Hey everyone, welcome to episode 142 of the Civil Engineering Podcast. This is the first podcast that's dedicated to helping civil engineering professionals succeed in working life, and I'm happy to be with you again after an 18-month work hiatus. For those that don't know who I am, I am Chris Knudsen. I'm a professional and chartered civil engineer and a program and project management professional, and I used to do a lot of these podcasts, took about 18 months off and focused on work-related issues. But Anthony was nice enough to let me come back into doing podcasts. I'm excited to be back here with you again, especially in this current time that we find ourselves in. As this episode was recorded here in the early part of April 2020, we find ourselves worldwide in this COVID-19 response. The podcast today is going to be with a gentleman named Jonathan Hart, who's the president and CEO of H2L Solutions, and they specialize in cyber and information security. The reason I brought him on to the podcast was to have a conversation with him around what we can do as engineering professionals, and also in our engineering firms, to make sure that our cyber and information security measures are shored up and ready to deal with this new normal that we find ourselves in, which is working from home. He's going to unpack for us a number of tips, a number of things that each of us can do as individuals while we're working from our home offices, as well as what engineering firms need to be thinking about for cyber and IT security, which my guess is most engineering firms are doing, but nonetheless, this would be really good information for you to listen to anyway, just so you can understand and say, hey, yep, we are or we're not. So I think you're going to find a lot of useful information that he's going to share with you. You're also going to get exposed to a couple of things related specifically to US federal government contracts if you're involved in that arena as well. 
So anyway, I think you're going to really find it to be useful information at the time that we find ourselves operating in right now. Let me read a little bit about who Jonathan is, so you understand what his background is, to put a little bit of context around it, and then we'll get into the conversation. Jonathan is a sought-after speaker in cybersecurity and has presented at a number of major conferences and other events on the issue of cyber and information security. A lot of it is around compliance with the US federal government's Defense Federal Acquisition Regulation Supplement, or DFARS, and then the new cybersecurity maturity model, and he unpacks both of those for us in the conversation today. He's been an information and technology security professional since 2008. Prior to founding his company, H2L, he served as a cybersecurity engineer in the defense industry. He was also in the Alabama National Guard. He did that for 12 years, and during that time graduated from the Infantry Officer Basic Course, Ranger School and Airborne School, and did a combat tour in Iraq as an individual officer. He is active in a lot of civil and community service organizations, and he also holds a business management degree from the University of Alabama. He continues to have a strong relationship with that university. Again, he is very, very knowledgeable and willing to share what he knows about cyber and information security. I think you're going to find this conversation highly useful and highly relevant, especially in the time that we find ourselves in, but then also for operations as we go into the new normal. So with that, let's dive into today's conversation with Jonathan.

All right, now it's time for our civil engineering conversation. Jonathan, welcome to the Civil Engineering Podcast. How are you doing?

I'm doing well, Chris. Thank you so much for having me. 
It's a pleasure to actually see you in real life.

Yeah, well, the next best thing to real life, right? This is the new world that we live in, the new normal of virtual teleconferencing. For everybody that's listening, Jonathan and I met virtually almost, gosh, it's been just a little over two years ago. I think we did that first webinar for the Society of American Military Engineers, wasn't it?

Yeah, yeah, about two years ago.

Yep. And then we just did another one last month. And then we thought that, given the fact that even a month ago, as we record this episode of the podcast, it was literally about a month ago, really early March, and that was before any of us really had a good understanding of what was coming at us with quarantines and work-from-home notices and whatnot. So all of us pretty much across the globe, and anyone who's probably listening to this, have been forced into this new reality of virtual meetings and virtual teleconferencing. And Jonathan, because of your deep background in cybersecurity, I thought it'd be great to get you on the podcast, and we'll have a conversation around some of the things that individuals who aren't used to working from home in this kind of virtual environment need to be thinking about. And then for the engineering companies that are out there, managers and CEOs, some of the things that they need to be thinking about as well, that maybe their IT heads may not be picking up on. So let's just jump into this. I've got a number of questions, because of course, interestingly enough, as we record the podcast and the video segment, which those of our viewers who are watching this on YouTube may or may not know, we're doing it off of Zoom, which has taken a little bit of flak here recently in the press. 
I think, given the fact that a lot of folks now have moved into using different types of video teleconferencing systems like this and email systems, I'd kind of be interested to hear from you: what are some of the key cybersecurity considerations that home workers really need to be thinking about?

