Sheila Duffy


Greystones Group

Greystones Group provides crucial cybersecurity training and solutions to the federal government. Using her leadership experience at both Fortune 500 and dot-com startup companies, president Sheila Duffy built an organization that helps both the Army and civilian agencies keep the country safe from constantly shifting cyber threats.

Q: Before launching Greystones, you worked at major companies, including Verizon and AOL. What lessons did your experience in the commercial sector teach you that you’re still applying today?

A: I grew up as a first-generation American (my parents are from Ireland), experiencing first-hand the opportunity and advantages this country offers all people, especially women entrepreneurs. I started my career at Verizon (Bell Atlantic) and I was able to move up through the ranks quickly with positions that gave me visibility to all areas of the company. I was able to take advantage of excellent management and technical training there and get exposure to best-in-class systems and practices. I left Verizon to do three dot-com startups until the dot-com crash, then was asked by the founder of the last dot-com to work on consulting projects with him. I grew my consulting practice, evolving it to Greystones Consulting Group, LLC, which included strategic support for AOL’s internet security products and services, as well as VeriSign’s Digital Certificate services (authentication and encryption). In 2006, I made the strategic decision to take the company into the federal government space to take advantage of government presence in the Mid-Atlantic region as well as the variety of small business programs offered by the federal government, which I felt would allow me to grow Greystones from a boutique consulting practice to a scalable company. I knew I could take my experience with Fortune 500 companies and combine it with the speed and agility in business decision making I learned from my experience with dot-com start-ups to create a company that could provide excellence in service to the federal government. I was awarded our first federal contract — to support the National Guard — in 2008.

Q: Greystones has achieved a number of firsts in its work with Army Cyber Command. What achievements are you most proud of? 

A: I am extremely proud that Greystones conducted the very first Cyberspace Capabilities Based Assessment (CBA) for Army Cyber Command. Our team successfully led the Cyber CBA, conducting extensive research and analysis of U.S., Department of Defense (DoD) and Army regulations and doctrine, and conducting hours of stakeholder meetings and briefings to validate research and data management. The Cyber CBA Final Report was completed and submitted on time and was approved upon first-review by the Army Capabilities and Integration Command (ARCIC), an accomplishment that rarely occurs.

After completion of the Cyber CBA, our team developed various doctrine, organization, training, materiel, leadership and education, personnel and facilities (DOTMLPF) solutions to address capability gaps found in the Cyber CBA, particularly in the area of Training and Leader Development. Our team has developed a Leadership, Development, Training and Education program to incorporate cyberspace learning objectives into course curriculum and training objectives at all levels of training in the Army. Within two years, our project team integrated cyberspace curriculum into all Army officer schools. This involved a comprehensive and methodical review of each school’s entire curriculum, developing recommended changes or additions to the curriculum, and convincing leadership to approve the solutions. The results of this contract have received Army-wide interest and received praise from the former Chief of Staff of the Army, Gen. Raymond Odierno.

Q: You are working with the Navy on upgrading and fixing legacy systems. What are the big issues you see?

A: Probably the biggest problem we see is that so many systems and applications are significantly outdated and our customers don’t have the in-house historical knowledge or documentation on the application. We have to spend some significant upfront time analyzing the legacy application to fully understand its functionality and how it was designed, so that we can ensure there is no loss in functionality when we convert it to a more current technology platform. To complicate the challenge, many of the legacy applications are written in programming languages that are 30 or more years old. Finding a developer who both understands these older languages and is proficient in some of the current programming languages can be a challenge.

Q: Government contractors often struggle with the uncertainty of the federal budgeting process. How are you dealing with that challenge?

A: We have been doing several things to better position Greystones to respond to the dynamic government marketplace and ensure we continue to remain competitive in a contracting environment that sees a lot more competition at lower and lower prices.

First, we have focused our core capabilities into service areas that are critical to our government customers, namely software development and cybersecurity. The government is always going to need contractor support to upgrade and improve legacy applications and develop new software applications to better meet a changing mission and leverage cutting-edge technologies. The government is likewise going to be facing an ever-evolving cybersecurity threat and will need to leverage the private sector to stay on top of changing tools, tactics and best practices to defend against this ongoing cyber threat. Our focus on finding top-quality technical talent and our commitment to developing innovative, practical and effective solutions for our customers has enabled Greystones to position itself as a trusted, high-quality and best-value provider of IT and cybersecurity services to our government customers.

Second, in this day and age when the government is willing to accept a lower-quality technical solution for the lowest price, the pressure is really on companies to improve their operational efficiency and lower their cost, while sustaining their ability to deliver high-quality services. With fewer dollars to spend, we find our government clients are really looking for capable companies that they can trust will deliver what they say they will deliver. Greystones has been making some key investments to keep us cost-competitive and improve our ability to deliver to our customers. Within the next year, we will receive our ISO 9001 Certification and become CMMI Level III certified for Services. We have also invested in some internal business information systems and management tools to help us better monitor our performance, manage risk, and ensure compliance with government requirements.

So far, the changes we have made have been successful in allowing us to continue to grow in a declining federal market. Our customers continue to be extremely satisfied with the services we provide and our IT and cybersecurity portfolios continue to grow.

Q: You’re working on a curriculum for non-IT employees at government agencies to educate them on cybersecurity. Why is that important for those not directly involved in IT? 

A: Historically, the focus and priority of both DoD and civilian agencies/organizations regarding cyber training has been the Cyber Corps — those technical professionals whose job it is to protect and defend against cyber attacks/intrusions, perform Cyber R&D and other cyber-related operations. While clearly important, the unintended consequence of this laser focus on the Cyber Corps has been the creation of a large and growing non-cyber community, the vast majority of which possess only a basic understanding of cybersecurity. Despite representing 98%+ of the total DoD and civilian workforce, this community receives less than 1% of budgeted cyber training dollars. This gap in training dollars/focus has resulted in an ever-increasing level of vulnerability to cyber attack across the non-cyber community.

To address and begin to close this gap, Greystones has developed a training program — currently focused on the DoD/Services — called the “Non Cyber Warfighter” training. Our program includes a rapidly tailorable, topic-based POI focused on addressing the following:

1.) The What: Fundamental understanding of cyberspace operations and warfare.

2.) The So What: Relevance and application of cyber (CO), tailored to the level and type (e.g., MOS/duty assignment) of non-cyber personnel being trained.

3.) The What If: A customized suite of threat-based scenario exercises and simulations — based on recent and real-world events — focused on the trainee’s ability to apply the knowledge gained from areas #1 and #2 above to help the Cyber Corps maneuver in cyberspace, mitigating/eliminating the threat.

Q: The nature of cyber attacks changes constantly. How does Greystones help the government stay ahead of the latest threats? 

A: I’ve really tried to create a culture of innovation and excellence at Greystones. We offer a robust education and training program where employees select training courses and certification programs relevant to their area of technical expertise and job responsibilities. The majority of our employees either already have or are in the process of obtaining an information security certification. We also encourage a culture of thought leadership, sponsoring our employees to participate in cybersecurity-related professional symposia and the development of white papers on cybersecurity-related issues. Finally, as a company, we really like to make sure we are “walking the talk” in the cybersecurity advice we provide our customers. We have established a Cyber Red Team in the company with the focus on researching and understanding the latest cutting-edge techniques and technologies in offensive and defensive cyber operations. Our Cyber Red Team is also chartered with testing and evaluating our own internal corporate cyber posture to make sure we are practicing good cyber hygiene and following through on the cyber defensive measures we advise our customers to employ.

Q: As a government contractor, you have many employees working off-site. How do you make sure all employees stay engaged and aligned with your vision?

A: We work very hard to ensure we remain connected with our off-site employees. We conduct an annual all-hands meeting to brief our team on the company’s strategy for the year and provide an update on the work of our project teams. We also cover new business initiatives for the company, including briefs on new markets and new capabilities the company is developing. We publish a quarterly newsletter to provide periodic updates on the individual achievements and milestones of our employees, program updates and upcoming priorities. I also make it a point to travel regularly to all of our locations around the country on one of my CEO visits to meet face-to-face with our employees and touch base with our customers. We also leverage a wide array of communication tools to facilitate phone or virtual meetings for our off-site employees so that they can remain fully engaged with their project teams regardless of location. Finally, as a technology company, we are always evaluating new technologies and their potential impact on helping us solve management challenges and improve business performance and efficiency. Some of the Social Performance Management tools that have come to market look to be very promising applications for facilitating collaboration across the company and encouraging employment engagement for a dispersed workforce. We are currently exploring several of these tools for implementation here at Greystones. The bottom line of all this is that it does take some thought and planning to make sure all of our employees feel like they are never too far from Greystones, but the effort is well worth it in terms of the low employee turnover we experience and the consistently high satisfaction ratings we receive in annual employee surveys.
