
Balancing Policy, Technology, and Security: Expert Advice from Former Deputy Federal CIO Maria Roat - Part II


About This Episode

In this episode, hosts Rachael Lyon and Jonathan Knepher continue their enlightening conversation with Maria Roat, former US Deputy Federal Chief Information Officer and Small Business Administration CIO. Maria brings her extensive experience from both government and private sectors to the discussion, sharing practical advice for aspiring cybersecurity professionals, insights on how CIOs can tackle prioritization amidst endless cyber threats, and what it takes to foster sustained improvement in large organizations.

 

The conversation also explores the challenges of serving on diverse boards—from healthcare to cybersecurity consulting—and how Maria tailors her advocacy and expertise to each unique environment. She discusses the significance of mentorship in the field, sharing impactful stories and encouraging both mentors and mentees to connect and learn from one another. Additionally, Maria offers a glimpse into her personal journey, adventures, and passion for lifelong learning—whether it’s traveling the world or taking on a Spartan race with her family.


      Rachael Lyon:
      Welcome to To the Point cybersecurity podcast. Each week, join Jonathan Knepher and Rachael Lyon to explore the latest in global cybersecurity news, trending topics, and cyber industry initiatives impacting businesses, governments, and our way of life. Now let's get to the point.

      Rachael Lyon:
      Hello, everyone. Welcome to this week's episode of To the Point podcast. I'm Rachael Lyon here with my cohost, Jon Knepher. Today, I'm excited to welcome back our part two discussion with Maria Roat, a former US Deputy Federal Chief Information Officer and former CIO of the Small Business Administration. So without further ado, let's get to the point.

      Jonathan Knepher:
      Yeah. I I like that. And I think I I completely agree with you. Right? Like, the you you have to end up being sufficiently generalized to understand all the things around your specialty. But, like, taking that to the next level, like, tangible advice for people wanting to get into this field, like, what should aspiring cyber professionals be doing to best prepare to get into these roles, you know, both in the private sector as well as the government?

      Maria Roat:
      Yeah, I think that's a great question because I think in the private sector, right, you're hired for a specific job, right, to do a thing. And when you're hired in the government, you are gonna get some exposure to other things as well that you might not get if you're in a large organization in the private sector. You know? And and I think in the government, you know, they're probably better at, large organizational change. Right? We talked earlier about cybersecurity and policies and, like, the zero trust executive order from, you know, four years ago, the data strategy before that. And I think if you're working in the government, you're gonna have exposure to that large organizational change, where in the private sector, you might not as much. Because even as a junior person, you're gonna have things that impact your job when policies change. You might not be aware of it because your boss is gonna tell you do something if you're very junior or young. You might not know.

      Maria Roat:
      In the private sector, you were hired for a job, and it's gonna take time sometimes to to understand that if there's large organizational changes and things like that because you were hired to do a thing, and it's gonna take a little bit of time and maturity. I think it applies in both both government and the private sector. And because, you know, even as a cyber professional, right, the unique demands from the private sector and the government, some of it is not so unique. Right. I'll give you an example. Right. IP, right. Intellectual property, that intellectual capital, you know, both the private sector and the government has it.

      Maria Roat:
      It's in different scales and it's in different ways. As a cybersecurity professional, you need to think about the risk right assigned to that data. And and, you know, if it's a private entity, you may have intellectual property. What's the risk around it? Understanding that risk around that and the data. And in the federal government as an enterprise, there's huge amounts of data. So the risk levels assigned to that could vary and as cyber professionals both in the public and private sector. Right? If you're aspiring to work in either, you need to think about some of that as well as you're working through your job. It's not just, you know, I'm there to work in a security operations center, but what's the risk around some of the things that I'm protecting?

      Rachael Lyon:
      So coming back to kind of your your current role and your your consulting with CISOs and CIOs and you're kind of applying your vast experience. I'm just curious in the conversations you're having in terms of, you know, how CIOs need to be thinking about prioritizing, right, you know, cybersecurity, their infrastructure, particularly when there's so many competing priorities that are coming their way.

      Maria Roat:
      Yeah. It's that's a that's really hard because, you know, I said first one of the first thing I said when we were talking was about, you know, cybersecurity being, a team sport. Yes. Right? What should be prioritized besides everything? Right?

      Rachael Lyon:
      Right.