Right. So, you know, the first thing that we always said, when this first happened, we ourselves at H2L Solutions had to set up our firewall-as-a-service solution and make sure that all of our employees, now that they're working at home, connected through the VPN to the H2L Solutions firewall with their work laptops, and did not just connect through their home internet and their home Wi-Fi to do government and H2L Solutions work. So that's probably the biggest thing. Hopefully most companies have a firewall that has VPN access, or they have a firewall as a service in the cloud where they can connect to, so it will holistically protect that internet connection whenever they're doing work at home. That's probably one of the biggest things: making sure you have a secure connection to the internet that goes back to your company's internet source and is actually protected and monitored by your security personnel.

Okay. All right. So VPN, important. I think most engineering firms that are out there have that system. Let's say for independent consultants that are out there, certainly not asking you to plug any one given source, but I would presume that there's a number of different VPN offers or providers that are out there that independent consultants might want to consider if they haven't already done it.

Right. There are, and you can go and, you know, if you just Google those, I would highly advise you Google those, look for reviews, look for reputable VPNs. 
Sometimes, you know, you're not sure what you're getting, because some of those are free. Right. I would say there's always something fishy about a free VPN. You might want to look at something that you have to actually buy. That way they're not selling your information. They're not tracking your connection and what you're going through and sending through the internet. That being said, if you are an independent consultant, since the times have kind of changed right now, you could reach out to your top client that you're working with and just ask if they could give you VPN access through their infrastructure's firewall, their company's firewall. And that way, not only does the entity that you're supporting the majority of your time feel better about your connection, it solves the problem for the other companies that you'll be working for as well.

That's a really great idea. That's a really good idea about how you might be able to work around that one. I know that I've got, just for my home work, a VPN. I'm sitting here looking at the screen in front of me. I can see I've got my VPN up and running, and I've got the work computer over to the right here, and that's going through a VPN as well. So that seems to be the new normal. I'd be curious to hear, Jonathan, are there any other actions that an individual may want to be thinking about to shore up their home cybersecurity defenses beyond a VPN? Or do you think that is kind of the biggest one?

Yeah, the VPN is the biggest one. When we're working at home, making sure you're connected to your company's network, because most of the security resources are within your company's infrastructure, or should be within your company's infrastructure already if you're supporting the defense industrial base and DoD systems. And so it's going to be monitored. 
And it's going to be watched for malicious activity, whether it be ransomware, phishing attempts, malware, things like that. And so that's the number one, at least from our perspective at H2L Solutions. That's our number one recommendation. Make sure that you are connecting to your company's VPN. Make sure that you're connected through your company's VPN on your phone as well. And that will reduce the threat platform a lot.

Okay, all right, those are all good tips. I mean, these are the ones that I remember reading about, and you hear about them almost every year. For a couple of the clients that I work for on the US government side, we've got to go through and do their annual cybersecurity computer-based training, and this is stuff that always comes up, phishing emails and things like that. Now all of this stuff becomes even ultra more important, since all of us are relying on our home and our business computer systems back in our residence.

And here's another point. You know, I think that this pandemic is horrible, and it's really opened the eyes of a lot of people. When I say that specifically, there was a huge push from the government to make sure that their defense industrial base, their contractors, their suppliers, were at a certain threshold of cybersecurity posture, right?

Yep.

And that was pushed back on by industry. Industry didn't want to do that. They said, you know, it's too hard to do, it's going to cost too much money. But the government, the Department of Defense, didn't give up, and they slowly made progress. 
As we saw with DFARS 7012, and now as we're seeing with CMMC, since most of those companies did follow suit, and most of those companies did actually implement those security standards, now they can give their workers VPN access at home, and not only do their company CEOs and CTOs understand the importance, but also the workforce understands the importance of why they need to make sure that they're connected through their VPN in order to protect the work they're doing for that company.

