Live from the Hotel Kimpton Palomar for the Phoenix Live Podcast Tour!
Featuring Tim Roemer, Arizona Director of Homeland Security & State CISO, State of Arizona & Nancy Rainosek, State CISO, State of Texas
Show Notes:
In today's landmark 100th episode of The Public Sector Show by TechTables, we dive deep into the forefront of state cybersecurity with Arizona's Director of Homeland Security, Tim Roemer, and Texas CISO, Nancy Rainosek, exploring how they're pioneering defenses against digital threats and ramping up cybersecurity efforts across their states. Discover the strategies behind Arizona and Texas's leading cybersecurity initiatives and understand the critical role of preparation, practice, and partnerships in safeguarding the digital frontiers of our local governments. Tune in as we unravel the rising tide of cyber resilience in the Phoenix Live Podcast Tour Series.
Timestamps
0:00 - Intro
02:55 - Tim Roemer's pivot from college football to cybersecurity excellence
07:45 - The transformative incident: Texas' 23-governments ransomware attack response
10:20 - Nancy Rainosek on uniting the military and emergency services for cybersecurity
12:58 - Arizona's social media strategy for cybersecurity awareness with Tim Roemer
15:27 - Strengthening local government cybersecurity through collaboration and training
18:19 - Involving students in state-level cybersecurity initiatives
20:15 - Making cybersecurity understandable to legislators to secure crucial funding
23:40 - Using maturity ratings to showcase cybersecurity improvements to lawmakers
26:35 - Gamification and positive reinforcement techniques in cybersecurity training
29:12 - Steve Bell's exploration into the role of cyber insurance in risk management
31:46 - The preference for prevention over ransom payments in cyber-attack strategies
37:18 - The parallels between disciplined practice in sports and preparation in cybersecurity
40:05 - The necessity of having a detailed playbook for cybersecurity threat scenarios
43:10 - Adoption of regional security operations centers and their impact
45:32 - Successful local government engagement in university-partnered cybersecurity initiatives
⭐️ Leave a Review
If you enjoy listening to the podcast, please leave a 5-star review on Apple Podcasts and let us know in your review who you want to see next on the podcast. Thanks!
You can also Tweet us on @thejoetoste and tell us what lessons you learned from the episode so we can thank you personally for tuning in 🙏🙏
🔗 Connect with TechTables
LinkedIn TechTables https://www.linkedin.com/company/techtables/
LinkedIn - Connect with Joe! https://www.linkedin.com/in/jtoste/
Twitter https://twitter.com/thejoetoste
Follow us on Instagram! https://www.instagram.com/techtablespodcast/
Website https://www.techtables.com/
Joe Toste [00:00:34]:
We have Tim Roemer, the director of homeland security for the state of Arizona, and Nancy Rainasak, the CISO for the state of Texas. Welcome, tech tables.
Tim Roemer [00:00:44]:
Thank you.
Nancy Rainosek [00:00:44]:
Thank you.
Joe Toste [00:00:45]:
Yeah. Super excited to have both of you on. I don't have it in my notes, but Tim has been on tech table. We had two episodes in the show notes. I'll reference to those two episodes. Do you have a dog barking? I was trying to think the first time. Yeah, there's a dog barking.
Tim Roemer [00:00:58]:
I think he had the Amazon delivery guy that was coming like, six times a day. Yeah, absolutely. Telework challenges of 2020.
Joe Toste [00:01:04]:
Yeah, exactly. So today's podcast is titled unstoppable how Arizona and Texas are leading the way in cybersecurity. Now, Nancy flew in from Texas, which I was really grateful for. I've been trying to talk to Nancy. Fun fact. I've been trying to get in front of Nancy, but there are so many vendors at task and other events that she would go to. I couldn't get through the wall or circle.
Tim Roemer [00:01:26]:
You're popular.
Joe Toste [00:01:27]:
I don't know what to say. Yeah. Not everyone might know who you are, Nancy, out here in Arizona, but maybe just give a quick background.
