Interview with Scott Gray, President at Gray Analytics


By AI TechPark | Featuring Scott Gray, President of Gray Analytics

1. Tell us how you came to be the President at Gray Analytics. 

I have had a long career working in technology. I spent time working as a civil servant with the US Army, with a large aircraft manufacturer, and with a couple of computer hardware and service providers. I enjoyed all those roles and, in each case, we were working to solve technical challenges for clients. I worked with a lot of great people and it was about leveraging all the resources we had and getting the entire team to work together to solve these challenges and help our clients. My brother Ron has been a successful entrepreneur with engineering and consulting firms since the ’90s. Ron set up Gray Analytics a few years ago and asked me to come join him in helping manage and grow this business. It is exciting for me, because we have and we are building a great team, and at our size, we are able to be nimble and truly be driven by our clients’ technical challenges.

2. What are some of the industries that Gray Analytics caters to?

It has been pretty amazing how we are evolving. Most of our work is in support of the Department of Defense (DoD), but we are placing an emphasis on helping commercial organizations as well. In addition to our DoD core, we have worked with clients in transportation, manufacturing, agriculture, legal, engineering, accounting and finance, and construction.

3. What are some of the common pain points your customers approach you with?

The most common pain point customers approach us with is risk. Our work with the DoD has ranged from the risk related to our nation’s lagging position on hypersonic weapon and defense systems, to the risk of cyber intrusions into national defense systems, to the risk of bad software due to inefficient and outdated development practices. On the commercial side, it is about the risk of cyber intrusion and losses of money, intellectual property, and PII due to these intrusions, whether by organized cyber crime syndicates, nation state cyber criminals, or even insider threats. Spanning across DoD and commercial is our work with SAP NS2 for our Supply Chain Intelligence Tool, ChainShield™. This tool can be applied to any supply chain including but not limited to national defense systems, electronics, food, pharmaceuticals and critical infrastructure, to illuminate risks in the supply chain and take corrective action to ensure trust.

4. Can you give us a sneak peek into some of the upcoming product upgrades that your customers can look forward to?

Our ChainShield™ product with SAP NS2 is rapidly maturing. We are leveraging the AI capabilities from SAP’s HANA platform to quickly assess petabytes of information relative to a particular supply chain to enable this tool that is critical for the global supply chains that go into everything we use and consume in our country.

5. What KPIs or metrics do you use to measure the effectiveness of an organization’s information security program?

The National Institute of Standards policies for cybersecurity (e.g. NIST 800-171) have long been a basis for our risk assessments, whether for government or purely commercial clients. We feel like that is a great framework to start with. Of course, the DoD contractor side is evolving and expanding to the Cybersecurity Maturity Model Certification (CMMC), and that model is rapidly becoming the standard to measure an organization’s information security program.

6. Give 3 important tips that can strengthen an organization’s information security program?

It is very difficult to name only three, but,

  • The first tip is to perform a cyber hygiene assessment to see where your company stands. If you don’t know where your issues are, you don’t know what to correct. We recently did an assessment for a client and found over 200 vulnerabilities of various degrees of criticality. Once you know your weak spots, you can address them. In that case, many of them were relatively easy corrections.
  • My second tip is on training. Your employees are your first line of defense. Email is certainly one of the most prevalent attack vectors and everyone has to be wary of an email asking them to take action, even if it looks like it is coming from the CEO. They need to be able to know how to identify suspicious emails and beyond that, to understand how their activities and actions can put them and the organization at risk for a cyberattack.
  • Finally, stay current on technology. Old and outdated hardware and software are easy attacks for cyber criminals. Current technology with current cyber protection is critical.

7. What are some of the common misses from SMBs in terms of compliance and security protocols? What are the reasons for this – lack of expertise, lack of funds for infosec professionals, or simply neglect of processes?

We have seen a lot of misses.

A quite common miss is physical security. This can range from server rooms not being locked, to laptops being left open and logged in while an employee is away and clients are in the area.

Another area is just pure policy and process – things like password policies, the principle of least privilege for system access and configuration management. Finally, in the technology itself, one miss would be not having proper technical safeguards in place. For example, many are very resistant to multi-factor authentication. Generally, I think it gets back to awareness and understanding the myriad of these things that can put you at risk.

8. How do you keep pace with the rapidly changing cyber security tech space?

For us, it gets back to our team. We have a great team of people that have a natural hunger for technology and cyber security and have an innate desire to stay ahead of the curve. I am fortunate the team will send me information to help keep me up-to-pace. I also rely heavily on reading as much as I can, such as at AI TechPark.

9. What is the one cyber security breakthrough that you will be on the lookout for in the upcoming year?

Well, this interview is perfect for that. It really is AI. SAP HANA’s AI capability is the underlying brains for our ChainShield™ Supply Chain Intelligence Tool. Gray Analytics is also looking at how we can apply AI to other areas of cyber security.

10. How would you encourage women in STEM to take up cyber security as their career choice?

I am certainly encouraging of women in any area of STEM. I don’t think there is a better area to be in.

With the way the world is evolving and cyber threats are quickly multiplying, the need for cyber professionals is going to be even greater than it is today. On top of that, the work is fulfilling. You can help many organizations defend themselves from cybercrime, and to me, that’s fun and exciting.

11. What advice would you like to give upcoming cyber security start-ups?

Build a strong team that can work together. Get people with different capabilities that complement one another. When possible, find those people who have a broad skillset, like any technical challenge and will work to figure out a way to resolve a problem. Finally, your people need to be tenacious. You want team members who don’t give up just because the task is difficult and they meet failure along the way.

12. What is that one quote that has stayed with you throughout your professional life?

I talked about tenacity above; I have always thought tenacity was such an important character trait. When I first saw Theodore Roosevelt’s “The Man in The Arena” speech at the Sorbonne at the University of Paris, it really resonated with me:

It is not the critic who counts; not the man who points out how the strong man stumbles, or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood; who strives valiantly; who errs, and comes short again and again, because there is no effort without error and shortcoming; but who does actually strive to do the deeds; who knows the great enthusiasms, the great devotions; who spends himself in a worthy cause; who at the best knows in the end the triumph of high achievement, and who at the worst, if he fails, at least fails while daring greatly, so that his place shall never be with those cold and timid souls who know neither victory nor defeat.

I have applied this throughout my life, but also when encouraging my three daughters in times of difficult obstacles, or even failures when working towards any goal or project.

Scott Gray leads the Gray Analytics team. He is responsible for setting growth strategies and execution plans with an emphasis on solving the client’s complex technical challenges with the highest levels of client satisfaction and Gray Analytics team member morale. Scott has over 30 years’ experience working with corporations and government organizations to deliver high-value solutions to help clients meet complex mission objectives. Prior to Gray Analytics, Scott worked at IBM with hardware infrastructure responsibility for the US Army, US Navy, US Marine Corps, and Missile Defense Agency. Scott has a Bachelor of Science in Industrial Engineering from the University of Alabama, a Master of Science in Engineering from the University of Alabama in Huntsville, and a Master of Business Administration from Vanderbilt University.