***
Recorded at the 2024 Phoenix Live Podcast Tour at GMI on April 1st to 3rd.
***
Joe Toste [00:00:00]:
Hey, what's up, everybody! This is Joe Toste from techtables.com and you're listening to The Public Sector Show by TechTables. This podcast features human-centric stories from public sector CIOs, CISOs, and technology leaders across federal, state, city, county and higher education. You'll gain valuable insights into current issues and challenges faced by top leaders through interviews, speaking engagements, live podcast tour events. We offer you a behind-the-mic look at the opportunities top leaders are seeing today.
And to make sure you never miss an episode, head over to Spotify and Apple Podcasts and hit that follow button and leave a quick rating. Just tap the number of stars that you think this show deserves. Today we're thrilled to have Ryan Murray, Deputy Director of Homeland Security and State CISO for the State of Arizona; Ralph Johnson, CISO for the State of Washington; Owen Zorge, CISO for the City of Chandler.
Joe Toste [00:00:46]:
And I'm going to have Cátia introduce herself.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:00:48]:
I'm Cátia Pereira. I lead the North America sales engineering team for Kiteworks.
Joe Toste [00:00:52]:
Welcome to The Public Sector Show by TechTables. We're excited to have you. We've got some first timers and some repeat guests, so we'll start in the back. A little bit about yourself. Quick intro.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:01:03]:
Cátia Pereira. I was originally from Lisbon, Portugal, moved to the States a while ago. I've been with Kiteworks for about six years now. Moved from fintech into cyber and had to learn everything from scratch. I came in at a good time, though. It was that, I think that six, seven year period ago where cyber became went from Infosec and the not so cool cyber that we know today to the cyber that we know today that everyone's trying to get into. And that is the buzzword.
Owen Zorge, CISO, City of Chandler [00:01:31]:
I'm Owen Zorge. I'm the CISO for the city of Chandler. I've been here about two and a half years. Prior to working for the city of Chandler, I worked for the state of Arizona for about 27 years, to include working for Tim Roemer, working for Ryan Morgan Reed junior. That's been very collaborative. I worked for the enterprise security team as their state compliance and privacy officer for about four and a half years. And prior to that, I was the CIO of the Arizona Department of Emergency and Military Affairs, doing a lot of exercises from natural disasters, nuclear disasters and cyber exercises.
Joe Toste [00:02:03]:
So Morgan Reed wasn't kidding when he said, like, all my friends are here.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:02:07]:
Joe, all four of us, right? Hey, Joe. Ryan Murray, as you mentioned, deputy director for the Arizona Department of Homeland Security and also the chief information security officer for the state of Arizona. So I've been in public sector for the majority of my career. Born and raised here in Arizona, spent most of my life here, spent some time in public sector on the education side. So our K-12 partners and our education sector that we talked to earlier today, near and dear to my heart, the mission that they're trying to support. Spent some time at city government, at county government, across the board, seeing the perspective of what cyber challenges and technology challenges all of our friends are facing across the state.
Joe Toste [00:02:43]:
And Ryan's been on the podcast twice, two other times at Hotel Zaza in Houston. If you go to the TechTables website, you can search under guests. Type in Ryan Murray. And now we have an individual profile for each guest that comes on, because guests come back for multiple episodes. And so now, by the end of this event, there'll be four episodes and a hat on the basketball.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:03:05]:
Glad to be back again.
Joe Toste [00:03:06]:
Second time with the basketball, second time with the basketball. I know. Final four. It's a theme.
Ralph Johnson [00:03:10]:
Afternoon. Ralph Johnson, state chief information security officer for the state of Washington. I've been with the state for 15 months. I just added it up. But I've been a CISO for 19 years, so I was first with King County, Washington, in Seattle for 14 and a half years, but moved to the CISO for Los Angeles County, the largest municipal jurisdiction in the country, and left for a short time for a stint in the private sector. Don't ever become a CISO friend. Newspaper. They don't get it.
Ralph Johnson [00:03:40]:
Then was recruited to come back up to the Northwest, and I'm happy to be back there.
Joe Toste [00:03:45]:
When you say recruited, that's got to be an easy conversation, right?
Ralph Johnson [00:03:48]:
Pretty much, yeah. Yeah, it was, it was. There were some easy parts to it. I was coming back to work for a CIO that I'd worked for before. He was my CIO at King County and LA County. That was, he inherited me at King County, but for LA County and the state of Washington, he had the opportunity to hire me or not.
Joe Toste [00:04:07]:
And I love that story a lot. And so we're talking right now. We want to come to Washington this year, if we can, and I'd love to have you both come on. I just love that relationship. So I think it's a special story, and especially the impact from King County to Los Angeles to the state of Washington. In today's interconnected world, collaboration and community building are essential for effective cybersecurity. As they say, cybersecurity is a team sport.
Joe Toste [00:04:32]:
Our guests are going to share their experiences and insights on fostering strong partnerships and networks that have helped enhance cybersecurity efforts across various levels of government and the private sector. Ryan, let's jump in with you. The cyber readiness program and roadshows have been instrumental. We heard from Governor Ducey this morning a little bit about that in the community building efforts in Arizona. Share one to two examples of how these initiatives have led to a significant improvement in the state's overall cybersecurity posture.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:05:02]:
Sure. And I'll just start off saying our cyber readiness program is a program that we started several years ago under Governor Ducey's administration, providing cybersecurity tools to all of our local government entities. They're struggling just as much as state agencies are to try to defend against cyber attacks, and oftentimes they are significantly under resourced when it comes to that. And frankly, we all are in government, but our local governments are fighting this just as much as anyone is. And a couple of specific examples, and I'll start generally on how we've seen success with this, is deploying these tools out there. We now have visibility across the entirety of the state of Arizona of what the threat perspective is. So we know what attacks we're seeing. We know what vulnerabilities exist.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:05:43]:
We know who and how we need to actually get out there and start putting boots on the ground to help. The second part of that is providing actual support to do those things. So knowing where the most vulnerable populations are when it comes to cybersecurity threats, when it comes to legacy technology, we can actually go out and provide additional support, centralized additional support, knowing how to prioritize, knowing where the most risky organizations are, understanding, again, the most challenging things that we're going to face is under resources. How do we make sure that we're prioritizing where those resources go from a statewide perspective, identifying attacks as they're happening and responding to them in real time. And I'll say two specific examples of where we've seen great success. One is city of Chandler, and I'm going to let Owen tell his story. But our second is with an organization, Kayenta Township, which is in the northern part of Arizona. One of our small tribal communities literally would not have been given the time of day with some of the tools and products that we're servicing, providing to that organization.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:06:42]:
So being able to provide them high powered, sophisticated cyber defensive tools to an organization that has never even thought about having this stuff in place, knowing that they are actively being attacked by the same threat actors that we're seeing across the board. That's a huge win for me.
Joe Toste [00:06:57]:
And if anyone's been following Ryan for any amount of time, you probably saw on LinkedIn that he was basically doing a roadshow around Arizona, which is pretty impressive and awesome. Ralph, collaboration between the state and local entities, which I think you also have a great perspective from the county level and now at the state level as well as the private sector, is really crucial for enhancing cybersecurity. Share a success story from WaTech that highlights the impact of collaboration and the lessons learned that maybe a few of the other states across the country would love to hear.
Ralph Johnson [00:07:27]:
First, I want to say that what Ryan's doing in the state of Arizona, some of the things you just talked about are some things that we want to do in Washington. We're a little behind you, but we're coming along. Collaboration with the local municipalities, local jurisdictions in Washington has been a little difficult because historically they haven't trusted the state. We're turning that around. Bill Kehoe, our CIO, has worked tirelessly since the day he got there to try to turn that around and we're making progress. We attend the Aces conference every time that it happens, we make sure that somebody is there. I told him last year when I went that they were speaking so highly of him that he shouldn't be surprised if they erect a statue in his honor. He told me I was full of it.
Ralph Johnson [00:08:14]:
But anyway, the biggest collaboration that we have recently is the advent of the SLCGP grant, the state and local cyber grant. In the first year of the grant, we were allocated about $4 million, and we made it a point that all of that money went out to local jurisdictions. We at the state didn't keep any of it, except for we made state agencies apply just like the locals did. We didn't just say, you're a state agency, you get to keep it. We made them apply. We issued 99 grants out of $4 million to 70 different agencies, primarily focusing on education, the fundamentals, risk assessments, and policy development. For these agencies, it's been, it's hard to judge the success of it yet. It's still in its infancy.
Ralph Johnson [00:09:06]:
They're still doing their projects. But I talk to many of these jurisdictions frequently and they're making progress. They are getting what they need, they're getting their entities or their projects underway. We also, in the first year grant applications, we also took several of them that were larger requests. We said we don't have enough money in year one, but we're going to pre fund these out of year two. We set aside money from the second year funding stream, and as soon as that was available to us, we issued those grants. That still leaves us with another $5 million to issue, and we just opened up the application process this past week for that. So, again, in terms of how successful it's been, we still don't know yet.
Joe Toste [00:09:54]:
That's great. And we'll get an update maybe in August.
Ralph Johnson [00:09:57]:
Possibly.
Joe Toste [00:09:58]:
Possibly. Owen, the city of Chandler has been working closely with the state of Arizona and other municipalities to strengthen the cybersecurity measures. How has this collaboration influenced your approach to cybersecurity? And what unique challenges have you faced working with multiple stakeholders? And cue, this is your time to brag about Ryan Murray.
Owen Zorge, CISO, City of Chandler [00:10:20]:
You don't have to cue me for that. That's an easy thing to do. Just totally number one, what I wanna say is, we are better together. We cannot do this alone. Our adversaries are working together against us. If we try and do this in silos, if we try to do this alone, we're going to. We're going to struggle. We're going to fail.
Owen Zorge, CISO, City of Chandler [00:10:36]:
So to work together to purchase our cybersecurity tools together is responsible stewardship of our taxpayer funds, right. We are serving our residents, serving our citizens, and that is, number one, the best way of getting things done, right, because Ryan's purchasing 100 times the number of licenses that I would purchase in the city of Chandler. So, number one, he's getting economies of scale, right? So we're getting much better prices on leading edge products. Leading edge cyber products. Number two, we have economies of expertise. Ryan's team has already deployed the same tools to multiple state agencies across the state government level. They've already learned the products, understood the products, and are helping us to mature our cyber controls as well. For me, when I first got to the city of Chandler, there were a few questions that I asked the team.
Owen Zorge, CISO, City of Chandler [00:11:23]:
Number one is, what are we doing to protect our endpoints? What are we doing to protect our network? And we were using legacy antivirus at the time. I had not gone through a budget cycle, so I had not had the chance to ask for a budget at the time. So it was a no brainer to start participating in the cyber readiness program. It also showed my city leadership that I'm smart with what we're doing. Right, that I can collaborate, that I can get a force multiplier. Right. Ryan's team is there for us, and it has made a huge difference. We deployed one of the tools, an endpoint detection response tool that Ryan's team provides.
Owen Zorge, CISO, City of Chandler [00:11:58]:
And two months after we first deployed it to our workstations, the system alerted to an incident. At the time, I was in death by meetings during the day, so I wasn't closely monitoring my email. My one full-time employee was in training that day, so he wasn't closely monitoring the email, but Ryan's team was. They were able to see and immediately assessed the risk to our organization and immediately tried to reach out to myself and my team, weren't able to because we were focused on other things. And through an agreement that we have, prearranged intergovernmental agency agreements, they went ahead and took action to protect the city of Chandler. That is invaluable. We had another incident last year. Oddly enough, two months after we deployed this product to our servers. Got up one morning, logged in, and half hour before I logged in, there were numerous, numerous alerts.
Owen Zorge, CISO, City of Chandler [00:12:50]:
And it was Ryan's team, the product that gave us the early awareness of the unauthorized activity, allowed us to quickly respond with his team as well, as well as we have our National Guard team as a resource that we use here in the state of Arizona, and we were able to save the city from a very bad day. It is invaluable. And we participate in two other products with them as well, to continue to expand our program. What are some of the challenges? Exactly what Ralph said. It's the trust, right? It's changing the culture of, instead of seeing Ryan and Homeland Security Cyber Command as the big brother that they're going to watch over us, seeing them as a collaborator. Their mission is the same as our mission: to protect our state's critical infrastructure. So we have to work together. And it's been very rewarding working with Ryan, his team, and then the other members of the cyber readiness program to help improve all of us, help improve cybersecurity here in Arizona.
Ralph Johnson [00:13:45]:
I'm telling you, when I start to sell this up in Washington, you two are coming up to talk to basis, because I love watching. This is the kind of message that I need to get across, and they're not going to want to hear it from me. They're going to want to hear it from somebody where it's a success.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:13:57]:
Absolutely. Happy to join you.
Owen Zorge, CISO, City of Chandler [00:13:58]:
Huge success.
Joe Toste [00:13:59]:
Washington state live podcast tour is happening right now. Let's go. Cátia, Kiteworks plays a vital role in facilitating secure collaboration and communication among various stakeholders in the public sector. Walk us through a real world scenario where Kiteworks has helped a public sector agency or organization overcome communication barriers and improve its cybersecurity posture.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:14:23]:
Yeah, absolutely. And you guys teed me up nicely. You'll see in a minute. So thank you. It's almost like we planned it. The challenges that we're hearing are some of the challenges you guys just described. I know on some of the challenges you described, once you get down to the city level. So it's, folks, the threat surface is only getting bigger, right? With remote work from home, post COVID, it's exploded.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:14:41]:
So have the threats. I was listening to the podcast to catch up and see what the vibe was and what was expected, and I was listening to the CISO from Houston, and he said, and I remember the set. Cause I was like, wow, if you do the math, this is insane. But he said his SOC team was dealing with 30,000 threats per second. Now there's something like 86,000 seconds per day. So you can do the math and see what not just the threat surface, but the amount of threats you guys are dealing with. And that goes down to a city level, and you don't have the to add on to that. You've got budgets that are either staying flat or shrinking in most of the government agencies that we talk to, and you don't have the people.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:15:21]:
So what do you do? And I can tell you that we've been successful across federal as well as across. Down through the SLED market. But I think one thing that you guys have underscored that I think makes a huge difference is the whole of state approach. And that's where I think we've been most successful. And so I can tell you, for example, Texas, there's quite a few departments and agencies that are using us, but they're using it in a silo. Whereas the success story for me, when I look at it from the perspective of what we've been talking about, is New Mexico, which actually is using it as a centralized solution and disseminating it down to other agencies and down through the local levels to do exactly what you just described. Owen. Right.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:15:58]:
They get a better price break because they're using it for a large amount of users, and they get that protection from a system like Kiteworks all the way down. Because I think the motto that you guys have is if one agency in the state is attacked, the whole state is attacked. And so if you're not thinking about the state holistically, then we're really not protecting anyone. Right. So I would say that, for us, is a success story, and we hope that more of those states take that approach and make it easier, because we hate to have conversations with the city government. They look at pricing. And they say, great product. Wish I could have it.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:16:30]:
Don't have the folks to support it. Don't have the folks to. Don't have the funds. I might have to wait a year to purchase it. And so doing what New Mexico is doing and doing what it sounds like, Ryan, you're doing, I think, is really where the success is going to come from if we want to stay secure.
Owen Zorge, CISO, City of Chandler [00:16:45]:
And to follow up on that, it's not just Ryan's team and my team collaborating. Right. It's collaborating across all the customers that participate. Right. We had a situation in the last couple of weeks where one of my engineers solved a problem within one of the tools, and he's going to share that with Ryan's team. He's going to share that with all the other organizations because they're common problems. Right. It's solving this together.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:17:05]:
I would say even those organizations that aren't participating in our program, our larger cities and counties, they have funds, they have resources, they have capabilities, but they're part of the conversation, right. They're part of crowdsourcing and supporting and providing solutions, because we may not be paying for their tools, but they're all using the same tools. So being able to say, hey, I solved this problem, this technology, let's share that with the community and make sure that everyone knows how to solve this problem. So we're all not trying to figure it out on our own.
Joe Toste [00:17:31]:
Ralph, an important conversation, and I love this, is the critical challenge around retaining cyber talent. And I'd love to get the WaTech perspective on attracting, training, retaining the top cybersecurity professionals up in Washington state.
Ralph Johnson [00:17:48]:
Washington state, probably not unlike most other states, has challenges with this. We're the home of Microsoft. We're the home of Amazon, T-Mobile, Boeing. Although Boeing's headquarters is, I think, in Chicago, a lot of their IT infrastructure is still in the Seattle area. So we've got some major competition. We all know the private sector pays better than public. Right?
Owen Zorge, CISO, City of Chandler [00:18:11]:
Folks?
Ralph Johnson [00:18:12]:
It's difficult for us to compete. One of the things that we've done at WaTech, and I can't speak to all agencies because in Washington state, almost every agency has its own IT team. But for WaTech, what we've done is we allow our people to live anywhere. We recruit nationally, they can live where they are currently living. In most cases, not all. There are some cases where they actually have to be on site from time to time. But I've got a SOC engineer in Alabama, one in North Carolina, one in North Dakota. I had one in Kansas, I got an architect in Texas. So they live everywhere.
Ralph Johnson [00:18:49]:
And I know that's not something that a lot of smaller jurisdictions can do because I was having a conversation with somebody about this just yesterday, and she said, oh, it was the girl from Scottsdale here. She said, we can't do that because we can't handle the tax issues. We're a state. We can. So that's one thing allows us to broaden our talent pool. It allows the employee to have the kind of work life balance that he or she wants. And it's fantastic. As far as training and leveling up their careers, we're working on that.
Ralph Johnson [00:19:17]:
That's something that has been sorely lacking in Washington for quite some time. And I'm looking at putting together programs to provide cyber practitioner education, and not just to the cyber practitioners, but anybody in IT who's interested in getting into cyber. Because as we all know, if you're an Active Directory administrator and you ever tell me I don't do security, I'm going to try to fire you. Okay. I've actually had that conversation with some Active Directory administrators. I'm not security. That's not true. If you're in IT, you do security.
Ralph Johnson [00:19:50]:
If you work for a company, you do security within the role of your job. And we have to get that across to them through our end user awareness training programs, through our other training programs. But keeping our cyber professionals and our IT professionals up to the necessary levels is highly important. And unfortunately, it's highly expensive, but we need to do it. And I'm looking at a whole of state concept for that in terms of getting one of these SLCGP grants to provide it not only to the state of Washington, but all of our municipalities buying enough licenses to a program that these folks can take the CISSP class because we had a. That was a large part of what we had applications for in year one was training. So why not do it from a central perspective? Provide it to everybody.
Joe Toste [00:20:45]:
Ryan, we've heard a lot from Arizona today, so I want to keep hearing more talk about the kind of the creative solutions to address the cybersecurity workforce challenges and some of those that have been the most beneficial to close the skill gap in the state.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:20:58]:
Yeah. And I'll just touch back on what Ralph said. Right. We can't compete with private sector. That's something that we should never even attempt to do. It's just not sustainable. And looking at the current cybersecurity skills gap across the nation, it's what, 500,000 vacant positions that CyberSeek tracks, 10,000 just here within Arizona alone. That's an impossible hole to fill if we're only looking at traditional pathways into those positions.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:21:22]:
So something that we've tried to do is one, looking at retention. Let's just lean into the fact that we're not going to be able to retain people for a certain amount of time. No one is looking to be a 25 or 27 year veteran within state government anymore. So how do we lean better into those partnerships that we have with private sector to say, look, we're using your tools, we're teaching our employees on your tools. They're probably going to come work for you when they leave my team. How do we make sure that they're best trained to be successful when they come to work for you? But doing that today, now, partnering better with our private sector partners to do on the job training for those tools and technologies and capabilities that we need them doing today, knowing that they're going to take that to their next career step. But I also want to partner very closely with the talent pipeline we heard from some of our education partners earlier today. Let's start talking to high school students.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:22:13]:
Let's start talking to middle school students. We're putting together cyber days and coding days and technology days with middle schoolers and junior high school students to make sure they understand what the art of the possible is when it comes to being a technology student. When it comes to being a technology professional. And we're also looking at finding other wiggly paths within the cybersecurity. A partner we worked with used this terminology, and I really love it. Looking at all of the ways that we've come into cyber. Some of us have a traditional technology background, some of us don't have, most of my team doesn't. And we're working on filling a position right now for our chief privacy and compliance officer.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:22:50]:
The person has basically zero background professionally as a cyber expert. Knowing that we have, sure, there's technical jobs in cybersecurity, understanding how Active Directory works and how to secure it. Absolutely a valid skill as a cyber professional. But we also need legal professionals. We need project managers and program managers. We need people that are thinking outside the box. Both their professional and historical cultural backgrounds need to be diverse because we're solving complex problems for the entire state and frankly, the entire nation. We need to be able to bring these diverse lines of thoughts into solving those problems.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:23:25]:
If we only want to solve problems for middle aged white dudes, I got that covered. But we need diverse lines of thoughts to help solve the problems for the entire citizenry of the state of Arizona, as well as all the rest of us across the nation. And I do just want to double click on something that was said by Governor Ducey earlier today. This was one of Tim's famous lines as we're taking our team of 16 and turning into a team of 36,000 through mandatory security awareness training, we're now pushing that out to all of our local government partners, our cities, our counties, our school districts, our tribal communities. So I want to turn that 36,000 and crank it up to 250,000. Let's make the entire state of Arizona one team defending itself.
Joe Toste [00:24:04]:
Oh, let's go. I love that. Yeah, let's find that.
Ralph Johnson [00:24:10]:
May I add in one other thing that I meant to mention earlier? One of the other things that we're doing to recruit is we're eliminating the college degree requirement in our position descriptions. I don't know if the rest of you are doing that. It's something that we're looking at, and we're putting it in there that a college degree can substitute for years of experience. So if we say you have to have eleven years of experience and you've got a college degree but only six years of experience, you might make it to meet those minimums before HR actually says you don't make it.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:24:43]:
Let's remove the barriers to entry.
Ralph Johnson [00:24:44]:
Exactly. Remove those barriers to entry. Make it easier to get in. And that's going to help you open up your talent pool as well.
Joe Toste [00:24:52]:
Yeah, no, I really like this a lot. I've got a story from the Raleigh live podcaster where we had in 2022 with Mandy and Jim and my Uber driver Asim, I'm talking to on the way to the event. And he's talking about data science. He's talking. He's taking courses online, and he wants to get out of driving Uber. I'm like, oh, have you ever thought about public sector? He's like, the DMV. I'm like, that's what I thought, too, the first time. It's funny.
Joe Toste [00:25:19]:
I was like, Asim, there's an event that's gonna happen. There's gonna be some folks there. I think you should really meet them, and maybe it will open some doors. And he goes, I'm wearing a T-shirt and shorts right now. And I'm like, and he's. And I don't have a college degree, but I'm hammering away on Coursera right now. I'm like, Asim, hear me out. They'll let you in.
Joe Toste [00:25:43]:
Who's going to approve that. There's no way the guy that's doing this is going to approve me. I'm like, you're approved. I just authorize you. You're welcome. You're welcome to come.
Ralph Johnson [00:25:52]:
Shirt and shorts is gonna. He's gonna fit in with programmers.
Joe Toste [00:25:55]:
And it was actually a great experience. It was about, like, taking advantage of opportunity. And as Asim had more conversations, it was insane. He had talked to more agency CIOs and Weaver, just cause he's in North Carolina and he's taking business cards, and I don't know what came from that, but just that opportunity, and it was just so impactful to see in Houston. We had the future information technology professionals come out from the University of Houston. And Ryan, you were there. I don't know if you saw they were counting business cards. It was cash in the back meeting CIOs.
Joe Toste [00:26:29]:
And at the end of the day, the backgrounds are going to be different, but we really want to at least have those conversations, because this is two years ago. But Rob Main, when he was. When he was still working for the state, there was 30,000 cyber jobs. It was just a huge hole. I'm sure it's only grown since then. Owen, as Chandler faces really tough competition for hiring, what strategies have you used to double your team from two to four, which I love. Let's go. Come on.
Joe Toste [00:26:57]:
City of Chandler as an attractive destination in Arizona.
Owen Zorge, CISO, City of Chandler [00:27:00]:
Great question. I want to start by responding to something that Ryan said just a moment ago as well. So I was in a similar situation where before I was hired as a state compliance and privacy officer, I didn't have any compliance and privacy experience.
Ralph Johnson [00:27:12]:
Right.
Owen Zorge, CISO, City of Chandler [00:27:13]:
But it took having a passion for cybersecurity, collaborating with the state CISO, like Mike Lettman at the time with Morgan Reed and the enterprise IT group, and being passionate and really wanting to make a difference. I think that passion is really what sets people apart who are in cybersecurity. So thank you to Mike Lettman, to Morgan, for giving me a chance and just grow who I am and grow my skills and so forth. Yeah. Don't be afraid if you don't have the experience, but you have the passion, really, it's the passion and the culture fit that I am looking for in new people. Good on you, Ryan.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:27:45]:
Thanks. Good on you for doing well.
Owen Zorge, CISO, City of Chandler [00:27:47]:
So to your question. Yes, thank you. I have grown the team from two to four. I am super excited. I am sleeping better at night. What are some of the strategies that I incorporate from pretty much the moment I started with the city of Chandler. I have a super supportive CIO, so I report to the CIO, Sandeep Dollakia.
Owen Zorge, CISO, City of Chandler [00:28:04]:
He is an awesome CIO. He's very supportive of me, very supportive of cybersecurity. He has gotten me in the presence of city leadership. So city manager's office started doing regular briefings, monthly briefings, quarterly briefings of cybersecurity, as we were doing assessments for the city and understanding where we were at the time. So really opening up the visibility of what we're doing. Right. Helping me to communicate the city leadership. Right.
Owen Zorge, CISO, City of Chandler [00:28:27]:
Help me understand, and for me to get in front of city leadership to understand what is important to them has really made a difference. I think also showing city leadership that I can be innovative. Right. I don't have to have multimillion dollar budget in order to protect the city. I can collaborate with people like Ryan, his team, Homeland Security, etcetera, and show the city that I'm making effective use of not only our time, but also our residents, taxpayer funds, and so forth. We also, at the city, we do mentorship. So I've had multiple mentors, which are employees of the city who have an interest in cybersecurity, who apply to the mentorship program, and they'll specifically ask for a mentorship in cybersecurity. So I'll work with them over two, three month period to show them what cybersecurity is and help guide them in their journey.
Owen Zorge, CISO, City of Chandler [00:29:16]:
We also partner with the local Chandler Gilbert Community College. So they have cybersecurity programs and IT programs there, and we bring interns in. We've hosted lots of interns in the IT department. Now that I've grown my team, I'll be able to host them in cybersecurity as well. So I'm really looking forward to getting our first intern there also. But I do want to thank the city of Chandler for supporting cybersecurity, for listening, for understanding. I think also just showing that we're making impact. Right.
Owen Zorge, CISO, City of Chandler [00:29:41]:
The incidents that we've had, we report up to city leadership to show them the impact these incidents could have had we not done the right things, implement some of the tools and so forth. And then really, again, it all comes down to, we're better together, collaborating, knowing the people, getting out there, having people know who you are, being collaborative, encouraging my team to be collaborative, learning. And like Ryan said, I'm not going to expect to keep them for 10, 15, 20 plus years. Right. But I am going to make sure that they have the right training, the right guidance, so they can go on and protect other organizations. And I'm going to look for those people who have that passion, who really want to make a difference in their community and foster them and grow them the way that help them in their career path. So that is really, I think that really came across in the hiring of the two people I have now. And they're awesome.
Joe Toste [00:30:29]:
Cátia, Kiteworks solutions are known for helping public sector organizations manage workforce challenges by streamlining processes and enabling secure collaboration. Share one to two examples of how a public sector organization has leveraged Kiteworks, and he touched upon it a little bit earlier, but how it's really helping to optimize the cybersecurity workforce and improve overall efficiency for teams.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:30:50]:
And first, I do want to quadruple down on what everyone said about the background. Right. So I was an international relations major in college. I started out my career in finance. When I got recruited into cyber, I knew, I don't think I even knew what a router was, to be honest, or what it did. And it was just a lot of nights of, like you said, perseverance, obsession, and to make sure you keep learning, because the cyber game's changing every single day. You're learning a new acronym, a new threat vector, all of that. You have to stay on top of it.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:31:17]:
I would quadruple down on don't need the college degree, you need curiosity, you need to stay on top of it. So. Absolutely. And then to the example, I think the name of the game is risk mitigation. Right? And you guys have mentioned you took your team from two to four. You guys have challenges finding folks, keeping folks. And for Kiteworks, an organization like ours, our goal is to make sure we can enable you guys to do as much as possible. We live in a world where, you know, to do your jobs, most of our jobs, we have to share sensitive data out with the world.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:31:44]:
The world has to receive that, but we have to protect it. We've got compliance regulation, we've got privacy laws that we have to adhere to. But at the end of the day, you know, folks just want to do their jobs and go about their day, and they don't, as much as they should be security professionals, they don't want to be security professionals just to do their daily job. Right. And so that's where Kiteworks has come in. And I want to talk about Texas juvenile department is a really good example of where we've helped as a, and specifically as a former sales engineer, now a leader of sales engineers. We like to talk about all the features that are great in our product and how we tick all the boxes on all the requirements you guys have, and we can talk you to death about that. It's a hardened virtual appliance, it's secure, etcetera.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:32:23]:
But all that doesn't really matter if folks aren't using it. And Texas juvenile, I think, is a good example. So there, I think what they told us, and it's a case study, you guys can go out and look at it. It's public, but like 95% of the data that they share is sensitive data because of the nature of their work. And folks are doing their daily jobs and they have to deal with that 95% of data. So they implemented Kiteworks, they purchased it. And it was interesting because as we were talking to the information security officer about how things were going, he said, honestly, it's gone from, we initially just thought 100 people were going to need it. It's grown to 600 people all of a sudden.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:32:58]:
And that's because it's easy to use, and that's the thing that we have to do a better job of as vendors of one, communicating, but also making our products easy to use, because we could sell you shelfware all day. I'm sure you guys have plenty of shelfware that you deal with today.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:33:11]:
Unfortunately, yeah.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:33:12]:
Yeah. And that's not helping any of your cyber teams. It's not helping you enable the small team that you have to have the shelfware. That's doing not much for you. Right.
Owen Zorge, CISO, City of Chandler [00:33:21]:
We need more than checkbox compliance, right. We need outcomes, real outcomes, people actually using.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:33:27]:
And so when he said that, and he said, honestly, it works like email, so we don't have to. We did training once for the user base and we haven't gone back, and it's continued to grow. And that's because people talk to each other, they say, how do you do this? And they go, oh, I use Kiteworks. Just get an account and do your thing. Log in with your usual credentials and use it just like email. And I think for me, that's how you enable an organization. I think it was junior yesterday that pointed out that cybersecurity is the number one concern for CISOs, and number two is digital experience. And again, as vendors, I think we need to do a better job of making sure that we make products that are easy to use and can be scalable and scale your teams and make them more effective, give you those logs that you need right now, that all those folks are using the product, give you more control over how folks are dealing with sensitive material and ultimately enable your teams to actually have that data.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:34:17]:
That's crucial.
Owen Zorge, CISO, City of Chandler [00:34:18]:
When I look for a vendor, I don't look for a vendor, I look for a partner, someone who's gonna be there with us, someone who's gonna help us to be successful. Right. Not someone who's gonna be selling us a product and then going on to their next sale next. Right, yeah, absolutely. And we do have that with the cyber readiness program as well, so.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:34:32]:
And I'll just double click on something you said, right? There's this unending balance between security and usability, right. We have to drive whatever our business outcomes are. We have to provide those critical citizen services to those citizens. Right. And if we're putting security controls in place that prevent that from happening, we're all failing at our.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:34:51]:
And you don't have security controls.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:34:51]:
It's just security. But our business objectives are failing. Right. So how do we find that balance of, let's take the complexities out of making things secure? Like you said, no one wants to be a security professional, but if we can make that the default choice, the easy choice, the easy path, just have that be the way things work, then things are going to be secure by default.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:35:11]:
And I'm really glad you said partnering, Owen, because part of one of the things we're rolling out is policy-driven, automated policy-driven sharing, right? We know, and I think even Governor Ducey said it today, like, 90, 80% to 90% of breaches happen because of user error, whether they mean to or not. Right. Whether it's malicious or an accident. And so if you can do. And we heard from our customers, they said, hey, this is great, but users don't really know. Like, users will just send clear text email when they're not supposed to. So how do you help us get our arms around that? And we put our heads together with product. We worked with customers to figure out what made the most sense, and we came up with policy-driven automated solutions.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:35:48]:
We take in your data classification, for example, and we say, hey, this has PHI in it. It can only be shared in these ways. So this is IP, it can only be shared in these ways. You can't give it to certain folks, so on and so forth. Yeah, I think we have to continue to partner with our customers to understand, because you guys know better than us, right, what you need.
Owen Zorge, CISO, City of Chandler [00:36:06]:
Sometimes we don't, but you're right. You're right most of the time.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:36:10]:
Yeah. And that's why it's a partnership, right? Because we generated something else that our customers didn't know they needed: next-gen DRM. And we're now talking to them and they go, wait a minute, I didn't even know that was possible. So it's a give and take.
Joe Toste [00:36:23]:
Yeah. And I just want to, I want to brag on Cátia, and I'm at risk of saying this because now everyone's going to start doing it. But I always say, if you're going to come to the event and you're a vendor, I would love to try out your product. No one's taking me up on it. They're just like, hey, you're the podcast guy. I'm like, dude, I majored in finance and mathematics, okay? Like, I'll figure it out, don't worry. And she sent over Kiteworks. So all of the case studies and everything was in Kiteworks.
Joe Toste [00:36:49]:
And it was awesome to, you probably saw I was like clicking around and trying to demo and all that kind of stuff. Again, going back to just being curious, right? I'm just curious. And now everyone's going to send me like, hey, man, here's my cyber security platform and here's a demo. Transition to emerging technologies. They offer new opportunities for cybersecurity, but it's critical not to overlook the fundamentals, the blocking and tackling. How does Arizona strike that balance between adopting cutting edge solutions and then focusing on the blocking and tackling? That's just so important.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:37:19]:
I'll just say that those two don't necessarily need to be contrary. Right? One, we're focusing on how do we utilize the best possible tools to do the fundamentals, right. Knowing that we all continue to struggle doing those things. We suck at patching, frankly, right? We know that there's thousands of vulnerabilities out there and we still can't patch them all. And more and more are getting created every single day. So knowing that we're never going to be able to keep up with that, with the old processes, the legacy technology, how do we put something in place that helps us take that struggle out? How do we start automating, patching and vulnerability management? How do we start transforming into autonomous vulnerability management and patching? Let's take the human out of it. Sure, there's going to be some amount of transition in there, but it doesn't need to be a system administrator pushing, yes, every single time a patch is deployed. It doesn't need to be, oh, we're going to take down all of our production environment every time we push a patch.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:38:13]:
Let's start trusting in the technology that we have and understanding where the risks are and building towards better understanding how we interact with that technology. On the other side of that is knowing that all of our users want to push towards innovative tech. Most of them want to, especially. And I'm sure we're going to bring this up, AI, right? Like, everyone wants to do everything AI right now. So knowing that our users are pushing for this understanding, how do we put our heads and our hands around it, either with technology, with processes, with awareness training, to ensure that we're doing smart things with this? And AI is no different than any other tool we've ever had in the history of humanity. Right. A giant stick can be used for good or to bash in your friend's skull. Right.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:38:54]:
Let's look at AI the same way, that this is just a really sophisticated hammer that we can use for good things or bad things. And how do we make sure it's only used for good things, either by our employees or defending against ourselves from bad guys trying to smash our skulls in with hammers. Let's start putting some helmets on. Right?
Joe Toste [00:39:10]:
Okay. And are there right now, are there one to two use cases that are top of mind for you?
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:39:15]:
Yeah. So something that AI is really great at is anomaly detection. Right? So taking in copious amounts of data and looking for anomalies within that data, and that's fantastic. Use case for security. Right. We're looking at tons of data, whether it's from system logs or network logs or even file usage logs. We want to be able to understand what is normal behavior and where is there potentially anomalous or malicious behavior. So that's one area we're exploring really heavily right now, is trying to better understand how that fits in.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:39:43]:
The other one is, again, pushing towards autonomous system utilization. Right. We want to better understand how does this patch or this vulnerability impact performance. We've got a ton of data on all these patches we've pushed. We should be able to gather what the performance impact is of patching these devices. Now, we can use that to further automate. Our users aren't using their devices between midnight and 3:00 a.m.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:40:05]:
we have that data. Let's make sure that we're patching within those timeframes. It takes, we'll say, five minutes to deploy this patch. 90% of the time it's deployed, we have that data. It's got a 95% success rate within that timeframe. Great. We can automate all that stuff and nail, like, 90% of our vulnerabilities and not have to worry about a major service impact so how do we start driving towards that autonomous utilization of the technology that we have?
Joe Toste [00:40:30]:
Ralph, WaTech is also on the emerging technologies front. Seen some articles, but I'd love to hear how you think about that on the cybersecurity side.
Ralph Johnson [00:40:39]:
Besides the fact that he made me flashback to the opening scenes of 2001: A Space Odyssey with the stick analogy.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:40:45]:
That's right. And he's smashing it.
Ralph Johnson [00:40:47]:
Yeah, exactly. He's using it to dig a hole, if I remember right. And then he smashes some guy's head. Yeah, that was great. Ryan said it quite eloquently in WaTech. We don't want to be on the bleeding edge of technology. We want to be near the leading edge when we can. Obviously, we're all in state government, local government.
Ralph Johnson [00:41:05]:
We know that there's legacy systems out there that we can't get rid of. We got to find a way to protect those legacy systems because they are essential. We know that we have that at the state, so we've got to find ways to protect those. We also, though, want to be on the leading edge. We want to adopt AI where it's appropriate. And this whole conference so far, AI had not been mentioned except in some side conversations I had. If you hadn't mentioned it, I was going to.
Joe Toste [00:41:33]:
We still got seven more podcasts. Okay, everyone, take it easy.
Ralph Johnson [00:41:36]:
Yeah. For the last year, almost every conference I go to has been nothing but AI. Two years ago, it was something else. Now it's all about AI. And this one has been somewhat refreshing up until now, because we haven't. No, it's okay, because as I said, if you hadn't mentioned it, I would have. But AI has been around. They say AI is coming.
Ralph Johnson [00:41:56]:
No, it's not coming. It is here. It has been here. There have been tools that have used AI for decades, and we have to embrace it. We have to find where it actually makes us more efficient and actually benefits us. But we also have to do that in a way that protects our intellectual property, our data, our sensitive information, so that we're not putting a document that has sensitive information, such as Social Security numbers or bank account numbers, into ChatGPT and say, analyze this for me using ChatGPT, or any of its equivalents, Copilot, if you will, that actually helps us do our jobs better. I was at a conference not too long ago, and they said that they used ChatGPT to write a report, to help them write a report, that it didn't write it for them. It analyzed that report and it made it better, and it made it so that the recipients of that report, which they've had to do every year for the past, who knows how many years, finally were able to understand the contents of that report.
Ralph Johnson [00:43:03]:
And that's the benefit of AI, is how it can make us better within the bounds of protecting our information.
Joe Toste [00:43:11]:
I love what you said, Ralph, especially around helping to really drive efficiencies and gains is a huge one in a totally different domain. But we had this conversation last night, Ryan. I'm literally a single guy and my wife helps me part time when she's not teaching preschoolers, running a business, launching nine or ten podcasts in this. And it's because there's a system. And yes, I use AI, but I use all kinds of other stuff. And no, it is not smart enough to dump out these questions. The biggest unlock is like how can you in even looking for examples in different domains, guys doing something totally different over here. I wonder what that would look like in the cyber world.
Joe Toste [00:43:52]:
How do we drive those types of efficiencies? What does it look like? You mentioned the report, right? Which is really great. And being able to speed up and help folks is really a game changer because then you're not doing the administrative tasks, but it's not the report output necessarily that you want. But even going deeper around having a conversation with that report is super powerful. And all of these podcasts here will go into my own database where I will have a conversation later and I will be able to even understand everything even deeper. And those are like the connecting the themes and really just I think that's the piece that's super powerful and I.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:44:31]:
Think it offers some amazing accessibility options. Right. If you can take your podcasts and on the fly translate them to 15 other languages, that's huge, right? If we can take that report and translate it into human readable English and not cyber nerd, that's huge for our executive leaders.
Ralph Johnson [00:44:45]:
I've actually done that. I've taken documents that I felt might be a little too technical, put it in there and said, essentially, dumb this.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:44:53]:
Down and you're not going to immediately send that to those executive leaders because.
Ralph Johnson [00:44:58]:
You're then going to read it and fix the things that it misinterprets.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:45:01]:
But it helps you to get your thoughts together. I had one of our partners say, use it as an intern, right? Throw all the work that you don't want to do with this person and then double check their work when they get it done. But they're going to handle a ton of the monotonous stuff that you don't want to deal with. Right?
Joe Toste [00:45:15]:
Yeah. 100%. And then you could layer on an assistant who's creating SOPs for you and then leveraging. Yeah. So it's a super fun time to be around. Owen, curious around how you, do you even have the opportunity to prioritize the emerging technology and adoption? Is it just.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:45:32]:
Sorry.
Joe Toste [00:45:32]:
This is where we're at with the city of Chandler.
Owen Zorge, CISO, City of Chandler [00:45:35]:
We do have some technical debt that we're dealing with, as every organization does. And I want to emphasize that no organization does this 100%. Right. We're all struggling in the same ways. Right. What I'm doing at the City of Chandler is, first of all, like right now, we're putting together a champions governance committee across the city. So instead of me doing it myself or my team, the cybersecurity team, we're bringing partners in across the city from the departments, especially those that have critical workloads, police department, HR, our water, wastewater, ICS, SCADA, to come together to identify and improve the security for the city of Chandler. We're also in the process of updating our citywide policy.
Owen Zorge, CISO, City of Chandler [00:46:15]:
So we have really clear requirements at the city at the enterprise level. But we are also looking at emerging technologies. Right. There's been lots of talk about AI, right? And I've had department directors come to me and ask me about that from a security perspective. And I take a similar approach to my explanation that Ryan does, is there's good and evil in everything, right? So let's look at it and let's embrace it to solve your business problems. And I emphasize that a lot, too. Is my number one priority, is to solve your business objectives, to ensure your business objectives, not to solve them, but to ensure your business objectives are met. Right.
Owen Zorge, CISO, City of Chandler [00:46:51]:
Some other emerging technologies that we're looking at is ways of making security less, making security more transparent to the user. So they don't see this. It's there. It's improved, but they don't see it. Right. Is there ways for us to reduce the number of times they have to MFA in their login? Are there ways that we can maybe automate things a little bit better so that we can reduce the risk, but also allow our company to do things better and more effectively? So that's where we are.
Joe Toste [00:47:21]:
Cátia, let's wrap up with you. You mentioned earlier, scale is a huge factor for public sector organizations looking to meet their growing cybersecurity needs. How can Kiteworks solutions help these organizations scale their cybersecurity efforts efficiently and effectively? And what sets Kiteworks apart in the market.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:47:37]:
I think those two questions probably get answered with the same kind of notes. I would say to be scalable. I think the first piece is, before we start talking about anything, table stakes these days for a security product, you have to be secure by design. I know that sounds like it should be obvious, but CISA just put out a note that said, hey, we're going to have software be secure by design. Here's the guidelines, and here's attestation for that. I'm sure you guys have lots of products that claim to be secure. And then you look under the hood and they're multi-tenant, there's all sorts of stuff that you look and you go, wait a minute, you're not even designing the product in a secure manner.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:48:13]:
Or they had 100 critical vulnerabilities that released last month, right?
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:48:16]:
Correct. There's no bug bounty program. There's, once you look under the hood and you ask, what is your security program? Are you doing secure code development? And you ask for that information, it's not there. Right. So I think before I joined, a couple years before our CEO came on, and we used to just be a secure file transfer organization, just moving files from A to B, successful business, not a big business. And he came in and he said, wait a minute, he came from Israeli intelligence and he said, this is going to be commoditized. And so what are we doing differently? And so he came back and said, security, that's going to be the key is he foresaw all of the regulation, all of the stuff that you guys are probably dealing with now in terms of data privacy. He foresaw that and said, nope, let's pivot, let's change the game and let's start thinking secure by design.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:48:59]:
He got us FedRAMP authorized, so on and so forth, ISO, et cetera. So that's step one is giving you that secure by design. And then I would say step two is it's a platform, and so it's not, we're nothing. You're gonna, your organization folks are using email, they're using file sharing tool, they're using automation, they're sharing data through all sorts of channels. Chat, I'm sure you guys can name more, right? They're ingesting information from the public through various channels. And so if you're not taking a platform approach, there's no way you can scale, because what are we gonna offer you a product for chat, another product for this, another product for that, with totally different logs that now you have to go collate and try to gather information from. That's not scalable, that's not going to work.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:49:43]:
And a different user experience for every single one of those products, right?
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:49:46]:
Exactly. And down to if you're using a mobile device, Kiteworks looks the same and that's by design. That's because we realized that if you made the mobile device look totally different than the mail client and you know how they're automating and the rules were different as an admin, right. If you have to set up different rules across the board, that's not scalable. Right. We talk to customers all the time. We're doing a customer review and an admin for 5000 user system told us she spends 0.01% of her time managing the system. That's what we want to hear.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:50:14]:
That's scalable, right. You don't want to hear that your admin spending a third of their day dealing with software. So I would say that's important. And then we talked about policy automation before. So control, so I won't spend too much time on that, but giving you guys back some control, giving you guys the capability to say, instead of having to train users and tell them exactly what to do with this type of file and that type of file, automate it. And I think, oh, and you said it, the user shouldn't have to see it if they are sending PHI, the system should just do what it needs to do because it knows it's PHI and it will do what it needs to do. The user shouldn't have to go check. Okay, what's the retention policy for this? What encryption should I be using? That's not a scalable product for you guys. And then lastly, usability.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:50:56]:
And we talked about that one too, making it so that folks can actually adopt it without you guys having to provide training, pay for professional services that you can hand it to a user and just let them go.
Joe Toste [00:51:06]:
We'll start here at the end. What's one, Cátia, what's one piece of advice that you can share for agencies and organizations looking to that everyone can take home to help increase their cybersecurity posture?
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:51:18]:
That's a good question. I would say I started with it at the beginning, but secure by design. So when you're looking for vendors, I know, and I don't actually know what happens when we fill out these third party security questionnaires or vendor questionnaires. I don't know if anybody looks at them or they just put them in a drawer and say, okay, yeah, we checked the box, we made the vendor answer 300 questions about their security posture, but making sure that. I think those are really good opportunity to make sure that the vendors that you're bringing in, what's the statistic? I think most attacks come from third parties. Right. So if you guys aren't protecting the third parties and the vendors that you're using, then I'm not sure anything else that's being done is really going to be effective. And so using.
Cátia Pereira, Manager - North America Sales Engineering, Kiteworks [00:51:56]:
Monitor your vendors, ask them the hard questions. AI. I get asked questions about how are you guys securing AI models? And I'm like, let's ask simple questions. Is MFA turned on for folks who are using it? Is encryption turned on for the LLMs? Are you guys asking vendors those questions? Is that in the security questionnaire? So really check with your vendors that they are secure by design and that they're doing what they're supposed to be doing from a security perspective.
Joe Toste [00:52:18]:
That's great, Owen.
Owen Zorge, CISO, City of Chandler [00:52:19]:
Again, the collaboration, right. It's finding those areas that you can have force multipliers, you can partner on things. You'd mentioned StateRAMP, right? I don't have. I don't have the team to be doing third party risk or you've mentioned FedRAMP. Right. I don't have the team to go and do third party risk. All these assessments on all of our cloud vendors or otherwise. Right.
Owen Zorge, CISO, City of Chandler [00:52:36]:
So I partner with StateRAMP in order to help us with that. Right. To make sure that where we're storing our data and where we're storing our critical systems have gone through an assessment process. And that's really it. Right. Just working together, just understanding that we can't do it alone. Knowing your gaps, knowing where you're weak. Right.
Owen Zorge, CISO, City of Chandler [00:52:53]:
And accepting that one of the things that happened on our latest incident that we had in June is I get up and I see these alerts and panic sets in. Right. But the first thing after that is, okay, where am I going to need help, right. I know that my team and we were two at the time is not sufficient. Right. I know that there's some knowledge gaps across. So I partnered with Aaron Jones over in PD, brought him in. He's a cybersecurity expert.
Owen Zorge, CISO, City of Chandler [00:53:18]:
He helped with us, partnered with Ryan, and we brought in our risk management. So really, you can't do it alone and understand where your gaps are and work on that.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:53:29]:
I'll just echo. Yes. State of Arizona does do something with those 300 questionnaires that you have to fill out. We've got an analyst, Emily, that focuses very heavily on ensuring that everything that you answer meets the state's requirements. That's AZRAMP. AZRAMP. StateRAMP was mentioned. FedRAMP was mentioned.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:53:44]:
We're doing all of that stuff. Know that your efforts are not wasted. And it sucks that Owen got to go first because he stole my answer. But I'll just continue to highlight that, right? We need to focus on the collective defense of all of us, and this includes other states. We can't continue to look at this as an individual problem. We can't continue to look at this as a siloed issue. Wherever, it doesn't matter. My house is fine.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:54:08]:
So go deal with your own rocks that are being thrown. We have to all come together to try to solve these problems together. Because, as you mentioned, the bad guys are doing the same thing, right? They're all working and collaborating and pooling their resources, and they're way better funded and they're way better resourced than we are. And the only way any of this stuff works is if we all continue to do this stuff and get together to make it happen.
Ralph Johnson [00:54:28]:
Ralph, in addition to what they've all said, this has been fascinating, fantastic, but in addition, never forget the basics of cybersecurity. I talked to so many people, and they're all about all this advancement, all these advanced tools, but they forget about the basics. Find a framework that fits your organization. Find the gaps in that framework and plug those gaps, because every framework's got them, but you can easily find them. There are mappings between the frameworks all over the place. So focus on the basics and focus on your people. Train your people. Get them professional education so that they are capable of doing the jobs that you hired them to do.
Ralph Johnson [00:55:09]:
As we advance platforms. And if they decide to leave once they're trained, wish them well, because they're going off. They've got their career to pay attention to. As has been said, very few people are going to stay with a local government or a state government for 25, 30 years like they did in my generation. But give them the training, because while you still have them, they are now a better employee for you, and they are happier because they are more capable.
Joe Toste [00:55:39]:
What's the great quote?
Owen Zorge, CISO, City of Chandler [00:55:41]:
Train them to the level where they can leave, but treat them well enough to where they want to stay.
Joe Toste [00:55:47]:
Yeah, no, that's definitely one. There's another one where it's like the CFO talks to the CEO, and he's like, what if we pay all this money to train them and they leave? And the CEO's, what if they stay?
Ralph Johnson [00:55:55]:
What if we don't train them in this day.
Joe Toste [00:55:57]:
Yeah. What if we don't train them? Yeah, exactly. And with that, we'll wrap up with Cybersecurity is Homeland Security. Thanks for coming on The Public Sector Show by TechTables.
Ryan Murray, Deputy Director and Chief Information Security Officer at State of Arizona [00:56:05]:
Nice. Thanks for having me.
Ralph Johnson [00:56:05]:
Thank you.
Joe Toste [00:56:06]:
Hey, what's up, everybody! This is Joe Toste from techtables.com and you're listening to The Public Sector Show by TechTables. This podcast features human centric stories from public sector, CIOs, CISOs, and technology leaders across federal, state, city, county and higher education. You'll gain valuable insights into current issues and challenges faced by top leaders through interviews, speaking engagements, live podcast tour events. We offer you a behind-the-mic look at the opportunities top leaders are seeing today.
And to make sure you never miss an episode, head over to Spotify and Apple podcasts and hit that follow button and leave a quick rating. Just tap the number of stars that you think this show deserves.
Deputy Director and Chief Information Security Officer at State of Arizona
Ryan Murray joined the Arizona Department of Homeland Security in July 2021 and currently serves as the Deputy Director for Arizona Cyber Command and as the Deputy Chief Information Security Officer for the State of Arizona. He also previously served as the Chief Information Security Officer for the Arizona Department of Revenue for three and a half years.
In his current role, Deputy Director Murray provides tactical and operational leadership for Cyber Command, and strategic advice to key executive stakeholders throughout the State.
Prior to joining the State in 2018, Ryan held several public sector positions throughout Arizona including in Maricopa County and the Crane School District.
He has nearly 20 years of experience in IT and Information Security, is a Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP) and holds a Bachelor’s in Cyber Security and Information Assurance from Western Governors University.
This year Mr. Murray looks forward to accomplishing several key initiatives, including a significant expansion of the Department’s Cyber Readiness Program for local cities and counties, and increased collaboration for cyber information sharing across the State.
CISO, State of Washington