:1 meetings if there is anything that you wish to adjust. I will also have a shared project (probably in Asana) for us to prepare meeting topics beforehand so that we can make the most of our time.
I go to a lot of meetings. I deliberately run with my calendar publicly visible for the team. If you have a question about a meeting on my calendar, ask me. If a meeting is private or confidential, its title and attendees will be hidden from your view. Most of my meetings are neither private nor confidential.
My definition of a meeting includes an agenda and/or intended purpose (probably in Asana), the proper number of productive attendees, and a responsible party running the meeting to a schedule. If it is not clear to me why I am in a meeting, I will ask for clarification on my attendance.
If you send me a presentation deck a reasonable amount of time before a meeting, I will read it before the meeting and will have my questions ready. If I have not read the deck, I will tell you.
If a meeting completes its intended purpose before it is scheduled to end, let’s give the time back to everyone. If it is clear the intended goal will not be achieved in the allotted time, let’s stop the meeting before time is up and determine how to finish the meeting later.
I am a strong believer in the Directly Responsible Individual (or DRI) principle; that for any given task or project, there is always one person named as being directly responsible for its outcome. Each project should exist in Asana, with the project owner identified in the Asana project. Likewise, all tasks should belong to a project (either a specific time-bound project, or a standing project such as the action items from the staff meeting) and also have the DRI set as the task assignee.
There are some areas where the DRI is naturally a team lead, supervisor, or manager, but many times the DRI designation will fall to the team member who has been assigned a task or project. Everyone contributes to the success of the DRI principle by being an accountable teammate and keeping transparency in the progress of tasks and projects.
There is a formal feedback cycle that occurs annually. During our first time through this cycle, we will draft a proposed set of goals for the next review period. However, I try to provide feedback as soon after seeing the topic of the feedback as possible without interrupting operations. If you would like specific feedback on something, please let me know. I am happy to provide an outside perspective whenever I can.