
Balancing Policy, Technology, and Security: Expert Advice from Former Deputy Federal CIO Maria Roat - Part I


Podcast

About This Episode

In this week’s episode, hosts Rachael Lyon and Jonathan Knepher are once again joined by the remarkable Maria Roat, former US Deputy Federal Chief Information Officer and past CIO of the Small Business Administration. With over three decades of experience in federal IT and cybersecurity leadership, Maria shares an insider’s view on how organizations can remain vigilant amid the waves of change, such as leadership transitions and evolving cyberattack tactics. 

Tune in as Maria recounts real-world challenges, such as handling phishing attacks during critical moments and fostering a culture of cyber awareness, even when the threat isn’t headline news. She also offers invaluable advice on building resilient, long-term cybersecurity strategies that endure through policy changes and emphasizes the critical role of communication for both technology professionals and leaders. Whether you’re in the public or private sector, considering a career in cybersecurity, or seeking strategies for small business protection, this episode is packed with practical insights and candid discussion.


      Rachael Lyon:
      Hello, everyone. Welcome to this week's episode of To the Point podcast. I'm Rachael Lyon here with my cohost, John Knepher. Good morning, John.

      Jonathan Knepher:
      Good morning, Rachael.

      Rachael Lyon:
      How are you? Happy Friday for our listeners. We record on Fridays.

      Jonathan Knepher:
      Yes. Indeed. It's a great Friday today, and looking forward to the weekend.

      Rachael Lyon:
      I bet. Because you're in San Diego, so the weather's gonna be perfect.

      Jonathan Knepher:
      Always perfect.

      Rachael Lyon:
      Yeah. Always perfect. I'm so jealous. So jealous. Well, I'm excite I'm so excited for today's conversation. Welcome back for the third time Maria Roat. She's former US deputy federal chief information officer, and former CIO of the Small Business Administration. She's got more than three decades of experience driving enterprise scale digital transformation within federal government.

      Rachael Lyon:
      So awesome. So awesome your whole premier journey. I'm I'm so excited to get to pick back up again, Maria. Welcome.

      Maria Roat:
      Oh, god. So happy to be here again, Rachael. And, John, good to see you again here in rainy Maryland and wondering if my, soccer game's gonna get called tonight if there's thunderstorms.

      Rachael Lyon:
      Oh, it's wonderful. I'm I'm in Texas, and, you know, we're already approaching, you know, the the really high nearing triple digits. So I'm I'm a little jealous of these activities right now. So, John, do you wanna kick us off today?

       

      [01:42] Navigating Administration Changes and Surge in Cyberattacks

      Jonathan Knepher:
      Yeah. So, Maria, I wanted to start off by asking you, you know, when when there's a lot of change and and things going on, you know, we we tend to see a lot of cyberattacks pick up. And, you know, I I seem to remember that shortly after, you had changes at the SBA, your office suffered one as well. Can you can you discuss how this was handled and, what things you learned from the experience?

      Maria Roat:
      Yeah. You know what? It's always interesting. Every administration change because you've got so many new people coming in. Right? New administrators, new department heads, new chiefs of staff, new political leadership just across the board. And and that's an opportunity, right? People are updating their websites and they're putting the names and, you know, some of it allows for or spoofing. Right? Right off the bat, you're going to see you're going to see spoofing. Right? So the Small Business Administration, certainly, you know, it's it's essentially a bank with billions of dollars in loans and loan guarantees. And we saw an uptick in attacks against the agency and the entire federal government.

      Maria Roat:
      Did, you know, any administration change? You're you're prepared for it. You see it. I know I remember one that we had right at the beginning of, '20 this was 2017. And, I remember it specifically because the emails the spoofed emails started coming in the night of the Fed one hundred. So if you're familiar with the the fed one hundred, you know, that's the federal prom. And I was I had just gotten there. My phone started ringing. It says, hey.

      Maria Roat:
      We got a problem. Right? So I I remember that. That was in, in 2017. The spoofs that came in at that point were not very good. They were they were definitely using Gmail. But what it told us was that we picked up on it very quickly, very early, and my team saw stuff coming in. But it, it definitely caught the attention of the front office because they were not prepared for, oh, I've only been in the job a week or two weeks. And why am I getting attacked? Right.