      Maria Roat:
      Right. Yeah. Yeah. Yeah. You're trying to prioritize everything around cybersecurity. Right? You're trying to do all the right things. And I think just making sure that you're chipping away at maturity over time that you're not stagnant. I mean, that's a very broad answer to your question.

      Maria Roat:
      But in today's environment, the threats are going to continue. The threats are going to come from third parties. The threats are gonna come from your insiders. And and the way you're gonna tackle some of this is just contain just continuous sustained improvement over time. So to your question about prioritizing, it's everything, but you can't you can't eat the elephant all at once. Right? You need to you need to chip away at that little by little and eat that little that elephant and bites at a time and understand that change comes from over time. So Yeah. That that priority around, you know, insider threat, third parties, supply chain, start putting all the foundation.

      Maria Roat:
      If you've not put the foundations in place and you're not building on it, you're way behind the way behind the the curve on on that. So the priority is everything, but you still have to serve whatever the the company is doing. Right? Their priorities, the mission in the federal government. What's the mission? Is you know, are the priorities changing? So it's it's definitely a lot to be a CIO and a cybersecurity professional as you're as you're trying to prioritize based on even what funding you have, right? If your funding levels change, if they get cut, what am I gonna do if I get increased funding? Can I accelerate some of these things to protect the protect the company to protect the agency? Right? And an understanding from your strategy, how can what are the priority items that I need to protect more so than the others? And that's a risk based approach on what to do first, second, third. And of those first things, not everything can be a priority, but what can you do first, second, and third?

      Rachael Lyon:
      It's because it could be overwhelming if you try to look at everything all at once. Right? Boiling the ocean was just

      Maria Roat:
      Yeah. You can't. And I've and I've seen folks try to do everything all at once, and you're just gonna have a hot mess. And you're just opening you're just opening yourself up to, you know, a vulnerability when you're trying to do everything all at once. You know, hit the low hanging fruit, right, where you know there's holes, you know where there's gaps. You know, hit that low hanging fruit and keep building on top of that.

      Rachael Lyon:
      It's just so tempting, though.

      Maria Roat:
      I know.

      Rachael Lyon:
      You see all the fires and you wanna put them all out at the same time, and you just can't.

      Maria Roat:
      And some of those fires take 12 steps.

      Rachael Lyon:
      Right.

      Maria Roat:
      And, you know, in that 12 step program, there's a step one and then a step two and a step three. So this comes back to, you know, eating that whole elephant. If it's 12 steps to get to that that whole elephant, you got you got to start somewhere. And I think, you know, I've seen paralysis by analysis and plans to plan. Don't do that. Oh, my goodness. I I will tell you that I have redlined plan to plans and sent them back because they were not helping me prioritize.

      Jonathan Knepher:
      So, Maria, I I see, you sit on several boards that are that are all quite distinct and different, Frederick Health, ManTech, and so on. How how does your cybersecurity advocacy different, differ across all of these different companies as well? Like, it's it's gotta be impressive to look at all these different, companies and all the different needs.

      Maria Roat:
      Yeah. You know, you mentioned, like, Frederick Health. I joined the board last fall, and, you know, bringing in a technology and cybersecurity background, you know, really asking some of the hard questions. You know, we talked about plans and strategies and and like that. So really bringing bringing in some of those informed questions because health care, I you know, it continues to be a vulnerable sector. We all know this. There's nothing surprising about that. Like Frederick Health, right? That health community, they deliver services versus being on, the board with ManTech, right? The Civilian Advisory Board, right? You're asking different questions.

      Maria Roat:
      Right? Being in the health care sector, understanding I worked with the health care space and DOD for Department of Navy in the nineties for a long time. I get the health. I get HIPAA. I understand patient data, all of those things. And when I'm working with, like, ManTech on their, federal civilian advisory board, the questions are different because they're providing services to the federal government, DOD, and the civilian and others. And a couple of small companies that I'm advising. Right? They have they may provide cybersecurity services. So there's a lens on how you're providing those services as well as how are you taking care of your internal, right company? You have your company to take care of, which oftentimes we don't get into a lot of with the boards, but it's but it is important.

