How CIOs Get Things Done

Dan Mellinger: Today on Security Science, we're learning how a CIO is able to turn big ideas into reality. Thank you for joining us, I'm Dan Mellinger, and today we're discussing the process of turning big ideas into real projects that can achieve some meaningful results. I have the pleasure of speaking with a technology leader today who started on the technical side, so network and systems engineering, and has worked his way up through the ranks, and currently serves as the forward- thinking Chief Information Officer for the City of Tucson, Arizona. Collin Boyce, thanks for joining me today.

Collin Boyce: Good morning, and thank you for having me. I'm excited to be here with the folks from Kenna, with you Dan, I love the product, I've been using it for probably my last two engagements, I've been using the product and been evangelizing, speaking in conferences on how we can use or people can use the Kenna product to advance what they're doing from a cybersecurity perspective. I also want to say congratulations to the Kenna team being scooped up by Cisco, so you're going into the mothership of networking. So congratulations to the Kenna team, I hope it all works out great being part of the Cisco ecosystem.

Dan Mellinger: Absolutely. Thanks so much. I mean, it's been a wild ride and the team's all pretty elated at the outcome. So man, I can say personally what over three years here for me and it's just surreal at this point. I mean, I can't imagine a better company, the more that we've had time to digest from a fit perspective, so we're really trying to drive things home in the market of risk- based vulnerability management. And I will thank you for giving me a good CYA, so this segment I do like to cover our butts here. Collin is a customer of Kenna Security, as he said, so we normally preface when we cover our own research or we like to ground out where the data set was and whatever that context is and a lot of times that's Kenna customers, which disposes this to people like Collin to being more disposed to using RBVM. They typically, we like to say are a little more innovative in their approaches to vulnerability management and likely IT and security more broadly. That's actually why we're bringing Collin on, because he's done some pretty cool stuff in some spaces that maybe you wouldn't expect, so anyway, Collin, let's kick off. You started as systems engineering, right? So you started very much on the technical side where some CIOs may start more on a business side. Do you mind just walking us through your journey and what you learned along the way? What was more technical? Where were some of the skills you had to pick up on the business side?

Collin Boyce: So I will start off and I'll give the funny side of it right, I started off mechanical engineering and electrical engineering at Fairleigh Dickinson University, where I flunked out, twice.

Dan Mellinger: Nice.

Collin Boyce: I flunked out twice. And I have a brother who is a neurosurgeon in Michigan now and he pulls me to the side and he's like," Collin, are you an idiot?" He was like," It's obvious that you like computers. Why don't you go into the comp science?" So I was at inaudible Community College trying to get back into engineering, the hardcore engineering. And I left and started to work for a company called The Brown Companies. And when I got into The Brown Companies, my job was to collect bills but on my interview the guy's computer broke and I fixed the guy's computer on my interview, and while he was calling tech support I sat down and started to fix it. He hung up on tech support and he's like," You got the job." And for those who are not aware, Harry J. Brown, it's like, this guy was ultra rich, right? His dad was this major movie star and I think at one point in time, Universal Studios was on his lot, so he was this real estate mogul and he was just amazing. And so I started building computers and ran my first networks for them and then I got picked up by the VA Medical Center as a contractor, this one was a funny one too, they hired me as a nurse contractor working in the IT department.

Dan Mellinger: Interesting.