      Maria Roat:
      Getting spoofed. And, and it was, you know, coming in from Gmail and different accounts and things like that. And and, you know, part of it was, you know, my team saw it, had it come in. They knew what to do. They were prepared for it. You know, we got the email alerts and everything. But on the flip side, you know, the front office was, you know, a lot of times folks get in panic. Oh my god.

      Maria Roat:
      This is happening. And, you know, a lot of us been there, done that. We're like, yep. We'll address it, making sure it's blocked. Here's what you do. Don't answer, you know, all of those kind of things. And what we also did was just double down on the training, for not just the incoming folks, but the entire staff saying, okay. This is happening.

      Maria Roat:
      And that increased awareness because we also have follow on phishing, phishing that that was coming into some of our HR folks for bank account information for the politicals. Right? Hey. I need to change my bank routing number. I'm on the road. I'm traveling or I'm in a meeting, you know, would be the setup for the HR person and the HR person's thinking, oh, chief of staff. Yeah. They're busy. They don't have time to deal with this.

      Maria Roat:
      And in one instance, there was about seven or eight email exchanges that went back and forth between the HR person and and, you know, whoever was doing the phishing. Right? So the bad actor that was going on before she went, you know, something doesn't sound right. Mhmm. But the fact that it got to seven or eight emails, that was a big flag for us as well that not only did we double down, we had to continually reinforce, phishing because the bad actors, it's as simple as that. You know, people talk about the big things, you know, through supply chain and stuff like that, but some of this starts so, so small, you know, and we we constantly saw DDoS attacks, you know, throughout the pandemic. Every time we launched a new portal or a new loan program, you know, new application, something came up. So it was it was really it was constant, but specifically during any administration change because there are people leaving and people coming in and a lot's being updated. You you really have to stay vigilant.

      Rachael Lyon:
      I can only imagine. Right? It's the times of uncertainty. Right? And Yep. Yeah. It just creates these little cracks of opportunity to to take advantage of.

      Maria Roat:
      Yep. It's

      Rachael Lyon:
      it's crazy. And, you know, I guess on that same thing, you know, how do you you know, you've been through this a bit, right, when there's an administration change. You know, how do you ensure that long term cybersecurity initiatives can stay in place, stay consistent, or keep moving forward?

      Maria Roat:
      Yeah. You know, that's a that's a great question because every administration, whenever you have change or turnovers, whether it's an election or what have you, right, you know, continually reinforce. Right? Cybersecurity is a team sport. Bad actors are not going away. You know that, and I know that. They're not, they're not going away regardless of what changes are happening in an administration or the government or industry, it's just gonna continue. And and really, when everything's going well and there haven't been any major breaches, think about it. You don't hear about cybersecurity.

      Maria Roat:
      It's in the background. Yet the minute something bad happens, it brings it brings cybersecurity back front and center. So I think that's important to your question about the long term cybersecurity initiatives, right? While we're funding all this, is it working and how do you know about that it's working, right? Because CIOs and CISOs, they have to be diligent about the tools. Right? They're using to monitor and manage their environment. Too many tools, too much overlap. You're gonna miss something. You're gonna have unknown gaps, not enough tools. You're gonna have a gap.

      Maria Roat:
      And, you know, I know my team over time, they were able to leverage cloud based, you know, a b AI, cyber SIEM tools. Right? Security information, event management solutions for the sheer volume of events. And and they tuned it based on our needs. But that long term cybersecurity initiatives, you have to stay stay vigilant on that and communicate, you know, not be silent when things are being good. Right? Communicate. Here's what we blocked. Here's what we see. Here's the trends we're doing.

      Maria Roat:
      And having, like, one thing that's important, I think, you know, going to this long term strategy is adding your CIOs and your CISOs, you know, one or the other to overarching enterprise risk management boards. This goes for the private sector and public sector. You have risk management boards for organization. And I think for that long term, for that board, you have to tell them, here's what's going on. Here's what we're blocking. Here's what we're seeing and continuing to address any of those those long term gaps. And and I I really wanna put a plug in, for you guys, really, that those attacks are not just coming from the outside bad actors, but also the insider threat. Right? Why do we need a threat hunting? This goes to long term strategy.