Nancy Rainosek [00:01:34]:
Okay. I became the CISO in 2017. I've worked for Texas for years, a lot of years. Started as an auditor, it auditor, and then eventually became an enterprise security manager at a very large agency, and then eventually moved to dir and had the fortunate opportunity to become the state CISo. And I can tell you a story about that. When I got the job, I was, like, so excited. And that's the thing you want to tell your mom and dad, but that's not going to happen. So I called my brother, my big brother, and I said, hey, I got this job.
Nancy Rainosek [00:02:11]:
And he says, you won. And I was like, what did I win? You guys make a lot more money. He's smart. Way smarter than me. And he was like, you've got the best title. And I just thought, this is ridiculous. It's not a competition. Who cares? And a few years later, I was thinking about it and thinking about the work I get to do and the direction I get to drive and the change I get to make in Texas.
Nancy Rainosek [00:02:40]:
And I think, yeah, I won. So it's pretty cool.
Joe Toste [00:02:45]:
Yeah. And I didn't hear how many years you've been working. I think you were, like, mumbling, was I in diapers when that started?
Nancy Rainosek [00:02:53]:
You might not have been born, Tim.
Joe Toste [00:02:55]:
You were actually once the state and then moved over to become the director of Homeland security. Maybe you just talk about.
Tim Roemer [00:03:01]:
Yeah. So I started my career working for CIA as a 20 year old intern, as a student trainee, and I did that entire program. And I converted to full time staff after I graduated from ASU and worked at CIA for ten years, spent two years in the White House situation room. And after that, I decided I wanted to move back home to Arizona, where I'm born and raised and work on issues of homeland security, national security and public safety that are really important to our states around the country, because it's really fun to be focused on national security issues around the world. But what I really was focused on is how do we protect our families and our communities? And Governor Ducey provided me an opportunity in 2015 to move home to Arizona and work on these issues. And I've spent the last seven and a half years in just a variety of different roles having fun, but served as the governor's public safety advisor and our deputy director of homeland security and our CISO. And now I'm just honored to lead our department of Homeland Security and continue to be the CISO.
Joe Toste [00:03:52]:
That is fantastic. And I don't know if it's still on your LinkedIn because I haven't creeped on it in a while, but you had this photo. It was like you and Obama. And I remember we first met and I was like, did he Photoshop this? But it's a real photo.
Tim Roemer [00:04:06]:
It looks photoshopped. Because the funny thing about that is when you take a picture with the White House photographer, it's on my departure day. Their camera resolution. Speaking of, technology is so good that you can zoom in on yourself. And I'm not saying I've done this, of course, but hypothetically, you could zoom in on yourself and crop yourself, and it could be your headshot for work. That's how good the resolution is in that photo. And that's why it looks fake. It looks like I superimposed myself into it.
Tim Roemer [00:04:35]:
I think that camera quality is just really good.
Joe Toste [00:04:38]:
Yeah, there's the camera quality. And then if you actually look at the photo, he looks like ten or 15 years younger. No gray hair. Yeah, exactly. So there was a recent 60 minutes interview with Jen Easterly, who is the US director of cybersecurity and infrastructure security agency SISA. There was a quote she had said, and you had tweeted it. It's all about preparation, not panic. I actually also really love that.
Joe Toste [00:05:05]:
How are you positioning and preparing Arizona to stay in front of nation states like Russia who are looking to harm the state of Arizona?
Tim Roemer [00:05:13]:
Mainly it's that it's preparation. And so I was fortunate when I became our CISO, my predecessor had done amazing work to further the cybersecurity mission, the state of Arizona. And I was inheriting a just phenomenal team. And I remember, I think on my first day, and I know he's here. Owen. Zorge. Owen. I had worked, and we had gone to conferences before, and we had talked about cybersecurity strategy.