Yeah, that's a good point. And for those individuals that are out there that are working for engineering firms, especially back in the United States, who maybe don't work on US government federal work, you know, maybe you're working in the transportation market or you're working in the water market or something like that, but you don't actually do federal work: if your company does federal work, they're going to have all of those different protocols in place, even if you're not even involved in it. So you may be oblivious to it, but those systems are still there, and that's one of the reasons why you're being affected by that. I want to move away maybe for a moment from the individual and move to the company perspective, for engineering managers that are out there in different engineering companies, AE companies. So we've talked about individual responsibilities and things we need to be thinking about. Are there things that company managers need to be thinking about with regard to additional items or activities that they may want to take, to make sure that their staff in this new remote environment is going to be up to scratch when it comes to the cybersecurity side of the house?

So a lot of their staff is working at home. And that's, you know, a good thing. 
So going back, as long as their staff are connected to the VPN, their staff are doing what they're supposed to be doing at home, that's great. But from a company perspective, within the entity itself, we need to understand that the A&E world is new. When I say new, it's new to this 7012 and CMMC program that is being pushed. I want to say new is probably, you know, SAME didn't really get it until about two years ago. And then they created a group inside of SAME that decided to address this for all the A&E firms, because you have problems with subcontractors. A&E firms and construction companies use so many subcontractors, and these cybersecurity requirements flow down to those subcontractors. And so it became a huge kind of pyramid, where one prime would get this in their contract and now every single subcontractor underneath them would have to be compliant as well. And sometimes you're talking about mom-and-pop shops. So the biggest thing that I've seen is a lot of A&E firms actually changing the way that they're sharing their information. You'd have to share the design drawings, the documents, things like that, with your other subcontractors. Well, sometimes they would just shoot those in an email, or create an unprotected shared drive that everyone could access. And then no one's really monitoring that information and who's taking it, and where is it being left, whether you're giving it to unreliable sources or untrustworthy sources. What we're seeing now, when we're teaming up with these other A&E firms, is that they're actually giving us access-controlled sharing drives, and their file and data sharing compartments are actually password protected, being monitored by the A&E firms, making sure that if you take that, there's a reason as to why. 
In some cases, those firms are actually redacting information that is not needed for certain subcontractors, which is helping the whole objective of this program that the government is pushing out, which is protecting our information and not just giving it out freely to everyone.

Yeah, that's a good point. Now, some of our listeners, and there could be a good number of them, may not be familiar with what you were just talking about, CMMC and some of the other items. Can you just take a few minutes and kind of explain for the listeners what that program is? Because again, even myself, I wasn't fully aware of what it really all was until probably about a year ago, and hence the reason we had you come back on about a month ago and give that presentation. It's constantly changing. And again, a lot of folks may not even be aware of what it is, but I think that there's a little bit of importance in it for everyone, again, especially in the new environment that we're in.