      Maria Roat:
      Right? When I was and I'll use the SBA for an example. Right? It's a bank. Right? The I had a threat hunt team. It was only two or three people at any time, but I got reports every week focused on the financial sector with an analysis. And that analysis in turn helped me when I went to the risk management board to make sure that we were continuing getting funding, that we were implementing, maturing our environment, all of those things. And that, you know, it was I'll tell you one story. Our threat hunting, during the pandemic, they identified out on a Reddit forum where, where folks were sharing sensitive documents. Right? We hired 5,000 people.

      Maria Roat:
      They went through the initial, you know, wants and warrants basic security checks, but they are taking pictures of slides, posting it on Reddit. This is why cybersecurity is important. Now my threat hunt team were pretty smart people, and 95% of the things they could trace back to somebody sent an email from a work account to their personal account. We could follow that thread. Right? They use their government phone and they posted it and and, you know, people really weren't thinking. Right? But, you know, for things like posting on Reddit, the example I used in in other forums, the threat hunting was really forward leaning and looking out there to make sure that the information didn't get out. So it's not just telling me about it. It was informing me so that I could go to, you know, the front office, the risk management board, you know, other entities to help make sure that the long term you know, our initiatives to mature the organization, we were continuing to get funding.

      Maria Roat:
      It was maintaining visibility. So the onus was on me to make sure the visibility was there. Absolutely. Yes. It's fun times.

       

      [10:41] Balancing Policy Directives, Budgets, and Security Goals

      Jonathan Knepher:
      So I I like your comments about making sure you get right all of the the stakeholders and, involved in the risk. How does that lead to kind of coming up with the balance? Right? Because we're we're always under pressure as technology folks to to do the latest urgent thing, whether that's a policy directive, whether it's a new technology or some other business goal. But we can't let the security lapse. How do you find the balance?

      Maria Roat:
      You know, that's really hard, and you have to be, you know I think you have to be smart about your your tools and what you're what you're using, making sure that you have a holistic, security capability. Right? The days of the hard outer shell, soft crunchy interior, those are long gone. Right? Those days are long gone. So you so you do have to balance. Right? There's gonna be going to be requirements. Right? You know, in the federal government, there's policies that come down. A lot of times those don't come with funding and you have to figure out, okay, it's the right thing to do. We're going to implement, for example, zero trust strategies across the federal government.

      Maria Roat:
      Right? So when I was the deputy federal CIO, the executive order around zero trust went out, you know, making sure that those initiatives from the agencies, did they have the funding that they needed? Right. And what does it take for you know, because funding comes essentially from Congress and the appropriators. Right? So you're getting money from the appropriators. Sometimes it's targeted. Sometimes it's not. You know, there is some leeway at OMB on how to prioritize that funding for the agencies. But those policy directives don't always come with funding. But it does provide the model that says, okay, agencies, you've got a bucket of money for cybersecurity already.

      Maria Roat:
      Here's how we want you to direct it. Right? You're you're going to have, like, the when you ask the question, right, that long term infrastructure modernization efforts, the policies help shape how directionally you're going to use that money in really, direct it, like I said, right? Because even as, as you know, cybersecurity across the federal government, it's definitely complex, right? Definitely vulnerable, advanced cybersecurity adversaries, right? All of those bad actors, they're going to use AI and machine learning. And if that policy directive is laid out appropriately in that, you know, here's the maturity you should be following and making sure that you're getting ahead of this because it's not a one and done that you can continue to use AI and machine learning internally to to address the sophistication of attacks that zero day in really responding to that threat landscape. So the policy directives oftentimes just give you that framework and say directionally, here's how I want you to spend your money on cybersecurity so that that long term, you know, modernization around infrastructure security, all of those things continue to happen. So it's not just cybersecurity is not taking a backbench.

      Rachael Lyon:
      Agreed. Yeah. That's and that's a kind of an interesting segue because you mentioned AI. Right? And and so there's, you know, using AI for security, but also the exponential growth of output of data, input of data, and the AI systems. Right? And and so kind of thinking about today's very dynamic and where's it going landscape, what are what's the cybersecurity baseline that, you know, organizations should be trying to align with today, you know, be critical infrastructure, government, private sector. I mean, it's there's so much going on right now, Gloria. How to how to keep up. Right?

      Maria Roat:
      Yes. Yeah. You said, what's the current baseline? Is there a baseline? Let me ask you that question. Right? Because you have to you have to continually fortify. Right? And and those technologies, technologies are gonna involve AI is gonna get better. And and, you know, you know, is there a baseline? Right. Right. But I still think that having a strong strategy around, you know, zero trust, continually maturing, you know, cyber posture, whether you're in the federal space, public or private sector, you know, And I've seen, you know, a lot where the private sector, they align with, you know, the NIST guidelines, like, from the 853 to zero trust recommendation and incorporating that into their best practices.

      Maria Roat:
      I'm sitting on the on some boards. And when I'm starting to ask some of those detailed questions about their alignment, right, what do they use? That's what I'm hearing. Right? Coming back with the NIST guidelines or, you know, FedRAMP has some standards for right? Has the standards for what cybersecurity is in the cloud. Well, we look at those. They're looking at those controls, those NIST guidelines and what FedRAMP is doing as well. So I think that's that's a positive for the federal government. The pot you know, the private sector is using a lot of that. But I also think that, you know, when you ask about the current baseline, you know, I think it brings to mind the supply chain, Right? Continues to be a risk across the board.

      Maria Roat:
      Right? What's that baseline for organization? And, how are they managing, you know, third party vendors? This is in the public and private sector with your connections. Right? There's a whole risk around supply chain, third party vendors. Right. And and I think that's just is important incorporating into that baseline. Right. With the controls and the zero trust recommendations that holistically you're including, you know, stuff like that. Right. And all of those controls.

      Maria Roat:
      So, it's it's really it's interesting because what I've seen in some instances in the private sector that the private sector doesn't always incorporate security requirements into some of their contracts. Right? With the federal government, I mentioned supply chain. Right? Some agencies and departments have very specific. Right? This comes to policy. Thou shall, you know, do cyber, you know, supply chain risk management. And it's in contracts about that. And I'm not always seeing that on the private sector where there's requirements around that. I see, MOUs between, like, private sector entities and maybe their third party.

      Maria Roat:
      Well, that you know, it's a piece of paper. It's as good as the paper it's written on. And, you know, some of the things I ask about back to your baseline, how are you testing and checking that it's not just, you know, paperware, right, that it's shelfware. So I think that that baseline is a great question for the public and the private sector. And I think sometimes the private sector can learn from the government in that you just don't have an agreement with industry or a third party or a contract. You put the language in there, and not only do you put the language in there, you check and you test the controls. Right? And you make sure that you're doing, you know, all of those things, that it's not just a piece of paper that somebody signed. It's trust but verify, not just trust that somebody signed it.

      Maria Roat:
      I think that's a risk.

       

      [17:50] Private vs. Public Sector: Strategic Differences and Gaps

      Rachael Lyon:
      That's that's a good point. It's why do you think that, I mean, because government, perhaps because of how it's run or regulations, building it into contracts is is a must do. But why not why is it private sector doing more of that?

      Maria Roat:
      Great question. You know, I've I've seen that sitting on some boards where I've asked those questions. Well, you had a third party. What does it look like? You know, I had a briefing a couple of weeks ago from a security company. They've done an assessment of somebody. And and some of the questions that came to mind were exactly these. Right? Great. You checked that there was you know, they're like a third party assessor almost.

      Maria Roat:
      Well, okay. You checked the piece of paper, but did you run the vulnerability scans? Did you make sure the patching was happening? Did you do all of these things? So yeah. Yeah. I'm not sure that that across the board, it's consistent. In the federal government, a policy goes out, and they try to raise all the boats across the federal government. Right? Raise everybody together. You don't see that consistently in the in the private sector, and small businesses continue to be a a big risk.

      Jonathan Knepher:
      Do you do you see that kind of as an overall difference on the on the priorities and kind of pace of cybersecurity between the government and the private sector? Like, is it is it profound?

      Maria Roat:
      I don't know about profound. You know, I I'm seeing where the government oftentimes is more organized around having strategies and then executing those strategies over several years. I I don't see that as much sometimes in the private sector, you know, for even medium sized entities. You know, I'm not talking about some of the largest, but even some of the medium sized entities, there's still a little bit of a fire fire aim while we're doing all these things, but without regard for a longer term, where are you headed to address the bigger picture on that?

      Rachael Lyon:
      So I just have a fun question to just backtrack a little bit. So what is the most eye opening thing for you moving from public sector government, you know, and now you you run your own company, you're a consultant. And, I mean, what have been the kind of the interesting moments you're like, wow. Wow. This could have been more different or, you know, these these are surprisingly similar in a way I didn't expect.

      Maria Roat:
      You know what? Given all the bad press for the federal government and what I see in the private sector, I this goes back to what we were just talking about. Right? The strategy is not being in place. Right? As a board member, right, I'm focused on strategy, those long term investments, yet I've got, you know, decades of experience where strategy and tactical. Right? I was way in the weeds in operations and engineering. Right? So I'm not, you know, that in the weeds, but it informs the questions I ask. Right? My experience of doing all that really informs those questions on strategy and where the long term investments are going. So when I'm when I'm sitting on some of these boards and folks are saying, well, we had a cyber and security incident maybe before I got there. And here's the things we're doing.

      Maria Roat:
      We're we're putting in this and we're doing this, and we might do that. And I asked, what's your strategy? And I think there's a gap there. That's that's what I'm seeing. And I'm also, learning and getting more data about how vulnerable small businesses are. I mentioned this a minute ago about small businesses. You know, they still have you know, they're not always taking advantage of of even some of the free tools that, a lot of the cloud providers provide when you look at the big ones. Right? The AWS and the Microsoft and Google. They have tools for small businesses for their for their cybersecurity.

      Maria Roat:
      You know, CISA had a lot that they put out. At the SBA. There were things that we put out online, and they're not taking advantage of it. And working with small businesses, you're still providing personal information, oftentimes, or nonprofits. Right? You got your name and your address. And if it's a nonprofit that you're contributing to, next thing you know, they might have your credit card information. And and I I think there's a gaping hole in the in the some of those nonprofits and small businesses that are I'm not talking about the ones that can afford, you know, some things, but those smaller ones that are, you know, even if they're a couple million, 5 million and less where they still have gaps. So some of the things that I'm seeing are centered around that.

      Maria Roat:
      And when you have 40,000,000 small businesses in the country, you go, wait a minute. Right? But, again, it's it's having some of the strategy for the big midsize, you know, those mid tier and some of the big companies. And then, those small companies, really, there's a lot of, a lot of gaps in cybersecurity there. You know? Everybody's using the same first word. It's just basic stuff. But, again, it's I if you had to ask me one entity, I think in the private sector, probably those mid tier companies, you know, as they're transitioning from small to mid size, they're not big yet. They're not making the profits to be able to invest. That's where I'm seeing, that's where I was a little bit maybe I shouldn't be surprised, but I'm seeing some of the challenges around around around those mid tier as well.

      Rachael Lyon:
      Interesting. It's I mean, just a sidebar. I was so surprised at how many free resources there really are available, you know, for for small businesses and toolkits. And it's is it just a lack of awareness, a lack of people resources, or kind of a combination of of all of the above?

      Maria Roat:
      You know, it's, there's a nonprofit that I'm working with. Right? So, full disclosure. And they they help small they're trying to help small businesses. Right? They'll do a a little assessment. Right? Basic assessment. Right? Are you sharing passwords? Is your server up underneath? Are you taking advantage of cloud? Very basic stuff. But those small entities, those nonprofits and the small businesses also have to want to do it. Right? Even when the resources are free, they're busy running their business, and they're like, I don't have time for that.

      Maria Roat:
      And so I to your question, I think I see I see that a lot. I don't have the cybersecurity thing. I don't I don't have time for that.

      Rachael Lyon:
      Why would anyone target us? We're just,

      Maria Roat:
      we're just we're just little. And in fact, you know, 40 ish small, small businesses across the country that are in the science there in the medical fields, they're doing the innovation, they're creating new things. Oh, my goodness. Think about the intellectual property, the idea around this. It's it's it's, when the resources are free, sometimes you gotta take a minute. And how do you convince those small businesses they need to take a minute sometimes?

      Jonathan Knepher:
      Yeah. I think a lot of them don't even know they need to be looking, right, until something's happened. And

      Maria Roat:
      Or they don't know Yeah. That something's happened.

      Jonathan Knepher:
      Exactly. Yeah.

      Maria Roat:
      That's how

      Jonathan Knepher:
      their bank account shows

      Maria Roat:
      Yeah. Exactly. Exactly.

       

      [25:03] The Changing Skill Set: What the Cyber Workforce Needs Now

      Jonathan Knepher:
      So so what's what skills, are required for for folks entering this field, in order to basically help all all levels of of organizations?

      Maria Roat:
      Yeah. You know what? When you look at cybersecurity, it just it runs the gamut, right, from, you know, everything from compliance to very technical to understanding AI. It just data, all all of those things. But I think around, specifically around the soft skills, the ability to communicate is not going away verbally and in writing. You may work in a SOC. Right? So I had a threat hunt team that was part of my security operations. And if you're preparing a threat report for the CIO or the front office, you need to write in a way that the information can be communicated very clearly without deep technical jargon. Right? I might get it as the CIO, but if I have to share that and the intent is to share that with somebody else in leadership, the the cyber folks need to understand.

      Maria Roat:
      And and they're also gonna be sitting at a table right during a briefing. I brought people with me when I was doing briefing that were very, technically deep in certain areas, depending on what I was briefing. And then they're gonna sit on the back bench. And if a question comes up, I am not gonna make things up. I'm gonna turn to the person who's the smartest person who knows the very specific details, and I'm gonna ask them. And I think it's important that those verbal skills are are practiced as well. Right? You just don't know when you're gonna get the the boss is gonna ask you a question and you're gonna have to respond, and you can't sit there and go, or, you have to speak up with authority that you know what you're talking about and what happened and speak concisely and and, you know, directly. Right? You have to be prepared to provide the context.

      Maria Roat:
      So I think that that verbal and written communications are certainly, not going away, whether you're in tech. I don't care what field you're in. Right? It's it's you need that, and you have to be able to listen, in here and pay attention. Even if you're on the backbench during a briefing or something, you can't be sitting there working on and not paying attention because somebody's gonna turn to you and ask you a question. Right? Tune in on those Zoom calls. I know those Teams calls. Right? But I think, you know, on the technical side, you know, you're going to have folks that are very deep in operations or data or AI, all of those skills, understanding, you know, the bits and bytes and the ones and the zeros and really understanding how data moves and how traffic moves and all of those things within your organization, all of that lends itself to a good cybersecurity expert over time, especially if you want to be, you know, move into being an architect. Right.

      Maria Roat:
      You know, you you need to understand all of that. And and if you're going to do something like architecture, you also have to be in tune. Comes back to the soft skills of how the organization operates, whether it's private sector or the government. Right? How that business functions and operates so that as you're developing an architecture, it meets the needs of the organization, too. So I think those soft skills, I just the communication, verbal writing, and being able to listen and learn and ask ask good questions is is super important.

      Rachael Lyon:
      Speaking of communication, how how fluid is you know, people who wanna get in the cyber industry or move around in the cyber industry, where are you seeing opportunities today? Right? And and help people, you know, discover these opportunities because it it changes. Right? You know, as the years go on, opportunities, skills, all of those things are different, but, you know, also how are they different in the private, right, and the government sectors, and and how can folks identify these opportunities to pursue them?

      Maria Roat:
      Yeah. I think regardless of the public or private sector, I think the opportunities are the same. Right? If you're coming out of college, you know, coming out of the military, you have some skills. Right? Think about how you can apply those. You know, somebody might come out of college and say, I wanna be, you know, a security architect. Well, you're not gonna walk in the door day one. Right? Proof you're a cyber you're you're a security expert. You know, that's not gonna happen.