      Maria Roat:
      Right? So so the roles I play on those from cybersecurity, my role differs, right? Working in the health, sector, right on the board, patient care, the hospital, the clinics, you know, all the things that they do very focused on that versus working for, on the board of, like, a contractor, a federal contractor where they're providing services, contracting services, perhaps are providing cybersecurity services to, the federal government. What's their strategy for providing services. So a little bit different lenses. It actually makes it kind of fun being that advocacy from both, you know, the health care sector as well as, you know, from from, where they deliver services to the federal government to small companies that are that are trying to get their feet under them to deliver services, right? Because they're gonna have internal as well. So it's actually kind of fun having, different lenses and being able to ask different levels and different types of questions in those.

      Rachael Lyon:
      It's like having kind of, like, a holistic view to Yeah. It is. All these areas. Yes.

      Maria Roat:
      It is. And and I think, you know, the the enterprise perspective, you know, working at different federal agencies, right? DoD for ten years at, you know, the TSA and FEMA and headquarters and USCIS as well as, you know, working at Department of Transportation, as a deputy federal CIO, and SBA. And all of those things gives me that nice enterprise view on how things connect.

      Maria Roat:
      And I think I bring that to the table from a cybersecurity perspective and understanding the connectedness between big programs, big offices between a hospital and its clinics or hospital and the services service providers or those third party entities, or the services that a company is providing to the federal government, stitching those things together. And I think bringing that that that holistic enterprise view and understanding the connectedness really helps on that advocacy on the board.

      Rachael Lyon:
      I I can only imagine. That's all the things that you've seen and and worked on is so impressive.

      Maria Roat:
      It's scary.

      Rachael Lyon:
      It really is. You know, and and I think what I what I love about your career too and and kind of your outlook is you've been a huge champion for mentorship. And I just think that is so important as we talk about all of these things as well. And, I actually have two part question for you on this one, because you've got such a wealth of knowledge and you know if someone wants to find a mentor, identify a mentor, you know, how should they go about that? But also, you know, say someone like yourself, right, wants to be a mentor, you know, it's is is there a pathway for, you know, kind of making yourself available to folks or, you know, how can you make yourself more available, right, to be able to share that knowledge?

      Maria Roat:
      You know, what I what I tell folks, don't be afraid to ask. Right? I've had, just over time, I'll give you an example. Right. I had somebody from ODU, right, down Old Dominion, down in Norfolk, Old Dominion University student there in their technology program. He sent me a note on LinkedIn and said, I would like to do a forty five minute, informational interview with me because I'm trying to learn and figure out what I want to do. I spent forty five minutes on the that is a form of mentorship. Right?

      Rachael Lyon:
      It is.

      Maria Roat:
      And and that's not the first time I've done it. I've met with others. And oftentimes, people just don't be afraid to ask. Right. Right? Even if if somebody is a senior executive and you just want forty five minutes of their time, they're open to it. I have done formal mentorship programs, you know, that are year long in nature, where, you know, you, you go into a program and you try to, you know, figure out who's the right fit for you. And you meet every month, every, you know, once a month. And so I've done some of those and I've done the formal ones.

      Maria Roat:
      I actually had one that I did formally for somebody who was, he very deep in engineering. Very deep. Super smart guy. I love this guy. He's super smart. I met him probably back in 2004. Really smart guy. But he got to a point in his career, he said, I need to move up, and I need to be able to work at the management level.

      Maria Roat:
      Can you help me? And so we actually, he asked me. And so we spent a year, once a month, we'd get together for lunch or dinner. He would have very specific questions set up ahead of time. And we stay in touch to this day. They were actually spot mentoring after that and says, hey, I've got some things coming up or I'm having an issue. I'm supervising and I've got questions. Right? Because he was a new supervisor. But to this day, I mean, twenty years later, we still keep in touch, not as much a mentoring program, but just, hey, how's it going? Or I'll see him pop up on LinkedIn and I'll say, hey, saw your article that you wrote.

      Maria Roat:
      Right? Who'd have thought this guy would do it do that. Right? Saw it. Great job. But I think the mentorship, people have to just ask. Right? And, and not everybody's comfortable with asking. So if you're a part of an organization and I'll put a plug in for like, ACT-IAC, right? AFCEA Bethesda and others, they have really good programs, centered around mentorship and meeting people, and that's a great way to start.

      Rachael Lyon:
      I love that. It's, you're right. It's it's hard to kind of put yourself out there and say, hey. You know, can you give me forty five minutes to someone who's so accomplished and no way would they ever have time for me to talk to me and but you're right. If you don't ask, then it's never going to to happen at all. And and if you need that person too, like an outside perspective, I think, an objective person to be able to have these kind of conversations with, so you don't necessarily have to out yourself at work. Right.

