Cybersecurity Expert Interview: Dr. Joseph Burt- Miller Jr.

Introduce yourself and tell us what you do for your day job. 

My name is Dr. Joseph J. Burt-Miller Jr. I currently serve as Assistant Project Manager at

the Department of Homeland Security. One of my main duties is handling the risk management piece for projects, so interacting with contractors and our risk owners, ensures that our risks are tracked and mitigated. Anything that needs immediate attention I bring to my leadership, my project manager and program manager, etc. Also, to ensure that my project manager can do what he needs to do, I take on the extra responsibilities concerning the project. I can try and keep the fires down so they can keep going. 

I was looking at your LinkedIn, you have a very interesting career history. You spent most of it with the US Government. You started as an Air Force SCADA engineer; what is that?

It’s pretty much a fancy way of describing my time doing HVAC, which I did when I was in the Air Force, where I served for four years. After I left, I started working at the Veterans Affairs hospital in New Jersey. That was my first introduction to the OT side of things, seeing the OT and the IT mixed together. 

I had my Bachelor’s degree in Computer Information Systems at the time. I wasn’t yet aware of all the different concepts, but I did a lot of work with controls. One of the systems we used was called Delta, and it was a control system we used to track temperatures for the different refrigerator units we had throughout the VA hospital. We would use that data to ensure certain medicines stayed within the necessary temperature ranges to keep them viable. 

Looking back, I was doing SCADA work before I knew it. It was interesting and fun, and great skill with regards to HVAC. It helped me when I transitioned to IT, so it’s an experience I’m grateful to have. 

Very cool. That’s got to be a lot of microcontrollers running all those sensors and systems. Your resume also mentions that you have some expertise in biometric identity management. What does that involve?

Biometrics involves iris scanning, fingerprints, and voice recognition. I was a portfolio manager as we worked with different government agencies regarding biometric solutions for their own units. A great example is the work I did with FEMA addressing what biometric solutions they needed. They fell under my portfolio, to reach out regarding their POCs, create and cultivate those relationships and determine how DHS can meet those needs to complete their mission. Another example is CPB, the border patrol needs a solution when they’re trying to track fingerprints or facial scans at the border. When they send their scans, we can intake and run them, and see if there is a match with a history or active warrants. It’s necessary to keep the turnaround time short and get that data back to the agents in the field as they have someone directly in front of them and need that information quickly. That’s how we can best ensure we’re supporting them in their mission. 

After this long and varied career in cybersecurity, when you look around, where would you say we're still stuck? What needs to change? 

When I look through LinkedIn, I would say the common theme is that entry-level needs to be entry-level. I have mentees I meet with regularly and give them advice, making plans to achieve the goals they set up. One mentee, she’s struggling. She finished school and is now applying for jobs. They told her she didn’t have enough experience for one job that she applied for. They wanted someone with experience, but the job she was applying for was entry-level. I understand the mentality that they want people who are coming in to be ready, but I’m not 100% with that because you can’t overlook soft skills. Of course, hard skills are important, but someone may not have the exact experience yet. However, that shouldn't be overlooked if they are determined, willing to learn, and coachable. Those are still great qualities for someone to have. Sometimes you’ll encounter someone who is very knowledgeable and knows their stuff but is difficult to be around because they’re complete jerks. It doesn’t foster a healthy working environment.  

It’s very common in this industry, although I think things are changing. You can be amazing at what you do, but having a bad attitude or unchecked ego is not beneficial for the group or the mission.

As a whole, it brings down morale because someone who has that knowledge might be in a position where they could mentor someone and strengthen the next generation of cybersecurity experts, but when you have that sort of attitude of ‘I know everything - get away from me,’ it makes it hard to work together. It also damages someone’s growth because they might feel apprehensive about asking questions or speaking up. It should be okay to make mistakes; everyone does. The key is to learn from them and not keep making the same ones. At the same time, you should be free to have that environment because that's how we grow.

Looking out at the private sector inside the Department of Defense, you must know that many interesting companies are doing innovative stuff. I imagine there is less control over what you’re bringing into your organization because of the procurement process but is there anything exciting happening?

Not so much within DoD, but I currently like what CISA is doing right now. That's the Cybersecurity and Infrastructure Security Agency. 

Since Director Jen Easterly came on board, there has been a real culture shift. There’s a sense that she’s listening to people's issues, and as a result, things are starting to change. I think that’s good; I think CISA is going in the right direction. She even won a leadership award recently, which is well deserved. The best way I can describe it is,

that they’re making cyber approachable. It demystifies it a bit, even something as simple as if you go to the site and look at her profile picture, there is a stark difference between her and the previous directors. She goes against the grain, and I appreciate that. Her profile inspires a message that you’re coming here to be yourself; this is a welcoming environment to learn, grow and foster your skills. So I do like the direction CISA is currently taking. Also, the initiative of trying to hire more, make changes and compete with the private sector. Depending on which areas you’re working in, you have to weigh it out when it comes to what’s more important. Some places pay more, and some have better benefits, which varies greatly between the private and public sectors. She does recognize the importance of trying to make changes toward creating a better future. She is someone I have my eye on.

Do you think there’s a talent shortage in InfoSec? I guess this kind of goes back to your mentee's experience with the “entry-level” position she applied for. How do you think we should be addressing this as an industry?