Well, I will say, before I jump into that real quick, Chris, this CMMC program, which stands for Cybersecurity Maturity Model Certification, is going to kind of be the de facto standard, not only for the Department of Defense supply chain, but eventually, once it goes into the FAR, the federal supply chain. And so if you're just an A&E firm doing DoD work for USACE or NAVFAC, right now you're going to be hit by CMMC. If you're an A&E firm that's doing work for, say, the Department of the Interior or a different federal agency, you might not get it yet, but you are going to get it eventually. I'd also like to bring up the fact that the CMMC program is new, but the guts of it are not new. The guts of it have been out there since 2013. 
And so real quick, basically in 2013, in the DFARS, the Defense Federal Acquisition Regulation Supplement, what was added was DFARS clause 252.204-7012, which was protecting and safeguarding covered defense information. Basically, what that was saying is, DoD contractors, if you're going to do work with the government, you have to implement these security standards in order to do work with us. That has since morphed, and I could talk for two hours, but I'm going to do the accelerated version, from 2013 until what we have now, which is called the CMMC program, and it's actually become a third-party certification program. There are five different levels that your company can get certified at, and it's going to be based on what type of work you want to go after. And when I say what type of work you're going to go after, it really depends on what kind of information the government wants you to protect, and that will determine what level your company needs to be certified at. I think at level one there's 17 security controls you have to implement within your company's infrastructure. Level two, I think there's 40-something security controls that you have to implement in your IT infrastructure. Level three, there's 130-something that you have to implement within your infrastructure. And then levels four and five, I think the total number is 200-something controls. That might be off a little bit, might be more than that. But basically, it's all published out there. You can research it, you can go to the CMMC website, you can see version 1.0, you can see all the different ratings, well, not rating structures, but the different security controls that they, they being the Department of Defense, are asking the contractors to implement within their infrastructures in order to get that certification. 
There is a not-for-profit accreditation body or board that has been set up that is now going to create the standards of evaluation for those companies. It's going to monitor the third-party certification companies that are going to come out and actually do those certifications for your company. And we should see all of that officially start in the October timeframe of 2020.

Okay, all right, wow. And again, like you mentioned, all of this information is out on the internet, so folks can go out there, and for listeners out there, we'll make sure that we have the links in the show notes so you can go get access and read up on this CMMC. I think the key from what Jonathan just shared with us is that, again, even if you're not doing work for the Department of Defense, AE, architectural engineering or construction work for the Department of Defense, eventually your company, if you're doing work for the Bureau of Land Management or Indian Affairs or the Forestry Department or something completely unrelated, is going to be affected by this. And I will say, as a project manager and program manager in an AE firm that's doing work on US federal projects, you absolutely have to have an understanding of the IT and the cybersecurity aspects, because they're important. You've got to have them there, because it's going to come up as part of the flow-down terms and conditions of the contract, and if you're not fit for purpose and your supply chain isn't, you're going to be in violation of those terms and conditions, and that can cause you all kinds of grief and problems going forward. 
Jonathan, thanks a lot for that rundown. Again, you're an absolute expert on this stuff, and we'll get to a point where we can share some information on how people can get connected with you, but I appreciate the additional information on that one. So, you know, we were talking just before we started recording this, everyone, about the fact that as we record this, we're now in this new environment. I don't want to say new normal, but I can pretty much guarantee that whatever life was like prior to this, it's not going to go back to the same going forward. I think a lot of people are realizing that with this work-from-home environment, maybe some firms are deciding that, hey, maybe we don't have to have as many people in the office any longer; we can start looking at trying to get people out in a way. Jonathan, I'd be curious if you have any thoughts about, as we look to the future, I know a lot of people right now as we record this are fixated on the here and now, but there is a future out there. Things are going to happen and they're going to move along. I'd be curious to hear your thoughts about where you see the IT industry going, specifically with regard to home working, businesses and the cyber aspects, or the things that you think are going to be changing as we come out the other side of this and go into whatever that new normal is going to look like.

Right. Well, I'll speak specifically to the cybersecurity industry, because obviously I own a cybersecurity company. I can tell you what we've seen thus far and how we've actually changed how we're working, and it's actually effective. 
You know, we do a lot of third-party assessments for DoD companies, and we would usually always go onsite, sit there onsite, do the questionnaires, do the assessment, go to the workstations, execute that with the client onsite and meet the client and shake their hands, old school, you know, before the pandemic happened, normal business operations, right? And since the quarantine and the shelter-in-place and the social distancing stuff has taken effect, we've had to change the way we do our business. It took a little bit of learning, but we now do all of our assessments virtually. We'll set up within Zoom or another means of communication and we'll walk through the same things that we had been doing face to face, but virtually, and we've developed our questionnaires and things like that, and we'll give them to the customer prior to the actual assessment starting. What we've seen is that we actually have more time on our end to do a better job from a virtual perspective than when we're actually onsite. So if this new normal doesn't pan out and it actually goes back to the old way, we might actually try to take some of the lessons learned that we've instilled and take those forward. I do think that the world is going to be a more aware place on how these things can affect everybody from a work perspective. And so I think that you will see some people coming out with some different inventions or ways and means of executing work that were not normal before this actually happened.