Tim Roemer [00:05:34]:
And my first day on the job, we had a conversation that was, we are going to continue to be, like my predecessor said, the most exercised cybersecurity state in the country, because we recognized as a team the importance of not just having a playbook, but practicing those plays so that when it's game day, you perform. So, Joe, you're a basketball coach. You don't just roll out there on game day and say, hey, we're going to do this thing called a pick and roll. I'm sure you practice these types of things. And as you said in a previous podcast, you're a big Oregon football fan and Marcus Mariota. So what makes Oregon's offense great is not just because they can play fast, anybody can play fast, but it's that they execute quickly and they play fast and they catch the defense off guard. The only way that Oregon's able to do that is a lot of preparation. And so, as a former quarterback, I remember when I played high school football here, we had really great success in the playoffs when we got down and we had to move into a two minute offense, and the media wanted to know why we were so good in our two minute offense.
Tim Roemer [00:06:40]:
And I said, because our coaches make us practice two minute o at the end of every single football practice. Every single football practice is a different two minute o, and you move the ball down the field and see if you can score. When it came game time, we had already practiced that we were more successful because we didn't just have the playbook, but we had exercised it. Cybersecurity is no different. Have your playbook, so have your emergency action plan, and practice it regularly and exercise it so that it doesn't just turn into panic and that you and your team will feel prepared to handle that cybersecurity merge.
Joe Toste [00:07:15]:
That's really great. And I know you go around and you have a lot of speaking engagements with different cities throughout Arizona. And going back to sports, there's nothing like asking, and you can do this with your team, but nothing like asking a bunch of high schoolers to go run a play. So I might yellow like a sideline play. I'd be like, kentucky. And then you see kids scramble, and you're like, okay. They don't know the same thing with cybersecurity. You start seeing the moment that you actually ask people to be prepared and go out and run.
Joe Toste [00:07:42]:
You figure out the level of preparation, which a lot of times could be zero or near to zero as you can get. So I love that. Did not know that you were a quarterback in high school. That's great. Any aspirations to play college?
Tim Roemer [00:07:54]:
Yes, I had the aspirations. Took a football scholarship to play at NAU. Red shirted my freshman year, got a lot of concussions, ran the scout team, tried to get bigger. But being a college quarterback is difficult, and I think the more I worked out, the skinnier I got. And so it didn't really work out, and I transferred to ASU, sat out a year of eligibility, and the next thing I knew, I was interning at CIA and never looked back.
Joe Toste [00:08:19]:
I wish I could get as big as you, but my arms don't. I tried doing push ups, but it doesn't work out that way. Nancy, you have a great story. You were on a podcast with the ransomware files, and I forget the exact episode title, but, yeah, I'll link into the show notes. It was really great, but there was a bad actor who had infected a number of devices. But there was one box. The specific story was there was a sheriff in Texas, and I don't know if it was you and Mandy Crawford went out to go investigate this box, and the sheriff took his guns out and shot the box when you had asked for it. Hey, we need to have this computer.
Joe Toste [00:08:54]:
And I think the sheriff said, quote, I took care of it. And then the next question is, well, what does that mean? Means the sheriff took his guns out and blew the box up, which I think is, like, the greatest story and one great way to stop cyber hacks from happening. So, I know you love Texas and guns in Texas, and you don't have your guns right now, but what other initiatives are you looking at to help the great state of Texas?
Nancy Rainosek [00:09:18]:
We have a number. When that ransomware event happened, there were 23 local governments all over Texas, and Texas is very big. And just getting to the panhandle or getting to East Texas, west Texas, south Texas, took time, and we wanted to execute. We wanted to execute quickly. We had a water system that was impacted, and so when we did the hot wash afterwards, we were like, okay, what if it had been 50? What if it had been 100? Could we have handled it and been as successful in responding. So we put forth a number of initiatives. First, a volunteer incident response team. Because we had a number of vendors, the vendor community was just so generous.
Joe Toste [00:10:00]:
In offering their guns. They were generous with their guns.
Nancy Rainosek [00:10:05]:
They're technical folks, but we didn't have a way to bring them in and put them to. So we're standing up a volunteer incident response team. We really want to locate them across the state. And we're also setting up, and I've got funded for additional people on my team, especially during this Russia Ukraine thing, we had a playbook. We practiced it. We were ready. When I got that call that morning in August 1 off, I was like, okay, here goes my. And then it became, no, this is what we prepared for.
Nancy Rainosek [00:10:37]:
This is where the rubber meets the road. And we're going to go do this. We're going to do it. And my favorite quote from Ted Lasso is, when I see impossible, I think I'm possible. And so we're setting up regional socks. We've got a pilot, and fortunately we were funded by the legislature and it was signed by our governor. So we are partnering with Angelo State University for our first regional SoC, and this is going to provide cybersecurity services to the local government entities in that region and educate the students. We're really excited about this, and eventually we'd like to have one at different universities all across Texas.
Nancy Rainosek [00:11:20]:
We just made the announcement last week that we selected Angelo State, and we're really excited about having that capability out in West Texas so that we can move forward and develop the workforce of the future, which is very.
Joe Toste [00:11:34]:
Yeah, that's really great. Not to be confused with ASU, which is Arizona State University here and ASU in Texas. So you jumped around a little bit. So I want to unpack this. So you combining questions that I was going to ask in that moment in August, what did you end up? Maybe there's one or two things that you took away that you learned, right? So you went from, oh, my God, I'm going to get fired to I'm going to lose my favorite job to, okay, hey, we're going to execute quickly. We're going to go make whatever adjustments we need to make and solve this. Is there maybe one or two things that pop out that you took away from that?
Nancy Rainosek [00:12:06]:
The thing that I keep learning is when ransomware hits a local government, it really has a greater impact on the citizens and their ability to do things. And it's things you wouldn't think about, like the ability to do a traffic stop because they're required to record video recordings of every traffic stop, and they get to the point where they can't download the film and their files. So it's just learning everything about local governments and how great of an impact it can have. The other thing is the collaboration and making sure you have good partners. We worked with the military department, the Department of Public Safety, the Division of Emergency Management. We had all the tools in place. And that's a lot of what made us successful was that collaboration.
Joe Toste [00:12:55]:
Yeah, I love that. Tim, I know you're on Twitter all the time, which I love promoting cybersecurity, which is great with local chambers, universities, other programs with a federated model in Arizona, much like Texas. What does the partnership look like with Arizona's department of Homeland Security and the local communities here?
Tim Roemer [00:13:14]:
When I first became the director of the Arizona department of Homeland Security, the biggest challenge was giving us a little bit more of a public facing identity. The department previously really didn't do a lot of interviews, was a little bit more secretive and not in a bad way. It reminds me of the first ten years of my career that I was in the intelligence community. I didn't really exist. And so it wasn't until, as from the first podcast, that the governor's office said, stop telling us to retweet things for you. You can open up your own account on your own. And I thought, oh, no, I'm not going to do that, because once I go down that path, there's no turning back. And there wasn't.
Tim Roemer [00:13:47]:
So I've had to embrace it. But we use it to our advantage, because one of the big things in cybersecurity is spreading awareness and outreach. And Twitter gives us a platform to at least reach more people. And it's so easy to tag a city or put a hashtag in there, and then you know that you can immediately, with the team of one, and I can be our pio and I can send out a tweet, but then, bam, I get to be the spokesman for our department. As you mentioned, I have a communications degree. There's no reason really to hire somebody to do it, use social media to our advantage. And so that was just the biggest challenge, was taking a department that previously never did any of the interviews, the social media, and then showing them the benefits of doing it and how our department could have more reach and more impact across.
Joe Toste [00:14:30]:
And I like what you do as far as going to universities. I just think it provides exposure to kids who are in college of, oh, I'm getting a communications degree, but maybe cybersecurity is something that, you know, look into. I love that piece of it. So, Nancy, we talked offline about the regional security operations center, which you jumped to early. That's okay. So I was know, could you maybe just go a little bit deeper on the regional security operations center? Like why now? And then maybe what you're hoping other future centers would look like, too.
Nancy Rainosek [00:15:04]:
We're really hoping to have outreach to the local governments because a lot of times when we call and we'll get a message from MsISac and says, hey, city of XYZ has an issue. And so we'll try and figure out who to talk to in this city, and the guy will be out mowing the yard around the courthouse or whatever, and that's their it support, or it's the deputy sheriff who happens to know a little bit about it. So he helps. And we really want to be able to provide some good support for our local governments and have the ability to monitor their traffic, have the ability to do some training and do some assessments and help them build good security programs and then also bring the students in. And it was interesting when we had this August incident, a. M. University was there and they brought some of their student interns, and there was one kid that I kept talking to, and eventually I said, hey, when you graduate, look me up. And his mentors were like, you're never going to be able to afford him, Nancy.
Nancy Rainosek [00:16:18]:
And I said, sometimes it's not about the money. It's about the passion for the job and having the ability to really make a difference in the state. And the kid came up to me later and said, can I have your card now? I've not heard from him. I don't know if he's already graduated or what, but I think just showing those students that there's a place that you can go and really make a difference, that's a good thing.
Joe Toste [00:16:43]:
Yeah, no, I love that. Tim, when you meet with kids is one of your hiring tools to say, you can take a photo with me and it can turn into a meme. Do you have.
Tim Roemer [00:16:54]:
No. That's usually a reason for them not to come to work for us. They're like career know right there. I know the whole meme thing. And funny pictures of me came out because when I first came to Adoa and we mentioned this during Doug Lang's podcast, Doug had this phenomenal strategy of, for our department, ADOA asset, and under Jr. Sloan's leadership, to be our CIO, Doug had this strategy where for our employees to get to know us a little bit better as management. We'll do a speaker journey series, and we'll talk about ourselves, and we'll unpack who we are, and it's going to help drive some engagement and have a little bit of fun. And it really did, and it worked.
Tim Roemer [00:17:30]:
And so what I wanted to do was when I show my resume, people immediately think, oh, you've had this type of background, so you're really secretive, you're really uptight. You're going to be really hard to please, I don't want to be around you type of a thing. And I keep thinking, no, I think I'm a pretty fun, laid back person. So what I decided to do was Doug wanted us to talk about not just our successes, because people know your successes when you become their boss, because it's in a press release and your bio looks all real nice. And you know, what they don't put in your press release is your most embarrassing moments of your career. And so Doug had this way to let's have a little bit of a fun and have our employees get to know us. So I shared some of those with the team, and it really did work, and it really helped us have a phenomenal relationship across the entire department. But those are things you don't live down ever again.
Joe Toste [00:18:18]:
Yeah. No, I love that. The company that we named was Levity, media levity, obviously, meaning lightness, easygoing, fun, because I looked at the landscape and I was like, man, these people take themselves way too seriously right now. You need to have a little more fun in your life. So I love the levity that you bring. Popular from CIOs and state CISOs is how do you discuss cybersecurity RoI and investment with the governors and legislative body? What advice do you have to win over their cyber and budget visions that you could provide for other state cisos in large cities and counties?
Tim Roemer [00:18:53]:
You have to make it relatable, especially to elected officials. It's not just your governor's office, but it's your legislature. Cybersecurity is not something that most people understand right now. Worldwide and specifically nationwide, cybersecurity is a heck of a buzword. You can bring it up and you can get a lot of support, the legislature for more cybersecurity funding. And people don't even know what that actually means most of the time. And so you have to find a way to make it relatable, give them that reason why they need to care about it, why they need to fund you. For us, it was about finding a way to highlight the risks and the vulnerabilities within the state, why we needed to remedy that, and how we would actually go forward in doing it.
