With more than a decade as an intelligence and special signals analyst in the U.S. Navy, Aaron Barr spent a significant amount of time learning how systems worked and discovering he had a knack for figuring things out. After he got out of the Navy in 2001, he entered the booming IT market. Knowing he wanted to focus more on IT security, Barr took a position at Northrop Grumman TASC, where he started out conducting vulnerability assessments and penetration tests, as well as teaching the early version of the company’s CyberWarrior course. After moving from Colorado to Washington, D.C., mostly for the career possibilities, Barr was offered a technical director position managing the technical strategy and execution for one of Northrop’s cybersecurity business units, which was “an opportunity I couldn’t pass up,” he told TNNI. After a year, he decided to try something he had always been curious about and transitioned into the small-business side and currently serves as CEO of HBGary Federal.
TheNewNewInternet: Can you tell me a little bit more about your background?
Aaron Barr: I moved out here and really started to get involved less on the program and customer side and more on the overall strategy side. Both from a customer-government perspective, as well as a corporate perspective on how do we build strategy and business around cybersecurity? And then as a nation with all the different programs that were under my business unit, what can we leverage as a company to help out what was and remains a very problematic field. I got picked up a few years ago to be the chief engineer for the Northrop Grumman cyber campaign. I was developing the technical strategy related to cybersecurity for the entire corporation. That was quite a challenge, but it was also an amazing opportunity. A company as large as Northrop Grumman, it gave me an amazing understanding of what all of its capabilities were as well as the capabilities of the nation. It’s probably to some people’s surprise; Northrop Grumman didn’t even know what all it had. So, understanding all the different capabilities, bringing those together, trying to organize those into an offering was interesting and challenging. One of the outcomes of that campaign was we realized in order to be effective, especially in a field as challenging and complex as cyber, we need to put as much of the company’s cyber capabilities into one place as possible. Around that same time, Northrop reorganized and that is exactly what happened. During the reorganization, I took the opportunity to get back into the line and took a position as the technical director for the cyber and SIGINT business unit, which is where most of the cyber work ended up. It was in that position that I got a firm understanding of the nation’s incident response and network defense capabilities. The impression I was left with after sitting at many of the national CERTs and SOCs was one of unease. I remained in that position for about a year, and then I realized I wasn’t getting any younger. I’d always had an itch to try the small-business side and work in a more fluid, less process-oriented environment that had a lot of technical innovation, and so I decided to give it a try. I’d known Greg Hoglund, the CEO of HBGary Inc., for a number of years. I’d actually used his company on a number of programs as a subcontractor. I’d known of his talents and capability and his company’s talents and capabilities, so I talked to Greg and he had been wanting to open up a service business for a while, so it all just worked out. Good timing.
TNNI: What are some of your current duties?
Barr: Current duties entail growing a cybersecurity services organization. We’re fairly focused as I have come to understand small companies need to be. We are focused on incident response, threat intelligence, and information operations. What I like to call the mind, the shield, and sword. My charter, job duties right now, leveraging the experience and contacts that I have at a national level and building out a pipeline and set of resources to succeed in this market.
TNNI: What are some of the greatest challenges you’ve experienced in your current position?
Barr: Greatest challenges … there’s so many. Coming from a large integrator, I default to thinking strategically. And now that I’m the CEO of a small company, it’s really being able to take that experience and execute tactically, growing that business in those areas that I mentioned. Those are certainly challenge areas for me. But it’s a good fit for me. Even as a manager, I have always been technical, so I can bring that capability, along with my strategic view and develop tactical, point solutions to help satisfy some of the larger challenges.
TNNI: There has been a lot of talk about the need for skilled cybersecurity professionals. How does your company recruit top talent?
Barr: A couple of different ways. Top talent, in my experience, tends to drive itself downward. And what I mean by that is the best talent usually finds itself in small companies. We have an advantage there for a couple of different reasons. One, if you’re really good, you can usually cut yourself a pretty good deal inside small companies, get maybe a small equity share, maybe the salary and the flexibility and the lifestyle that you want. That’s harder for larger companies to offer and provide. Another advantage we have is that I came into a company that already has existing name recognition, both in Greg Hoglund, who is very well known in the cybersecurity world and malware analysis and forensic world, as well as the company itself and the products that it develops. So, when I go to deliver services, or when I talk to customers, or business partners to deliver, or to provide service offerings, typically most of them already recognize us and respect what we’ve done. Lastly, having worked in a senior position at the second-largest defense contractor in the U.S., I know a lot of people in the defense space.
TNNI: How would you describe your company? What’s the culture like?
Barr: It’s pretty flat, mostly because it’s pretty small. We all have ownership in business development right now, program execution. Because we are a small company, we’re fairly close. We go out and we do things together, we socialize together, so it’s a really good working environment and one which I really enjoy, again having come from a larger company where some of those types of things are a challenge. It is all about delivering capability at this level, everything shapes around that goal.
TNNI: What is your advice for up-and-coming cyber professionals?
Barr: Roll your sleeves up and get your hands dirty. In this field, you learn most by doing, even by tinkering. Certainly, if you are serious about it, go to an advanced school for a computer degree, look at certifications. But in computer security, there is no substitute for experience. Also, try to get exposure to different fields. This is a complex field as well, and often the biggest vulnerabilities lie at the intersecting points of technology. You need to be able to connect with how security operations work and how it fits inside organizations, business and government operations.
TNNI: What’s something most people would be surprised to learn about you?
Barr: Before I went for a master’s degree in computer security, I was going for a master’s degree in mycology, which is the study of mushrooms.
TNNI: What made you change your mind?
Barr: I wanted to go for an advanced science degree and my bachelor’s is in field biology. The reason I was going for a degree in mycology is because it’s a fascinating field. It’s an investigation. There are over 3,000 species of mushrooms, they’re not like trees, they are always in the same place every time, each species of mushroom requires a different set of environmental conditions to reproduce. And what I quickly found out was that computer security as similarities, in that it’s a hunt, an investigation, it’s a challenge. There is something new all the time.