Yeah, that's a good point. 
And I think, you know, it's one that, especially from the productivity standpoint, a lot of people now, especially if they weren't used to working from home, are discovering exactly how efficient maybe they were when they were actually in the office with all kinds of opportunities for distractions. And like you said, just even traveling to the job site, especially if you're in a consultancy piece of the business like yourself, and even for architectural engineers, if you're on the consultancy side, not maybe the construction side, where you're used to doing charrettes and face-to-face meetings, those are gone now. So I know even on the AE side, the company that I'm with, we're looking at starting to explore other ways we can do charrettes better, but do them virtually and still be able to move projects forward, even though we're not able to all collectively come together. So it will be interesting to see what comes out of this in 12 months' time, 18 months, and where we are. But I think for those that are out there, not that either you or I are probably able to prognosticate too much, I would be willing to say that all the firms that are out there need to be thinking about this as it goes forward, that this isn't just a once-and-done; it's probably something to be planning for in the foreseeable future. So Jonathan, we're kind of coming up here towards the end of the main segment of the show. I do have one more important question, which is really, I think, probably the more important one for you. How can people get connected with you and learn more about what you're doing yourself and then your company, H2L Solutions? How can they get with you?

Right. So you can always go to our website, www.h2lsolutions.com. From there, you can go to our LinkedIn or Facebook pages. Our LinkedIn page is very active. We have a very good following on LinkedIn. 
You can also email me at Jonathan.hart at h2lsolutions.com. I'd love to help out any way possible, and I can go into more detail on any kind of cybersecurity needs that anyone might want to know about.

Okay, great. I appreciate that. Thanks, Jonathan. We'll make sure we have all those details in the show notes for today's show, and people will be able to get out there and get in touch with you. And I will vouch for Jonathan. He does mean it. Again, in my work that I do with the Society of American Military Engineers, we've had Jonathan on a couple of times to do webinars for our people, and I will tell you that of the webinars that I've run through that organization, the ones that you've done have been the ones that have had the most people listening to them. So the AEC industry, at least through SAME, is listening. There's a lot of good information that's out there, and I'm glad you could make it with us on the show here today. So stick around. We'll be right back.

I hope you are enjoying this episode of the Civil Engineering Podcast, which is produced by the Engineering Management Institute. Please be sure to subscribe to our YouTube channel here for more podcast episodes and for all of our Engineering Manager 8020 shorts videos that we publish weekly, where we interview successful engineering managers. Now it's time to jump into our Civil Engineering Hot Seat segment.

All right. Now it's time for the CE Hot Seat segment. Jonathan, you're back. We're going to go at this here. You've got three questions I'm going to toss at you. We didn't prep these in advance, so it's going to be fun. These are always fun, to see what kind of answers we get back and make you think here for the day. So the first question that I'm going to throw at you is, and this is probably really important now that we're in this quarantine thing and all of us are living at home and not able to go outside, I'd be curious to know, do you have any specific rituals that you practice each day? 
So for instance, this could be like, you get up in the morning and meditate. You do PT every morning at the same time. Things that you do consistently each day because you've identified that as, hey, if I don't do this, I'm off my game. My level of performance isn't where it should be.

You know, I used to wake up and do eight minutes of meditation. I would read and then go to work, and this was before I owned my company. Now I wake up and I immediately check my email and dive straight into it, and answer all my emails, answer all my social media responses, before I go into work. But some of the things I actually do that I quite enjoy, other than being a slave to work, which is fun, by the way, being your own boss is amazing: I do make, like, walking sticks and Harry Potter wands and things like that. Really, really intricate, detailed. And it's just fun. It's very relaxing.

All right. That's great. Outstanding. Maybe you should get back into meditating again. So give that a crack.

