From Law Enforcement Officer to Chief Information Security Officer

The Cybersecurity Readiness Podcast Series

Feb 1 2023 • 33 mins

In this episode, Brian Penders, Chief Information Security Officer, at the University of North Carolina Chapel Hill Medical School, shares his exciting but challenging journey from working as an engineering lab technician in the US nuclear submarine to being a law enforcement officer with the Vermont State Police and then gravitating to his current role of Chief Information Security Officer at a major academic institution. He sheds light on the principles driving the high-reliability organizational culture in the US Nuclear Navy Propulsion Program and how those experiences influenced and shaped his growth as a cybersecurity leader.


Time Stamps

02:24 — Take us behind the scenes and share some highlights. What were the drivers? What were the motivators? What can listeners take away from your experience?

09:02 -- Let me first focus on that high-reliability, organizational culture that was established in the US nuclear Navy, and you have lived in that culture. Share a bit about what it is like and what could be some takeaways that are relatable or applicable in the world of cybersecurity governance?

16:08 — Are there any unique challenges that a medical school faces compared to the other units? And if so, how do you go about dealing with them?

19:34 — Research finds that in general, organizations don't do a very good job of rehearsing their incident response plan, sometimes they don't even have a good plan in place. Brian, as a practitioner, what's feasible and what's ideal?

21:36 — Is it fair to assume that institutions are rehearsing how to recover from a ransomware attack?

22:20 -- Is this rehearsal of proactively or reactively, responding to ransomware attacks, taking place at only certain levels, and not at all organizational levels?

23:48 -- So moving on to cybersecurity governance, best practices, there are several out there, would you like to highlight a few that you are really big on?

27:03 -- What's the reality around passwordless authentication?

28:58 -- I'd like to give you the opportunity to share some final thoughts with the listeners.


Memorable Brian Penders Quotes/Statements

"The Navy taught me how to learn, and that was more valuable to me at the time than anything I learned about nuclear engineering."

"Incident response is really a great way to learn the environment and build partnerships across an organization."

"The Navy taught me how to learn. The way admiral Rickover thought through individuals gaining technical knowledge was really amazing. It was based on if you could not draw and explain something to a group of experts sufficiently, then you are not going to move forward."

"If I had 30 seconds with a group, I would tell them to keep their software updated."

"We need to get out of the business of the shared secret. Passwordless authentication is the new and up-and-coming defense to credential theft."

"We have found that folks from liberal arts and humanities can be extremely valuable to supplement and sometimes lead our cybersecurity teams. I'm generalizing, but they're good problem-solvers. They're able to see the big picture, and they're excellent communicators, all amazing skills."


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: