During the second semester of my freshman year at Old Dominion University, I distinctly remembering entering the doors to “Principles of Financial Accounting” and questioning my decision to enter college as a business analytics major. For the majority of my time in school, I had struggled with math, and while I never saw myself as someone who couldn’t find a solution to a problem, I for the first time in my academic career truly doubted myself. It was that spring while meeting with my advisor at the time, that I expressed an interest in switching my major, a decision I was prepared to make without a plan or even an idea as to what was next. Something about the way my advisor read the word “cybersecurity” instantly hooked me, and without any understanding of what was ahead, the journey I would be taking, the classes I would be faced with completing, or what lie beyond graduation, I officially switched my major to cybersecurity.
Despite my success throughout a multitude of challenging computer science, cybersecurity, and criminology courses, I entered my junior year assessing my progress on degreeworks, and despite my progress I still viewed the internship portion of my capstone with little excitement. While I greatly enjoyed my progress with cybersecurity, as well as the topics I had learned and skills I developed, I remained unsure about how my degree translated into the field as a whole. I had been consistently told by relatives, professors, and classmates; “with cybersecurity, you can get a job anywhere,” yet I still did not know what I would be doing. When I finally decided to bite the bullet and pursue my internship opportunities, I remained hopeful while simultaneously battling with an inner doubt that despite my success with my studies, I would lack the tools to succeed within a business environment. I had always enjoyed the theory part of cybersecurity the most, whether that be cybersecurity, criminology, or cybercrime as part of my minor, however, I was hesitant to expect to use these exact skills in the field due to the abstract nature of their performance. After weeks of combing through Handshake, I was surprised to come across an internship opportunity working as a research assistant for LightGrid LLC, a discovery that caught me off guard due to it seeming like the exact opportunity I was looking for. Upon applying, I immediately was plagued with a sense of self-doubt as I was sure I would not be chosen for what I believed to be the perfect internship opportunity. My fears while understandable to a certain degree, were proven obsolete when I was, to my surprise, selected only a few weeks after applying.
Upon being selected, I was overjoyed, immediately scrambling to both make solid first impressions while setting myself up mentally for success. It was at this point I learned of the remote aspect of the internship, an addition I believed would only help me thrive due to the comfortable environment I could build for myself. During the first week, I learned during my onboarding process that I would be named a “cyber futures intern,” a position which involved the research and development of cybersecurity policies. My interest in the theory of cybersecurity seemed to be finding the light of day within a real business setting, a feeling that left me overjoyed. While I was confident in my abilities to research specific cybersecurity topics, I was unsure of how I would handle the development and implementation of specific policies, leaving me with instead of anxiety, a sense of excitement as I knew this was something I could learn and accomplish. To some, policy development and implementation is nothing but words on paper, rules they have to follow. To me, I found the field I enjoyed most within a classroom setting, one that relied on ideas and communication opposed to technicalities and code, I felt hopeful.
LightGrid LLC, founded in 2010, is a HUBZone certified small business working to solve unique data management and telecommunication issues throughout government adjacent and government specific operations. While the strong connection to government projects still thrives within the company, the ISO 9001:2015 certification displays their reliability when it comes to data management customer satisfaction. LightGrid, as described as an SBA certified business, operates within a range often overlooked by larger cybersecurity data management corporations, nestled comfortably in a field of small businesses often left ignored. The contract nature of LightGrid allows them to excel within technology innovation consultation services, whether that be through future technology development and implementation, cybersecurity policy application, data management techniques, or management services designed to oversee larger projects and assist with fundamental goals.
My time with LightGrid started quickly as my onboarding and training happened online over the period of a week. To my surprise, the position I was now filling allowed me to work directly under the CTO of LightGrid, Alan Sekelsky, a cybersecurity and telecommunications expert with enough experience to leave me speechless. This opportunity was one I approached with both an open mind, and open arms, as I immediately understood that by joining this team, I now worked alongside someone I could look up to as a mentor opposed to a boss. Upon meeting Alan I was greeted by a warm embrace of knowledge, someone who loved what they do while wanting to share it with others. Questions I had were answered tenfold, ideas I had were not only listened to, but built on and further discussed, but above all else, I felt like a member of a team rather than an employee.