I should. No, I really should. I've been actually thinking about that very, very, very, very much.

So yeah, this is great. I will say that, at least from my side, the whole quarantine thing and the work from home, no travel, it's almost like a time to reset and go, okay, let's clean out the, you know, do the spring cleaning here and start over again. All right. Second question, the deuce. What's one book that you would recommend to others that you've read that had a major impact on you? And what was that impact?

Oh, the book. So I'll go back to my all-time favorite book, which is The Pillars of the Earth by Ken Follett. It is not a business book by any means, but the impact on me, it kind of opened up my eyes to just how imaginative writers can be. This is the first book that I ever read where I could not put it down. I literally could not put it down. I read it in a few days. 
I'd stay up till like four or five in the morning reading it. I just got absorbed in the story, his writing style. And it really kind of opened my eyes up, because I used to hate reading before that. I really did. And I just found it on my grandfather's shelf one day when I was, like, 13 or 14. Ken Follett actually is a very graphic writer. He's an amazing writer. But there are a couple of scenes in there, you know, between two people. So I told my grandfather I was reading it. He took it and, with a black magic marker, marked out all of that, these little redactions. But that is an amazing book. If no one's read it, I highly recommend it during this time where we're all separated and, kind of like you're saying, resetting. Sometimes it's really good to unplug from the business world, and sometimes it's really, really healthy to just engage in something that's relaxing that you like to do. So if you like to read, I would highly suggest that you get a book by Ken Follett. He's an amazing writer. And I believe he lives in the United Kingdom, if I'm not mistaken. I could be wrong about that, but I'm pretty sure he is.

All right. Well, that's good. I appreciate that. That's always good. We'll add that to the list, over the years, of all the different books that get recommended. I bet that one's not on there. I guarantee you that it's probably not on there. So, all right. I've got one more question for you. This is the final question. It's the critical civil engineering career advice question. And that is, if you got into an elevator with a civil engineer, or with just someone else, and you were going to give them 30 to 40 seconds of professional advice on lessons that you've learned, especially in the business realm that you're in, what would be that piece of advice that you'd share with that person on that elevator ride? 
So I would say, always be open to learning new things and never judge anyone. Like, what goes around comes around. When I started H2L Solutions, I didn't know anything. And so I was always in learning mode. I'm still in learning mode, and I'll never burn a connection. Always be willing to help people. Even when I didn't have anything, when I first started, always be willing to help. But another thing, if it was a civil engineer on there, and they wanted to be an awesome, amazing civil engineer, I'd also say, go learn a little bit about cybersecurity, and especially industrial control system cyber. Become knowledgeable on that, because that is hot right now. And that's a huge need within this country, for our power grids, our water, everything. And if you, as a civil engineer, understand cybersecurity and can link engineering with your cybersecurity capabilities, the world is your, paint your picture or whatever. I mean, you've got it made. You really do.

All right. That's really useful advice. And especially in this new realm that we find ourselves in, where all the good and the bad of the cybersecurity world that's around us is coming out to bear. So Jonathan, thanks a lot. Those were great answers. We put you on the hot seat. We came out the other side. I appreciate it. Those were good inputs. Thanks, everyone, for being with us today. I really hope you enjoyed it. Listeners, you can connect with Anthony and myself through the website. You can also find the show notes from today's show at civilengineeringpodcast.com. You're going to find all the resources there under the episode. You'll be able to find the links that were discussed, plus some additional links we didn't discuss. We'll put those in there, as well as the books and all the other key points from today's episode. Please go check that out. And until the next time, I wish you all the best in your civil engineering career. Thanks, Jonathan.

Thanks, Chris. 
I hope you enjoyed this episode of the Civil Engineering podcast on YouTube produced by the Engineering Management Institute. We're always looking for new ways to help engineers become effective managers and leaders. You can view all of our content on our website at engineeringmanagementinstitute.org and be sure to subscribe to our YouTube channel here for our weekly videos. Until next time, please continue to engineer your own success.