Collin Boyce: So there was a lot of bending of the rules and so probably when everything really picked up steam for me was I got into the dot- com boom in New York city. And so what you call, guys called Silicon Valley out in the West Coast, we called it Silicon Alley in New York City. So I worked for a company called the Globe. com, which was kind of social media 1. 0, predecessor to that so Stephen Paternot and those guys, I knew them growing up and inaudible was a mentor to me. A really interesting gentlemen I met there a guy named Len Rose. So if you ever read the book, The Hacker Crackdown, there's a whole chapter dedicated to the antics of Lenn Rose and Len Rose and I are really good friends. Super smart guy, taught me a bunch about cybersecurity. So I had this learning Unix, Solaris, security, really technical background. And I started to pick up routing and switching so hardcore. So went to About. com, helped them with security, went to U- Pack and then I started to branch out of the dotcom verticals and I worked for Morehouse School of Medicine when my wife was going to medical school. And then while at Teleservices, which was a call center... And I'm giving you my resume, the Reader's Digest version of my resume. Worked for finance in MERS of Michigan, and then Emergent BioSolutions, who happen to make the anthrax vaccine, and I stayed there for about a year and I'm like," You know what? Manufacturing isn't for me." And then I went back and started to build cloud products as a Director of Technology for a company called Comlink and then the government sector scooped me up right. Comlink went out of business and I needed to find a job and I became the CIO for the City of Lansing where I did my first Kenna deployment, that's where I met the Kenna team. And then I did my second deployment here, at the City of Tucson. I came to Tucson, Arizona, and I wanted to have that visibility. Stuff that I learnt along the way, right. So what I realized was being extremely technical that I had to work on my communication style. And so people are going to laugh at this, but what I just started to do was at that point in time, I'm a fairly religious guy, I started to preach in churches. I picked up public speaking in churches and what rings out for me, there was an episode of Seinfeld where they said public speaking is people's number one fear and their number two fear is death.

Dan Mellinger: Yep, this is absolutely true.

Collin Boyce: And so people in the audience going," I would rather be dead than doing what he does." And so I picked up public speaking and I tried to pick up a style in public speaking that was winsome and engaging. And so when I speak in conferences, I learnt what I learned here from speaking in church. So first thing I learnt was to develop a communication style where I could be winsome and motivate people to make change in public forums, and that was a huge school to learn. The second thing I learnt moving from the really technical, the abstract moving packets and Unix command minds was I realized that I had to learn how to speak in analogies. And so I use analogies all the time when I'm speaking to folks, so I met with council yesterday and we were talking about a network that we stood up, this LTE network, that's getting a lot of press throughout the country. And I had to explain what we were doing when we talked about optimization in a network and I gave them an example, I said," Remember when you were a kid and you had to go to the TV and adjust the antennas. And you went and looked to see if the picture was clear, that's what optimization is. We're basically adjusting the antennas and we're coming back to make sure that the signal is clear." So people are able to connect. And so I've figured out how to quickly pull together analogies to be able to help people to connect. And then I think the third large thing that I picked up along my career, and I frame it as a quote, when your vision of the community outweighs your love of your community, then your loss. And what I found out was coming from a technical perspective, I became really idealistic and things had to be done, right. And it took me while to realize that right, was subjective. The right thing to do technically, may not be the right thing to do financially, may not be the right thing to do personnel wise, may not be the right thing to do marketing wise. And I realized that I had not, I had to avoid being I would say dogmatic and realize that I have to do what I call a pest analysis right, look at political, economical, social technical, and see how everything lined on top of it. So I'm not doing the right thing just technically, but I'm looking at the full picture and making sure that I'm doing the right thing across the board.

Dan Mellinger: And there's that CIO coming out right there.

Collin Boyce: Yeah. Yeah.

Dan Mellinger: Well, I think your background is super, super interesting and it lays out a lot of the contexts that honestly, I didn't even know heading into this. Right. Bootstrapped from the ground you self- taught in a lot of ways right, you're learning these skills as you're going and got that innovator spirit from that tech scene Silicon alley, right?

Collin Boyce: Yeah. So it's funny right, because it's really, it was that I have a friend who's passed recently. He didn't make it to 40, he was taken... Died with complications with diabetes, Julian Dropin.

Dan Mellinger: Sorry to hear that.

Collin Boyce: And we bought a computer, used computer and I ended up buying another one and Julian started to teach me how to run networks, and I would stay up all night and build networks. And there was a used bookstore in the lower east side of Manhattan. And I would go buy used books and there would be time he was like,"I need to buy computer parts and I need to eat. I'm going to skip eating, just buy computer parts." And I just find myself sleeping and working on computer parts and-

Dan Mellinger: Eating Ramen.

Collin Boyce: Eating Ramen or sleep sandwiches, right. You go to sleep and when someone's offered to take you out or you go speak at a church and someone invites you to lunch, you were going to lunch because you didn't know when they're going to get your next meal. But I would buy all these books, and I started to amass all of these books from the C program language, to Unix, to networking. And I would read them from cover to cover and do every example inside of these books in order to get my skill set up. And probably one of the most incredible experiences I would say is when I worked at TheGlobe. com, I needed to... We were looking to inaudible to host all of these websites. And I decided what I was going to do was I was going to write code to process the data that was being kicked out from inaudible. So I wanted to do it, so I came home and this time I wasn't as healthy as I am today with two liter bottles of Coca- Cola. And I read this book the C programming language, the programmers normally call it K& R. And I read it from cover to cover, did every example on the weekend and came in Monday morning and started to write code for the company. And it was one of these experiences, right. I came from a tech background, but everything about computers, I loved, I always wanted to continue to learn and to grow in this. So there's nothing that I've found in this industry that I haven't dabbled with because I just want to learn, and so I've remained curious and I've remained a learner.

Dan Mellinger: So, number four is stay curious, keep learning and it sounds number five is doing beats everything else, right. Like public speaking right, you're like," I don't know how to do this. I don't know how to communicate. I'm going to go find ways to go expose myself and do this skill, build this skill, it's like a muscle."

Collin Boyce: Absolutely. Right. I've never met somebody who learnt how to drive a car, sitting in the passenger seat.

Dan Mellinger: There's the analogy.

Collin Boyce: Right, there's the analogy, right? You've got to be in the driver's seat right. You've got to get off the bench. I played semi- pro basketball. You got to get off the bench and get in the game and you got to take a chance. And when you start to take those chances and you push yourself harder than you've been pushed before, that's how you get to the next level.

Dan Mellinger: Yeah, get those reps in. Well here, I want to ground this out a little bit because there's a ton of good examples that you've provided, and then I think there's a really interesting story. So you're in the public sector that's for better or worse, we don't typically associate public sector work with innovation, speed, right. We think more of the opposite red tape, bureaucracy, five- year roll outs, inefficiency, but you alluded to this project before. During COVID you basically found a way to take unused spectrum right, wireless spectrum and provide the city with reliable internet access, right?

Collin Boyce: You're right. So the government sector is not known for efficiency and matter of fact, when I was offered the job by Virg Bernero who eventually became a friend, he was the mayor of Lansing and an interesting one, right. He's the angry mayor is his nickname. When he offered me the job, I don't know, do I really want to go to government because I'm about innovation and moving fast and government is the polar opposite of doing that. What I discovered is that you have to break these projects down. So I'm using this wireless project. I had to break it down into small bite sized chunks that people can understand and Virg shared something with me when I first met him. He said," Collin, when you are tired of talking about something, it's now starting to sink in with the people you're talking to." So we wanted to connect and get citizens access to the internet, but we also wanted to jumpstart what we call our smart city initiative, right. We want to be able to provide conductivity for traffic signals and buses and eventually live streaming body cams and even cell phone service, right. We're talking about doing all of that stuff. And we said," Hey, look, this project is a win because we can provide connectivity to citizens." We have roughly about 800, 900 citizens connecting right now and we're expanding on that, so more citizens are connecting devices. We want to fuel our smart city initiative, so we were working on that. And then the other thing was we wanted to control the cost of what's happening inside of the city. So our telecommunications costs goes up 20 to 30% every year. And why that happens is all of the smart city connectivity stuff that we want to do, running fiber and new locations that are coming up, that just makes our bill go up and we wanted to control those costs. And this gave us the opportunity to be able to control the cost, and it's a win- win right, the part of what makes this cool is you can't let the product become aged in our world because you have citizens connected to it and you have your smart city connected to it, so we have to continue to maintain it. And so yeah, we use this new spectrum CBRS, connected about 800 citizens, and they're able to telework. We have employees that are using it and we're actively now working at connecting traffic signals to the same infrastructure, and I know your audience can't see it. And I know there's going to be someone to go," Well, what's next right?" The next thing that we're working on is I'm pulling out a cell phone, we're installing SIM cards in the cell phone and the cell phone will be connected to the same network. And so we will be able to place calls like we're on the city's network, so the PBX. Instead of giving people a phone on their desk, we can give them a cell phone that will have a five, two, O, their desk number, and they can provision and make calls from anywhere and roam with this number just about everywhere in the country. So it takes what we're doing just one step further.