Tim Roemer [00:19:33]:
And my predecessors had this great plan of using a vendor that put our risk score as a state into a credit score. And it was great because you can go to the governor and you can explain to him, hey, our cybersecurity resiliency is a 600 right now in a credit score. And he can say, that's not good. We need to fix it. And then we can go to every cabinet level agency director, and we can say your specific credit score. So your cyber risk score is 550 or 650 or whatever it is, it made it digestible for them to understand where they had their problems, where they had their weaknesses. We sold why cybersecurity was important. And that would be my best advice to anybody that needs to find a way to drive their cybersecurity policy and priorities is you get to your c suite, even in the private sector.
Tim Roemer [00:20:23]:
How do you get your CEO to pay attention to cybersecurity? Put cybersecurity in a format that they can understand why they need to pay attention and why they need to fund it. Ours just so happened to be a risk score and a credit score, and it really helped us drive home the case of why we needed to pay more attention to it.
Joe Toste [00:20:40]:
Yeah, and when you mentioned that on the first podcast, I have not stopped remembering that. Whenever I talk with other folks, I'm like, I wonder what their credit score is, trying to figure it out and just ask them. And I think this is a great relatable model to be able to, because it'd be people like me. Cybersecurity buzzword, so complex, too much. And then you're like, that's 575 right now. And you're like, oh, that's terrible. We need to give you money just.
Tim Roemer [00:21:08]:
Like your credit score. It can be good one day and really bad the next day. So just like cybersecurity, it takes continuous improvement, it takes consistency. You can have a really good credit score, and you could be the victim of identity theft today, or your spouse could go out and purchase a brand new vehicle. Any number of things could happen, and that's going to go down. You could have one employee make one mistake. You could not patch a really critical vulnerability. Your credit score could be 801 day and 600.
Joe Toste [00:21:36]:
Nancy, how are you seeing this in Texas right now with the governor and the legislative body? How do you make them buy in?
Nancy Rainosek [00:21:41]:
We do maturity ratings for every state agency and university, and we have a cybersecurity framework. It's modeled after NIST, but we measure every two years and we do a report to the legislature and show where improvement is happening over time. And I think getting credibility that way is important. We're very fortunate we have the backing of the legislature and our governor in terms of improving cyber in the state. And those relationships have been built over time, and so it's working for us.
Joe Toste [00:22:16]:
I love that. Now, I know we're coming up and we'll get questions in a minute, but I wanted to end with positive reinforcement going back to when Jer and I were talking about leadership and team getting that positive reinforcement. So your team buys in. And the podcast we had, I loved because we were talking about not only the memes, but you were passing out swedish fish candy and even trying to find some chocolate bitcoins. So all this really great stuff. And even you would get folks to click on spam emails, which are really great. So I was curious, what advice would you give to Nancy about positive reinforcement that you've learned with your team in.
Tim Roemer [00:22:51]:
Arizona that you can't just do it once? Obviously, Texas is such a large state that things that we're able to do on a smaller level. I think the challenges for somebody like in Texas is the massive amount of employees they have, their human firewall and trying to continue to make cybersecurity relatable for all of their employees and make sure that Nancy's department has a pulse in a connection to all those state employees that, yeah, we've done some fun things, but you've got to continue to move it forward. And I'm happy to say that finally, the chocolate covered bitcoins, like the chocolate covered gold coins, to say thank you to some state employees and some state organizations that have done a good job on cybersecurity. We finally have that calendared in just in time before it gets really hot because we were really nervous that they were going to melt in Arizona, which wasn't my smartest idea when I originally came up with it, but we had talked about, my team came up with this great idea of the swedish fish and the goldfish as positive reinforcement for finding phishing emails. And then we were at one of our state agencies. We were at the Department of Revenue, which our deputy director and deputy CISO, Ryan Murray, now for our department of Homeland Security, he was at revenue at the time. And we came up with the idea of the thanks for saving the state of Arizona, bitcoin. So we're going to finally do that with one of our largest state agencies.
Tim Roemer [00:24:03]:
We're excited about that. Little positive reinforcement, little outreach. But just. It needs to be constant. It can't just be once a year. And we need to do a better job of it as well to make it relatable and communicate it to all the employees.
Joe Toste [00:24:16]:
Yeah, no, that's really great. I actually tried to buy some chocolate bitcoins for you all here. They're just sold out. I don't know what to say. It's just. They're impossible. Yeah. You bought them all? Yeah.
Joe Toste [00:24:27]:
I think when you make it relatable, there's all these cybersecurity training, and they can be so boring and dry. So if you can get some humor in there, make people laugh, they're going to remember you and they're going to remember the training. So now, Nancy, I'm curious. I know no one's taken memes of you, because that would be crazy. But what advice would you give to Tim and to Arizona from what you've learned in Texas?
Nancy Rainosek [00:24:52]:
We've done some gamification, escape rooms, the election officers, we came up with a game where they had to look at pictures of an office and tell what's wrong with it. And it might be an open file cabinet or a sticky on a computer, but really trying to do something, because I know so many people, they have to do their annual training and they turn it on and surf the Internet or attend a meeting. And so trying to find something that's really going to catch their eye and be different is something that it works. The other thing we do is we offer training to the security officers at the other agencies and their staff for certification, and we pay for their certification testing. That's one way that they can develop their careers and move ahead. That's one thing I'm really into, is developing my people and trying to develop the other people. We've also expanded it to be like, secure coding, trading, and for the developers across the state. And I was amazed at the number of people that we use that budget every year, and I was really amazed at how much that was used in Texas.
Nancy Rainosek [00:26:07]:
So I think it's just offering services, looking at them as your customer, be it your staff or another agency, and just trying to push things forward.
Joe Toste [00:26:17]:
Love it. We'll take some questions from the audience. I know some folks. Yeah, Steve, I'm curious.
Steve Bell, SentinelOne [00:26:22]:
Cyber insurance is out of control right now with everything going on. There's so many hits going on. I love that both states represented here are putting a lot into the local government as well, which is where that training is needed. I'm curious, do you guys have programs, or are you looking at cyber insurance right now from a standpoint of it is not being, do I even need it? Do I move on and use that money somewhere else? Are you guys looking at that as far as the opportunities as education to help out not only at the state level, but at a local level?
Tim Roemer [00:26:53]:
Yeah, we are. I'll give the Arizona perspective and Nancy can give the Texas perspective because I'm interested to hear from Nancy on this. It's more of the latter part of your question, and that is, regarding cyber risk insurance, I think an ounce of prevention is worth a pound of cure, and cyber risk insurance has become so unbelievably expensive and difficult to purchase through so many variety of different challenges that I basically told our team, I said, look, I'm a big supporter of having the insurance. We do need it. But at the end of the day, I would rather have a fraction of that money that you give me right now to proactively go prevent the emergency. So I don't need the insurance funding. It's like your car, for example. Everybody needs car insurance.
Tim Roemer [00:27:34]:
You have to have it. That's fine. But if you only save up for your insurance and you don't do any preventative maintenance, you're really going to need that insurance. No air in the tires, no checking the battery, no oil changes. Well, guess what? You're going to need that car insurance. When you break down on what we've said is we want to put resources on the front end to proactively prevent against the emergency. Because at the rate of cyber risk insurance rising so much, we're trying to partner more, we're trying to purchase more of it. But at the same time, if that was our number one strategy was just on the insurance side, boy, we'd need a lot more money and we'd be using it.
Tim Roemer [00:28:11]:
I would rather have the money on the preventative side, but that's my opinion. I'd love to hear from Nancy on Texas and see if they've had more.