I do think there is a shortage of companies willing to teach. I don’t know what happened to everyone’s patience. Regarding lack of talent, I don’t work in HR and can’t give you accurate numbers when it comes to that. But I know many people are trying to get in and not getting opportunities.So that makes me question, if there's such a big shortage, why aren’t you hiring? There are people doing boot camps, classes, certifications, degrees, and what have you, and they're still not getting in. Make that make sense to me. 

The initiative shown by people who go out there and get those certifications should show a real commitment and willingness to learn, so why not make it possible for these people, right?

Those same people who may not have experience, or are pivoting from a different career field into cyber and tech or IT, they’re putting in the work and are dedicated to the field. They just want an opportunity. A chance to show what they’re capable of as they may not have these particular skills now, but they have the work ethic that shows they can do it. When I hear there is a shortage of talent, I get confused. It makes me question things.

Do you have any hobbies outside tech? 

I think a lot of folks during the shutdown portions of the pandemic started to notice wider waistlines, so lately, I’ve been taking charge of my health, taking more walks, and being more active. I don’t know if you’d call it a hobby, but it’s an activity that I’ve been more consistent with. 

I like to read and have been building my library, where I can chill out, and listen to music. Of course, I have my cyber collection, but also enjoy philosophy, social justice, and even some politics. I enjoy serving that intellectual side of myself and exploring new ideas and perspectives.  

I love sports. I’m from Mount Vernon, NY, so I especially love my New York teams; the Yankees, the Giants, and the Knicks. I know the Knicks and Giants are not doing much as of late, but I still love them.

Is there anything that keeps you up at night?

If people are going to stay true to say we’re having this shortage, but folks who are trying aren’t getting opportunities, what do you want them to do? A couple of mentees I have right now, and I feel for them. I know they’re trying and working hard, but even with a couple getting interviews, they’re not getting over the hump. I’d like to see that change. I think there is a bit of gatekeeping in place too, which is unfortunate. If we grow and get better, we will need a more diverse thought process and a more diverse workforce. That is something that stays on my mind recently.  

It’s a huge problem what you’re identifying. If people are getting certified, doing boot camps, and still not getting in, then something is wrong with the pipeline. 

And those boot camps aren’t cheap, and some you have to be careful not to be taken advantage of. If you put yourself in the position of the job seeker who is trying to get in, after a few rejections, you might start to feel desperate, and there is the chance of overpaying for certain things because they’re trying so hard to get in. It’s such a shame. I tell my mentees not to buy any books because now there are so many free or low-cost resources out there.

One person I’m doing a lot of work with right now is named Professor Roger Whyte. He’s part of the Black Cybersecurity Association, and I’m part of it as well. Currently, we’re working on a campaign demonstrating how to create a cybersecurity home lab. He created the step-by-step process, and I’m helping to bring it to life. I’m going through his steps, collaborating together, making recordings, and putting it out there for folks trying to bolster their resume and learn. Creating a home lab and practicing at home is a great way to get the experience employers are looking for. I call the group that I lead through this the Study Hall. 

It’s a good group on Discord that meet regularly. We’re currently studying for the CYSA certification. Previously we did the PMP, and we all earned our certification. While working on my doctorate, I learned that having a good group, and a common mindset of supportive individuals helps with motivation. There were days when impostor syndrome was overwhelming, and I wasn’t sure I would finish. What got me through was creating that group, and we’re still going. Now we include folks from different schools, pursuing different degrees but the common goal is to finish. A lot of people get psyched out but having the support and encouragement of your peers creates accountability that helps.  

Do you have advice for people early on in their careers or considering getting into cybersec?

There’s a long standing debate of whether one should go for a degree or do certifications. For myself, the way my brain is wired, I like to learn. I’m a lifelong learner and so getting the degrees was the most appealing route for me. When you’re starting out, try not to focus too much on those things. If you’re going for a government job, 99% of the postings on USAJOBS require at least a Security+. There are others but the common denominator is Security+. I even say get the A+ cert because that also gives a good foundation of different computer components and how they intertwine and interact with each other. That is a good one to get, but if you want a “fast-track way”, focus on the Security+ cert. Along with that, brush up your LinkedIn profile. We saw a lot of that during the shutdown, myself included.

Recruiters are using it a lot more so make sure your profile is good. Join some groups, engage with people that have positions you wish to attain, or who are working in the fields you want to work in, get your name out there and market yourself. Once you get the certification and that first job, leverage your training department. Tell them you want to go with a particular degree and ask if they’ll pay for it. In many instances, as long as it aligns with what you’re doing career-wise, they’ll okay it and pay for it. It’s a win-win where you’re saving money, gaining knowledge, and potentially leveling up to an executive position down the road because you’ll have that higher education. To get in, you don’t necessarily need those higher degrees but to advance while you’re in, it becomes important. 

I know that there are people out there I would like to mentor, and that is often a good way to progress, to seek out a mentor. They can definitely get you to places you may not get to on your own initially, they can help speed up the process in many ways. Look for the coaches, they’ve been there and done it, they have the soft skills which are important to pass on. Even myself, having my doctorate, I don’t see myself as knowing everything, there are still things for me to learn. To be in the mindset of being teachable and coachable creates longevity in your career because you have that willingness to open up and learn. And in turn, always reach back and help those behind you because you were once in that position as well, so don’t get too big and forget where you came from. 

Do you have any predictions for the future?

I predict a much more diverse cyber workforce. I see a lot of work being done by groups such as the one I mentioned, the BCA, as well as some for women. One in particular is WiCyS. I’m starting to see a lot more initiatives, programs and training, many of which are free or low cost.