Dan Mellinger: Interesting. And so just at a ground level, just so I'm clear, you guys basically use the city's existing fiber infrastructure, right? So you already have fiber running to the big city buildings and offices and all that stuff in Tucson, and you guys essentially leverage that to provide radio towers for wifi, essentially, right?

Collin Boyce: Yes. The ACC provided a citizen band and this band that we're using was the band that was supposed to be used with navy ships, so if they have to do any recovery. But I'm in the middle of Arizona, so I think running into Navy ships that need to do a recovery in the desert-

Dan Mellinger: Highly unlikely.

Collin Boyce: Is going to be unlikely. So yeah, we're in pretty good territory here.

Dan Mellinger: Interesting. I mean, that just seems like such a innovative and unique use case right, so you're taking infrastructure that exists and spectrum that exists and may not be used to its full capability and," Hey, let's take this, help it power wireless connectivity for our smart city initiatives." But also provide what I think you connected more than 32,000 of the cities, 200,000 households, right?

Collin Boyce: Yeah.

Dan Mellinger: With the internet access.

Collin Boyce: Well, there's 800 households, but we're capable of connecting 32, 000 of them at the moment.

Dan Mellinger: Got it.

Collin Boyce: And we're waiting for them to come in. What we are doing also is connecting traffic signals and then we're using the same network to provide wifi in some of the public parks. So it's high connectivity everywhere. And the awesome part about it is this will allow citizens to be able to go just about anywhere and get access to the data they would get from a library. That's one of the struggles we have right, when we built this, it was should the government be doing this? And my argument on this side was" Well libraries provide books. And Amazon also provides books." We never think of the libraries competition to Amazon, and what we're providing is pretty much internet content that you would go and get on a library shelf at no cost to citizens so they are able to connect.

Dan Mellinger: Access to information.

Collin Boyce: Access to information, and so that's really the secret sauce.

Dan Mellinger: That's super interesting. And you know what stuck out to me like we're talking about government and perception and efficiency right, you did this in what, three and a half months?

Collin Boyce: Yeah. Yeah. So it was a really quick turnaround project. And I know we may talk about cybersecurity with this, but the goal is to bring visibility to the problem, which was my first step we brought visibility to the issue. And then come up with a plan and structure that plan around easy wins. If your plan doesn't have easy wins and this first step to get out, the gate is difficult, people are going to lose interest and it's going to be too hard. So for us to get somewhere close to 70 to 80% of the network up and running, it was using the existing materials that we have and taking advantage of it. And then the next part of it was the more difficult part, but when you take the medium stuff that's difficult, the medium difficulty, it makes the super hard become easy because now you have a cadence and an idea of how to work around that.

Dan Mellinger: Momentum.

Collin Boyce: Yeah. Thank you.

Dan Mellinger: Yeah. Interesting. Yeah. I find the same thing with large projects, right? You structure it for some early wins right out of the gate, get some traction, get your reps in going back to the basketball analogy right, and then you, you up level. Now let's do some harder stuff right, we've got this down. We can go a little bit harder than we could before, and then by the time you're done, the hard stuff seems easy, right?

Collin Boyce: Yeah. Otherwise you'll take the easy and make it hard and make the hard impossible.

Dan Mellinger: Yes. I've seen that happen quite a few times as well. So full disclosure, when I was in my senior year of college, I actually worked for the California Senate doing public affairs. And I thought I wanted to be a lobbyist at the time and be involved in the public sector from a comm standpoint and the amount of red tape, I got disillusioned in like two and a half months. I was like," Nope, I'm leaving. I'm going back to private. And this is not what I want to do with my career." And so just facing off against that kind of bureaucracy itself can be super daunting. So, how did you come into that with just the frame of mind that you can actually get this done in that amount of time?

Collin Boyce: So the funny part is no one believed I can get it done. I sat down-

Dan Mellinger: I wouldn't have believed you if you told me this at the beginning.