      Maria Roat:
      You know, and there are there are women like myself who've been CIOs, former CIOs in the federal government, long careers, both in private sector, that, like myself, they will not turn down a request to say, hey, I just wanna talk to you. You know, maybe lunch isn't an option, right? Everybody's busy or in your different parts of the country. You have a wide ranging audience on your podcast. Right? So so why not just have a a thirty minute or a forty five minute conversation? There's there's no reason to ask. And if and if and like I said, a lot of the the mentees that I've had have been mad.

      Rachael Lyon:
      Interesting. Yes. Yep.

      Jonathan Knepher:
      Yeah. I think that's great advice too. Because, like, I remember when I was, you know, starting out, in industry, I I would have been horrified and afraid to to ask for that level of help.

      Maria Roat:
      So I

      Jonathan Knepher:
      think that's it's great advice.

      Maria Roat:
      You and me you and me both. I never had a formal mentor in my career, and it was always informal because I I'm very much an introvert, and I watch people and I listen and very much. And but sometimes I wish I had somebody that I could just bounce ideas off of in a neutral environment. Yep.

      Jonathan Knepher:
      Yeah. So, I mean, your experience here has been so broad, military, state government, sports, all of these board positions as well. What are some of the biggest lessons that you've been able to take between all of these different, areas?

      Maria Roat:
      You know, that's that's a great question. I think it's it's, you know, continuous learning, I think, is so important. And even as I sit on the boards listening, paying attention, asking questions,

      Rachael Lyon:
      You know,

      Maria Roat:
      you said you said sports around cyber experience. Right? In sports. Right? I play soccer every Friday night. I've been playing since 2007, indoor and outdoor. Right? Love it. And I meet people through sports. Right? I just did, you know, the biggest lessons in talking to people. I just did a session for a bunch of high schoolers in their tech program, which is kind of fun.

      Jonathan Knepher:
      That's awesome.

      Maria Roat:
      So so through sports and meeting people, you know, my biggest takeaway, hey, cool. There's the next generation of young people. I'm not gonna call them kids, the next generation of young people and trying to relate to them on their on their level. So lessons for me is how to talk to high schoolers. Right? I'm I'm a long way from high school, but sharing those experience in terms and and how meeting them where they are. So I think that's one of the lessons is meeting people where they are as well because I'm talking to high schoolers. I'm talking to people young in their career, but meeting meeting people again, continuing to meet people through the military through, you know, even my soccer team.

      Maria Roat:
      Right. Doing this thing last fall with the high schoolers was a blast. And through the boards and being open to conversation and in sharing and being open to questions.

      Rachael Lyon:
      You know, Maria, when, you know, we talk all this and and I always think this way when we have our conversations, like, I feel there's a book in here. Where's the book? When's the book coming? Because you've just got so much great, you know, knowledge or perspective to share. Somebody could really benefit from.

      Maria Roat:
      I I don't know where that would start. I don't I've had so many I don't know. You know, you're not the first person who said that. I I will tell you that. But I just I don't, I always think, do I have that much to write about? I don't I think you do.

      Jonathan Knepher:
      Yeah. I I have to agree. I think you do.

      Maria Roat:
      There's a lot of stories and some that are only good over a cocktail. You know? I got a lot of those. I don't know if I'd write some of those down.

      Rachael Lyon:
      Well, I'm here for it. When you're when you're ready to publish, let me know. I'm I'm here for it. I'll go right to Amazon. So you've as posted. You've as posted. So anything else exciting come up? I mean, you said that you just got back from this amazing trip, Madagascar, Seychelles.

      Maria Roat:
      Yeah. South Africa. Got some hiking in. I, I'm I'm actually, enjoying spending some time. I have a new granddaughter. She's seven months old, and I have two grandnieces that are three and one, and I am having a blast with them. So a little bit on the personal side. And I also when I went to South, when I went to South Africa, I will tell you that that was my last, continent when I said that on there.

      Maria Roat:
      Yes. Yes. Yep. I went to New Zealand and Australia back in January and I've been on a roll this year traveling and landed in South Africa and, was there for, what, several days and ticked off on my last my last continent. Super excited about that. That is so cool.

      Rachael Lyon:
      So then what do you do after that?