Nancy Rainosek [00:28:19]:
Success on the insurance side being federated. It's each agency for themselves, and they make those decisions. We haven't purchased it. At my agency, a number have, and there was a really large agency that got hit with ransomware, and they use their cyber insurance for that recovery. But that's the only time I've seen it used at a state agent. The counties and the cities and the school districts get it through their associations. So the Texas association of Counties, Texas Municipal League, Texas association of school boards. I'm amazed that they have these policies that are paying, and some have paid the ransom when they've got it with ransomware.
Nancy Rainosek [00:29:02]:
We don't believe in that. Again, we believe that you're better off spending your money fixing it rather than paying a criminal to restore your data. So that's the approach we've taken in Texas.
Tim Roemer [00:29:15]:
Yeah. And Nancy and I are fortunate to both be state cisos. So when the CISA funding is coming out through Congress from the infrastructure bill, they've come to NasIO and they've asked for our input as security professionals on what we think the funding should be spended on and what we think the funding shouldn't be spended on. And correct me if I'm wrong, Nancy, but we are pretty adamant as a group of cisos that the funding should not be allowed to be spent on the insurance side, because if you spend it on the insurance side, that's going to take up all the funding for your local government. They're barely going to get anything in return. And again, they're really going to need the insurance because they didn't do anything to prevent the cyber emergency from happening in the first place. So Nancy and I are fortunate to be part of Nasio and to be part of that conversation. And I applaud CISA for going to Nasio and asking for our input on this, and we look forward to hopefully putting that funding to good use later this year.
Joe Toste [00:30:05]:
I know there's some other questions out there, Nancy.
Tim Roemer [00:30:07]:
How have you seen adoption of the.
Joe Toste [00:30:09]:
Regional soft being felt in those regions.
Tim Roemer [00:30:12]:
Or in the other municipalities? They embracing it or are they hesitant?
Nancy Rainosek [00:30:16]:
We asked these universities to bring us proposals and we received some really good responses where they actually went out to the local governments in their areas and got letters and showed us where they got the buy in for joining that initiative. It's the first one. It hasn't been stood up yet. We just named it last week. But I'm really excited that we've got these partnerships with universities that are away from Austin that are actually trying to engage these local governments and they're bringing it forward in their proposals.
Joe Toste [00:30:53]:
Great. Nancy Tin, thank you for coming on tech tables. Appreciate it.
Nancy Rainosek [00:30:56]:
Thank you.
Chief Security Officer for GMI. Former Arizona Director of Homeland Security & State CISO
After 18 years of government service, I joined the private sector to focus on providing solutions to the government to better protect our society from physical and cyber threats.
I’m currently the Chief Security Officer at GMI in Scottsdale, AZ. I’m also an advisor to NightDragon, and a member of Dataminr’s advisory board.
Previously in my career I served ten years at CIA, including two years assigned to the White House Situation Room where I provided national security updates to the President, Vice President, and National Security Council.
After ten years at CIA, I returned to my home state of Arizona to work for Governor Ducey. I was appointed by Governor Ducey and unanimously approved by the Arizona Senate to be the Director of Homeland Security and was the only person in the country to run a Department of Homeland Security and at the same time be the Chief Information Security Officer. My responsibilities included cybersecurity, border security, and counterterrorism. I co-chaired the Arizona-Mexico Commission’s Security Committee, as well as being on the Arizona Human Trafficking Council.
Chief Information Security Officer for the State of Texas at the Department of Information Resources
Nancy Rainosek is the Chief Information Security Officer for the State of Texas at the Department of Information Resources. She has over 40 years of IT experience in Texas state government and private sector consulting. Prior to joining DIR, she served as the deputy Chief Information Security Officer and the Enterprise Security Operations Manager for the Texas Health and Human Services Commission. She was an IT Audit Manager and Information Resource Manager at the Texas State Auditor’s Office.
Nancy has a Bachelor of Business Administration with a concentration in Management Information Systems from Texas State University.