Collin Boyce: Yeah. Yeah. I sat down with the vendor and we reached out to a vendor in September of last year and we told them what we were trying to do. And this guy, he was a sales guy right, so he wants to make money. It's like," Look, we have about$ 5 million, we want to do this project." And on the interview, five minutes in. And he's like," What you're telling me to do is impossible. It takes us a year just to plan the network and then probably another year to do the implementation. So you're talking about two a year project and you're trying to get it done in three, four or five months?" He's like," It's impossible." And in the interview, I'm like," Well, thank you for coming out and I'll talk to you later." And I hung up the phone. And the people who bought him to the table, it was like," Well, we were surprised you just hung up the phone." And I'm like," Look, the project starts off first with, do you believe that you can do what we're asking you to do? And if you can't believe it, then you're not the partner I need." I'm a runner, right? The first part of being able to run a marathon... And I ran 12 of them, eight of them in one year. The first step in running a marathon is you got to believe that you can finish the rest. If you can't believe that you can finish it don't bother, don't bother. And the reality is I believed that we can finish the race. And so I was only going to surround people who believed it was possible and their pride would not allow them to fail. So they were going to try their hardest.

Dan Mellinger: That makes perfect, perfect sense. Yeah. That's super interesting. So you also need that kind of support from the partners and the people on the team, right?

Collin Boyce: Yeah. Yeah. Because if I could connect with one or two people and every vendor then is, or a person involved in the project and they have that energy that they're going to push, then I know I'm going to meet the finish line name. And I may not meet it exactly where I want to and I'm going to be close.

Dan Mellinger: Yeah. And you'll make that movement. Speaking of actually, I think you mentioned you had a budget of five million, which honestly doesn't seem like a lot for a project like this actually, it seems pretty small.

Collin Boyce: It is pretty small, but here you're going to laugh at this. When we first started, we started the project not with a$ 5 million budget. We started with a$ 5 million budget to cover 19 square miles of the city. And then we had another plan to add another eight square miles starting at this part of the year. So we were going to rewrite around 27 square miles and spending$ 10 million to do it. We were able to circle back and do 37 square miles of the city on that same$ 5 million by pivoting the technology we used.

Dan Mellinger: Jesus. How?

Collin Boyce: Moving from standard wireless to CBRS. Being one of the first people to do it, we seized the opportunity of being one of the first people in the country doing this at a municipal level and we negotiated with our vendors.

Dan Mellinger: Yeah. This is going to be a proof of concept, you're going to get some traction outside of this, right?

Collin Boyce: Yes. And so I took the risk and here's how I justified the risk in my mind. Well, A, it was Kenna's dollars right, it was from the Coronavirus fund. So it wasn't city dollars, but we knew that people cared about it, but I redefined success. Everyone was," Do you have five million or 5, 000 people to connect it at the same time?"" Well, no, we didn't have 5, 000 people to connect it." But here's what I said to myself. I said," Look, if I can spend$ 5 million and build out a network that can fuel the smart city initiative that we want to do in the city, we are better than we were last year, this time."

Dan Mellinger: Yeah. And that's a build for the future.

Collin Boyce: Is am I building for the future? And by doing that, we were able to, to do this. Candidly, I approached just about every project like that. I take the approach of, if I fail, what is it that we lose at the end of that project. And if we just get better at the end of the project, then it's worth doing it, and that's how you fund innovation. And I encourage people, understand the difference between innovation and change because all innovation brings change, but not all change brings innovation.

Dan Mellinger: That is true.

Collin Boyce: And so this is truly innovative right, we were doing inaudible the entire project and making changes as we go along.

Dan Mellinger: That is super, super compelling. Well, I mean, that seems like a pretty good place to kind of stop at this point, right. I mean, congratulations to all you've done thus far. I hear you guys are going to be rolling out phase two and three of this, but ultimately you guys are building for the future, right? So anything you want to speak too, to that before we hop off today?

Collin Boyce: Well, I'm surprised we didn't get to speak very much about what I've done with Kenna but.

Dan Mellinger: All good. I think that the story on how you're getting stuff done is a very strong lesson right, that can be taken and applied to most, not just technology right, but these kinds of security projects and all that good stuff, right. You take this top down view and break things into meaningful data points that you can measure and get done and achieve, and build that momentum. And that speaks to how Kenna, what our product does, right? Take a top- down view, break things down into metrics that you can measure, get these meaningful wins down, and ultimately you can end up changing a culture internally at the company.

