Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

#ISC2Congress: Interview: Steven Hernandez, CISO, U.S, Department of Health and Human Services

Let me introduce you to Steven Hernandez, a man whose job title makes me want to take a nap. His full title is the CISO for the Office of Inspector General (OIG) at the U.S. Department of Health and Human Services (HHS) and director of OIG's Information Assurance Division. He also has a lot of letters after his name; extra-long nap needed.

I meet Steven at the (ISC)2 Congress in Austin, Texas. We sit down right at the end of the day when my jetlag is simmering and I’ve been in back-to-back interviews. This is usually a recipe for a tough slog, but Steven is charismatic, warm and engaging, and I thoroughly enjoy our conversation.

Prior to joining the HHS Inspector General’s office, Hernandez held senior information assurance positions at the U.S. Department of Education, the U.S. Department of Agriculture and at a National Security Administration Centre of Academic Excellence Research Institute. In short, ‘he knows his stuff’.

The U.S. Department of Health and Human Services, he tells me, is a one trillion dollar portfolio, which his team is tasked with protecting from fraud, waste and abuse. “We need to leverage technology to get efficiency out of our workforce, and we need to make sure programs run efficiently and that tax dollars are well spent. My job is to make sure that information is protected from attacks and accidental leak. The American public has to continue their trust in the work that we do.”

His job is big, he admits, and he maintains that the only thing that keeps him sane is his “very good team. They do the majority of the work and let me focus on strategy and vision”, he says.

Recruiting an A Team with a Tight Budget

I ask how he recruits and keeps such a good team given the lower wages that are on offer in the public sector. It’s challenging, he admits, not just the pay aspect, but the time it takes to hire. “It can take me six to 12 months to go through the hiring process and clearances. Sometimes it takes so long that by the time I get sign off, the candidate has taken another job.”

There’s not a lot of good talent out there, sighs Hernandez, so smart organizations know that it’s imperative to keep good employees happy. “I focus a lot of effort on making sure my own people are happy – getting them the right training, the best resources, and making sure they have a good work/life balance.”

“I focus a lot of effort on making sure my own people are happy – getting them the right training, the best resources, and making sure they have a good work/life balance”

Hernandez’s advice for hiring new people is to look within your own organization and to offer sabbaticals which work as a ‘try before you buy’ for both employee and employer.

Unsurprisingly perhaps, given his CISSP, he values certification highly when hiring.  

“Some think it’s a useless money making scheme, but I really value it. If we can’t provide a credential that’s providing societal value then we shouldn’t be doing it. The (ISC)2 certifications allow me to get my team up to a common body of knowledge. We can then operate at a higher level of efficiency.” More than anything, adds Hernandez, “it narrows down my options when hiring, and gives me assurance that I’ll be hiring someone with a similar view of information security.”

The Pros and Cons of Millennial Cybersecurity Pros

Hernandez works with millennials that add a “different management perspective to his team.” He praises their interest and passion in their work, in making things better and in leveraging their knowledge to improve the workplace. Additionally, their comfort with technology is a big advantage, he adds.

The more challenging aspect, he says, is that “they know the rules of how to play the game and are prepared to play the game to maximize their outcome.” They expect constant gratification and instant promotion, he explains. “My management’s generation expect career progression every three to five years and that shortened a bit in my generation. The millennials however want instant career progression right to the top of the ladder. They have big dreams, big ambitions.

“When millennials put that drive behind ‘the mission’, they are amazing, but the challenge is that as soon as they see clouds in the blue sky, they look elsewhere very quickly.”

"When millennials put that drive behind ‘the mission’, they are amazing, but the challenge is that as soon as they see clouds in the blue sky, they look elsewhere very quickly”

So how can employers keep hold of the millennials in their workforce? “The key is to take a step back and give a lot of feedback. It’s a generation of gamification, so how do we, as managers, add an element of gamification? We also need to give constant feedback; little moments of constant affirmation.” He talks about how large organizations like IBM and PwC have ditched their annual performance reviews in favor of real-time feedback. “We need to be more agile with our millennials because they are the future.”

Despite the slow speed at which the public sector moves, be it with HR, procurement or market pay, the public sector will always attract good people because it’s an “awesome mission that people want to work for.”

Steven Hernandez, the public sector is lucky to have you. 

What’s Hot on Infosecurity Magazine?