It immediately became clear that the members of Alan’s intern team: another student from ODU, Alison Dellinger, and myself, were brought on to directly assist Alan with the development and implementation of a cybersecurity policy that covered the soon-to-be mandated CMMCv2.0 cybersecurity framework; a framework of policies developed to ensure that government adjacent partners are authorized to handle and distribute Controlled Unclassified Information. While the task seemed daunting, Alan assured us that the team would function as described, without unnecessary competition or individual goals. Alan made it clear from the very first meeting that his management style aligned more with a co-worker than a boss. I have rarely had a question unanswered, or an idea not discussed either through email, Microsoft Teams chat, or during a meeting. Our effectiveness as a team immediately reflected his opening statements, as the three of us understood the challenges ahead but knew we had our team at our back. Furthermore, I found success in myself as I quickly adapted to new environments, ideas, and practices due to this interconnectivity within the team. Alan’s management style encouraged success, new ideas, and discussion, this was only fueled by his knowledge within the field, and his desire to see us grow.
Immediately following orientation and an initial introductory meeting, Alan informed the team the scope of our tasking and goals. The three of us were to analyze, develop, and implement a policy framework that would grant us compliance within the soon to be mandated CMMC framework. This task was crucial to the survival of LightGrid as without compliance, our handling of CUI would be denied, and our contracts would no longer be in effect. For that reason, the seriousness of the tasking became apparent as we knew the timeline of CMMC implementation did not allow for extended periods of comfortable operation. It was understood from the very beginning that in order to achieve compliance we had to get to work.
In an effort to further our understanding of cybersecurity systems, Alan tasked us with uncovering and discussing current events within the cybersecurity world, a task with an end goal of strengthening our abilities to think like a cybersecurity expert able to adapt to differing problems and present a solution that would benefit our specific business. The task proved that cybersecurity theory dug much deeper than I had initially realized, extending from general analysis to in depth discussion on how a vulnerability unrelated to LightGrid, is something that still needs to be considered. I took most from this assignment a deeper understanding of what it means to work in the world of cybersecurity as it proved to me how interconnected everything is. By understanding current vulnerabilities, attacks, data about attacks, and improved and released systems, I began to understand how important adapting to possible situations is, as any individual misstep could lead to our policy development falling behind, possibly leading to major vulnerabilities that could result from anything as minor as password leaks to something as major as malware intrusions or data theft.
We began by dissecting CMMCv2.0 as it was clear we were required to know the ins and outs of this entire policy framework. In approaching this task, I immediately realized how in depth and complex a framework of policies can be when viewed from the whole interconnected aspect of the group. In order to break down the complexity of CMMC, Alan recommended following the CMMC leveling system that the framework is organized by. By organizing the policies into levels, personnel adapting their structure to the framework are able to follow along with which policies most affect them. These include levels 1-3, with level 1 being the lowest, perfect for small businesses and beginning cybersecurity systems. Level 3 on the other hand was much greater in scale, including anything from penetration testing to firewall development, part of our organizational methods involved removing level 3 and most of level 2 as it did not affect LightGrid and therefore seemed only to confuse us. Apart from the organizational methods of analysis, Alan also recommended we work towards understanding the policies we were working with by closely comparing CMMC with another in-house framework that was also closely referenced: CISv8.0. CIS while different in scope and approach, remained similar enough to CMMC to the point where we were able to view the two as equals, resulting in comparisons that displayed the innerworkings of CMMC. CIS was chosen due to the pre-existing reliance on said framework by LightGrid’s outsourced IT division, a framework that could not be changed due to the conflicting specifications and already in place policies. Therefore, we found that fully creating a map between the two policies both strengthened our understanding while forming a solution for individuals following both sets of policies, to refer to one another without needing to further complicate tasking by needing to research either framework. Our goal of creating an interconnected web of two differing frameworks shifted into creating a map simple enough to follow so that any individual could refer to it without issue, as the implementation was a task that would affect all divisions of LightGrid.