How To Be a CSO for the FBISF Security Leader on His Role, Career Advice
The word 'security' takes on a whole new level of importance when you take a job in federal law enforcement, says Joshua Belk, CSO of the FBI's San Francisco division.
Working as a CSO in law enforcement is much different than filling a security role for a private sector business, says Belk, a former military security specialist. Instead of seeking ROI, one must focus on helping to catch criminals.
"In our job, it's really about catching the bad guy and helping the victims," Belk says. "If you can understand that as an information security professional, then I think you're going to be successful."
In an interview with Information Security Media Group about security careers in law enforcement, Belk discusses:
- His career path to the FBI;
- The unique demands on security pros in law enforcement;
- Career advice for security pros eyeing opportunities in criminal justice.
Belk currently serves as the chief security officer for the Federal Bureau of Investigation, San Francisco Division. His career in the FBI began in the Sacramento Division in 2008, where he served as the first associate chief security officer in the division before being promoted in 2010 to CSO in San Francisco. Prior to the FBI, he served as a security specialist in the U.S. Air Force and for the Defense Microelectronic Activity. He has more than 15 years of experience in the security field, having worked with various foreign governments, militaries and private sector companies in security matters.
Role at the FBI
TOM FIELD: Could you talk a bit about your current role and what your path was to get here?
JOSHUA BELK: My current role is [as] the chief security officer in the San Francisco Field Office, and that includes pretty much all aspects of security. Information security is one of the aspects that we cover, along with physical and personnel security. And in order for someone to matriculate to being a chief security officer in the FBI, they should have a pretty strong background in at least two of those disciplines. So we're looking for people who have a strong background in physical or personnel, but more importantly, we've started putting an emphasis on the information security side.
FIELD: How did you get where you are today, and what would you say were your most important skills or experience leading you to where you are now?
BELK: The important thing here is that there are really two ways, and I'll explain the way that I made it. It seems more and more that you either come from one discipline or another, and my personal background was more involved with the physical security and personnel security. The other way is to be a true information security person. I had some time with other government agencies in the military and that translated well into security with the FBI. That was probably about six years ago, and since then, I've championed information security and made it my daily effort to become better at what the threats are facing us every day. It's something that, in the future, I think we're going to see more people in a professional manner learning what information security is and how it effects each business, [and] also the government.
The Business of Law Enforcement
FIELD: What would you offer up as some examples of the role that security plays today in what you might call the business of law enforcement?
BELK: The reality is, they still are two very different disciplines. The crossover from law enforcement to security is the interviewing. There's a lot of times where, in my current position, we're interviewing with different personnel. It could be employees, it could be folks that are in the private sector, and it's in an effort to complete whatever goals that we have set out. The law enforcement professional is someone who is an investigator who's dealing with the public, outward facing. In the security business part, you're really looking at keeping the investigators on track in terms of information security and maintaining the security standards within the organization. It seems that sometimes that might go head to head, but it's quite different. You're dealing with the people who are facing the public, but instead we're dealing with the people that are inside and working to keep them within the guidelines as in any organization. I think that's the interesting part; the security piece for the FBI is something that is easily translated to any private sector company.
FIELD: You've got information security on one hand, you've got law enforcement and crime on the other. How do you manage to keep up with the changing demands of both?
BELK: I see this as less complicated than it might seem. Technology is advancing daily, and the threats are emerging constantly. What's happened to society is that we're seeing these problems evolve, you know an employee that works for us, as an employee that works for you, is facing the same problems. They have their own Internet at home. They have their own financial institutions that they are dealing with, and we're all at risk regardless of where we work for these crimes of identity theft, for crimes of having your computer infiltrated or everyone has had a virus by now. They've had to deal with the frustration of having their computer fixed or having something done with their own information.
So today people are aware that these things exist. It's not something new. So we've all been effected, and that makes it much easier for me to have those conversations with the folks who are investigating those crimes, but also the employees who are supporting those law enforcement investigators. And the strictest way to look at it is, we have to stay abreast of what crimes are going on out there. There are certain fraud [trends], and those are changing constantly, so it becomes my job to make sure that I'm messaging that to our employees so that they're aware of it. Your agencies are looking at it, but the truth is we all don't know what each other are doing every day. We're facing different issues, and so it becomes my job to step in the middle and make sure that everyone is aware of the risks that are out there from a criminal side, which is just part of the security education that we offer.
FIELD: For somebody entering law enforcement and information security today, what would you say are the necessary skills and experience?
BELK: ... To be a truly successful information security professional or a security professional anywhere, you have to understand your audience. And for those that are working in law enforcement, they understand that there is a different attitude among ... the employee population in law enforcement. They have a much more mission-focused, goal-oriented attitude in dealing with providing a public service. It's different from private-sector business where there is a bottom line, there's some kind of profit to be made. In our job, it's really about catching the bad guy and protecting the victims. So if you can understand that as an information security professional, that the goal is really to achieve the mission or the objective, then I think you're going to be successful.
There are obviously certain certifications that are out there, I think they're pretty well known that CISSP or the ethical hacker certifications are some things that would make someone very strong in the information security discipline. But translating that to the employee population is really the underlying goal of anyone in this career, and that's very difficult if you don't understand law enforcement.
So the people who started in law enforcement, they already get that. They already understand the dynamics, the personalities and the mindset of someone who is caring a badge and gun every day, going out facing the public and dealing with people who are willing to break the law and then trying to relate to that person is the goal. I think that while I gained my experience in the military, that those experiences could be gained in any law enforcement organization. But since there are two different tracks, the person who is performing information security really has to go above and beyond and make sure that they're staying in touch with what the current issues are in information security while understanding the culture.
Aiming to be an FBI CSO
FIELD: What would you see as a likely career path for someone who wants to be a CSO with one of the bureau divisions?
BELK: The position right below mine is called the associate chief security officer, and that is a professional role. With the way the government hires certain positions and security disciplines, any security specialist could eventually matriculate to that position and then become a CSO in one of our divisions or in another agency. ... We've seen a lot of folks like myself who were an associate security officer first because it gives you a chance to understand the agency, understand the issues and get a deeper experience in a couple of the disciplines before you move up to kind of champion the overall security program. Folks coming out of college or those who are coming out of the military, or even private sector, should look for positions that allow them to get somewhere in the middle and then move up among the security specialists ranks. I say that because they really need time to adjust.
The private and public sector are so different in the mentality and unfortunately, things move a little bit slower for us, but they are more deliberate. So it takes time to really understand the process and some of the guidelines that we have are a bit stricter. We have the option to forgo certain criteria that have been laid out for us because we are working for the taxpayer at the end of the day and we have to follow certain guidelines, whereas a company has the option to maybe forgo some things and accept the risk in a different way. It's two mindsets, and if they come in and get a few years under their belt, then they can move up and be very successful.
Advice to Newcomers
FIELD: What's the most important piece of advice you could offer someone entering their career in security?
BELK: Professional curiosity, and I say that meaning read, eat, sleep security and understand what the issues are. And if they understand all of that, the thing that they can do then is work on understanding their audience. No matter where they go, if you can understand your audience and relate security from a technical aspect to someone who doesn't understand technical things, you'll be successful anywhere.