Collin Boyce: Yeah. And I would agree with you in that the first thing that I've discovered with this, and even in this first project, right. What we're doing, with the one we're talking about is bringing visibility. And what Kenna does for us, when we did the deployment was we brought visibility. And you'll laugh at this, the first part of bringing visibility for us was just pointing out that there's a gap. We got a new tool that's pointing out that you're not doing your job the way you thought you were doing it. And people scrambled to fix their problems because now they're aware of their problems and the same thing we did in the city right, when we were aware of the problem, how big the digital divide was, we did something to help address it.

Dan Mellinger: Yeah. Well what I find interesting is it's not, you're really good at pairing this kind of technical know- how and solving problems via the technology with this kind of social business process people aspect, right. And that's a big piece of what we do, right, at Kenna Security we provide the tool, but what we've learned in the 10 years we've done business is it's really about the people and the process and the culture and the maturity level, right. And that stuff needs to change ultimately for people to get really proactive around vulnerability management, right? It's a very, very difficult thing to wrap your head around. It's truly different than how people have done it over the course of the last 20 years, right. But it really needs to come from a Collin right, who can see kind of the forest through the trees and ultimately rally a team around getting these wins, really engaging with the technical aspects and understanding what they're doing and why it matters. And then ultimately you can make true innovative change, not just change for changes sake, right?

Collin Boyce: So I love the element that you threw out there about finding purpose, why are we here? Why are we doing this? And I will add not only is finding purpose, but it's finding easy wins. What I discovered when I first did my first deployment of Kenna was yeah, you have the availability and we have the monitoring, but it's more than just prioritizing the risk. What I found was I took the Kenna tool and I programmed into it what's configuration problems, and what are easy wins that we can patch? And what I found was, A, you got to treat the configuration problems as projects, and you can patch to your inaudible. You won't fit a configuration problem with a patch right, you've got to fix configuration problems. But when we found like the largest problems, that is hitting the entire environment, the most amount of the environment, and they're easy wins, and people are able to push a button and see that score drop, then they start to catch fire." Oh, this isn't that hard." Remember, 80% of what you do is easy to do, and then the last 20% is where the work is, right? So in Kenna Security, what we found was there was things that we could do, 80% of it was really easy. Like Cisco switches that had SSH Version 1 on it. Well, that was just one command line push, well we're done.

Dan Mellinger: That was easy.

Collin Boyce: That was easy. Firmware updates, that was easy. The problem was when you had to swap out a switch because there was no longer firmware updates and you have to trace cables. Those last 20% is where you have to focus your energy on, but the easy wins pave the roads as I said earlier, for the medium wins and it takes what's impossible and makes it possible.

Dan Mellinger: Man, Collin, right back to the beginning of where we started, ultimately turning these impossible ideas into reality. I couldn't have scripted this better honestly so.

Collin Boyce: And finding relative or finding good touch points that people can relate to as analogies. Something as silly as talking about their rabbit ears in a television, to help them to understand wireless or helping people understand something about network security by talking about plumbing and pipes and pipes, having a leak. Those things, those small things, and spending some time figuring out analogies and how to connect people to those analogies, to visualize what we're doing, that's really where the bread and butter is at the executive level if you want to get to the next level, because they're never going to understand what you're talking about until you can paint it with something that's relatable to their universe.

Dan Mellinger: Absolutely. Well, that is amazing. I think you've provided a ton of good insights and I mean, honestly, strategies as people try to turn their security or technical abilities into a longer career and people who may want to get into management and apply these to successful projects. And honestly, just getting people to think big. So Collin, thanks so much for hopping on. To all of our listeners, you should be able to go on and get some( ISC) ² credits by the way, from listening to Collin, give his advice and help you be a better technical manager. So feel free to go on the KennaSecurity. com/ blog. Find this episode and go enter your ISC email and number, and you'll get some cool credits at the end of the month. Collin, thanks for joining me today.

Collin Boyce: It's been a pleasure. Anytime, I'm available. This has been a lot of fun.

Dan Mellinger: This is a ton of fun. I actually have relatives in Tucson, so I'm going to hit you up next time I'm down there. I'll take you to lunch.

Collin Boyce: For sure. And congratulations on the Cisco partnership or acquisition.

Dan Mellinger: Acquisition, yeah. Thanks again, Collin.