      Maria Roat:
      And you need to understand that some of this takes time and learning, you know, you're going to learn stuff out of a book in college and you could be super smart and you could be a great coder, but there's a whole lot more in the environment that you need to learn and you need to be exposed to. So I think the opportunities for cybersecurity folks, even coming out of the college or the military, you know, a job may not be perfect or be the right fit. Hopefully it's, you know, if you're coming in on the ground floor, be open to taking on a job that's different than what you expect, right, in the technology field because you're going to learn from that, apply what you learned and then move on to something else. Lord knows in my experience, I never had the same job twice in tech. I've always done different things, but it's always been in tech and cyber field. So be open to not doing the same thing. I'm a coder, and I'm gonna stay a coder. And my coding is gonna lend itself to cybersecurity because I'm gonna be able to crawl code and I'm gonna know where the problems are and

      Rachael Lyon:
      Right.

      Maria Roat:
      Okay, that's good. Or, you know, if you understand data, if you really understand data in cybersecurity, think about AI and the trends and events. And if you like to do research, think about, you know, I talked about being on a threat hunt team. Right? If you understand the nature of threats, you can take that expertise. And if you like to dig in and do research, you're gonna be really good digging around, you know, the web, you know, and I'm not even talking about the dark web, right? Just digging around the Internet and the forums and the different areas in social media and being able to key in and be able to find where, you know, that insider threat. The example I use. Right. And that's where some of that research expertise comes in.

      Maria Roat:
      So, I mean, there's a lot of opportunities. People have to be open to understanding that their data expertise or their operations expertise has a play in so many different jobs in cybersecurity. It's much just like you're an IT professional. Well, okay. Do you work on networks? Do you work on, you know, operations? Are you, what, you know, are you a router expert? I don't, whatever that might be. There's just so much out there. And I think the opportunities are about being open to it. Remember what I said about stepping outside your own comfort zone, get uncomfortable, right? Get comfortable being uncomfortable sometimes. Step outside of your comfort zone and work on a job that's a little different than what you expected.

      Maria Roat:
      You're gonna take something away with it from it regardless.

      Rachael Lyon:
      Yeah. And it's once the kind of move forward with courage and confidence is something I've been hearing a lot of, you know, in very different places with signposts. But right.

      Maria Roat:
      You're like, I know the job. Be confident, own it, and just go.

      Rachael Lyon:
      Exactly. Exactly. Yes. And for today, everyone, we're gonna call it a wrap. We're having such a great conversation with Maria Roat today. We are gonna pick back up next week for part two. You don't wanna miss it. So until next time, everyone, stay safe.

       

      About Our Guest

      Maria Roat, Former US Deputy Federal Chief Information Officer

      Maria A. Roat is a distinguished technology leader with over 35 years of experience in information technology across both the public and private sectors. She was appointed Deputy Federal Chief Information Officer in May 2020, bringing a wealth of expertise in digital transformation and enterprise IT strategy.

      Prior to this role, Ms. Roat served as Chief Information Officer at the U.S. Small Business Administration (2016–2020), where she spearheaded the agency’s digital transformation. Under her leadership, the SBA evolved into a forward-thinking, service-oriented organization, better equipped to meet the technology needs of its program offices and support small businesses and entrepreneurs nationwide.

      Earlier, she was the Chief Technology Officer at the U.S. Department of Transportation, where she led the department’s technical vision and innovation strategy, aligning technology growth with mission-critical activities.

      Ms. Roat also spent a decade at the Department of Homeland Security, holding several key leadership roles including Director of the Federal Risk and Authorization Management Program (FedRAMP), Deputy CIO at FEMA, Chief of Staff to the DHS CIO, and CISO at USCIS. She also played a pivotal role in TSA’s Secure Flight Program as Deputy Director of Technology Development.

      Before her federal service, Ms. Roat worked in the private sector for five years, managing global enterprise network systems and leading Network and Security Operations Centers.

      Her early career included roles with the Navy Medical Information Management Command and other Navy Commands, focusing on global network management, engineering, and IT operations.

      Ms. Roat retired from the U.S. Navy in 2007 after 26 years of active duty and reserve service, achieving the rank of Master Chief Petty Officer, Information Systems Technician. Her leadership roles included serving as Command Master Chief for both the Reserve Intelligence Area Washington and the Center for Navy Leadership Mid-Atlantic.

      She is a graduate of the University of Maryland (UMUC), the Harvard Business School Executive Education Program for Leadership Development, and the Navy Senior Enlisted Academy.

       

      Check out Maria's LinkedIn