      Maria Roat:
      I know. Then it's like, okay. You know, I'd hit all the continents. Okay. Now what am I really interested in going?

      Rachael Lyon:
      Yeah. I don't know. Do you do ultra marathons? I was following this fellow on TikTok doing a 300 mile ultra marathon, but I mean, they they were able to do it. I could see you doing that as well.

      Maria Roat:
      Oh. You know? I will tell you that I have done, Spartan races. Oh, cool. Yeah. I have done the obstacle, the OCRs, the obstacle course races. I have done Spartan races. And I am, a kind of a little bit of lull because of the pandemic. Yep.

      Maria Roat:
      I did one right after the pandemic, and then, I kind of fell off the training wagon a little. My mom, we had a little incident with my mom, she was sick for a little bit and I am back on the training wagon and I may be doing another one, another race in August. So another Spartan race coming up. Yep. And I do that with my kids, with my daughters. Yeah.

      Rachael Lyon:
      So

      Maria Roat:
      this one in August, I think will be with my oldest. The first time I'll tell you the first time we did a Spartan race, I kicked butt at all the obstacles because I worked it. I studied them. I studied the techniques, watched all the YouTube, did all of that. They did not. So I can say I kick butt and beat them on the obstacles.

      Rachael Lyon:
      That's so funny. It's that rise of American Ninja Warrior a little bit. Right?

      Maria Roat:
      Exactly.

      Rachael Lyon:
      Study the they're kinda tricky, but if you study it, it could be it could be accomplished.

      Maria Roat:
      We need the we need the old people, the older, you know, the the older people version of American Ninja Warrior. That would be fine.

      Rachael Lyon:
      Exactly. Because there'd be some people showing up really strong too. It's Yes. What we know about health and and fitness these days, you know,

      Maria Roat:
      watch out. There'd be a lot.

      Rachael Lyon:
      Yep. %. Oh, Maria, it's been so wonderful having you back. This has been such a fun conversation.

      Maria Roat:
      Oh, it's great seeing you both. This is wonderful.

      Rachael Lyon:
      Same. Same. And and again, to all of our listeners out there, thank you so much for joining us, again this week with another amazing guest. And, you know, there's there's this thing we like you to do every week if you could. You could smash. Right, Jonathan? Smash?

      Jonathan Knepher:
      Smash the subscribe button.

      Rachael Lyon:
      Or gingerly do so. Whatever your preference is. So, until next time, everybody. Stay safe.

       

      About Our Guest


      Maria Roat, Former US Deputy Federal Chief Information Officer

      Maria A. Roat is a distinguished technology leader with over 35 years of experience in information technology across both the public and private sectors. She was appointed Deputy Federal Chief Information Officer in May 2020, bringing a wealth of expertise in digital transformation and enterprise IT strategy.

      Prior to this role, Ms. Roat served as Chief Information Officer at the U.S. Small Business Administration (2016–2020), where she spearheaded the agency’s digital transformation. Under her leadership, the SBA evolved into a forward-thinking, service-oriented organization, better equipped to meet the technology needs of its program offices and support small businesses and entrepreneurs nationwide.

      Earlier, she was the Chief Technology Officer at the U.S. Department of Transportation, where she led the department’s technical vision and innovation strategy, aligning technology growth with mission-critical activities.

      Ms. Roat also spent a decade at the Department of Homeland Security, holding several key leadership roles including Director of the Federal Risk and Authorization Management Program (FedRAMP), Deputy CIO at FEMA, Chief of Staff to the DHS CIO, and CISO at USCIS. She also played a pivotal role in TSA’s Secure Flight Program as Deputy Director of Technology Development.

      Before her federal service, Ms. Roat worked in the private sector for five years, managing global enterprise network systems and leading Network and Security Operations Centers.

      Her early career included roles with the Navy Medical Information Management Command and other Navy Commands, focusing on global network management, engineering, and IT operations.

      Ms. Roat retired from the U.S. Navy in 2007 after 26 years of active duty and reserve service, achieving the rank of Master Chief Petty Officer, Information Systems Technician. Her leadership roles included serving as Command Master Chief for both the Reserve Intelligence Area Washington and the Center for Navy Leadership Mid-Atlantic.

      She is a graduate of the University of Maryland (UMUC), the Harvard Business School Executive Education Program for Leadership Development, and the Navy Senior Enlisted Academy.

       

      Check out Maria's LinkedIn