Ep.140 Lessons in Emergency Management and Enterprise Cybersecurity: Insights from Hurricane Ian with Jamie Grant, CIO, State of Florida & Jeremy Rodgers, CISO, State of Florida

Jamie Grant, CIO, State of Florida [00:00:00]:
Sa.

Joe Toste [00:00:40]:
So today we have Jamie Grant, CIO for the state of Florida, and Jeremy Rogers, CISO for the state of Florida. Jamie and Jeremy, welcome to the public sector show by techtables.

Jamie Grant, CIO, State of Florida [00:00:49]:
Thanks for having us, bud.

Jeremy Rodgers, CISO, State of Florida [00:00:50]:
Thanks.

Joe Toste [00:00:51]:
I love this. This is a long time coming. I'm super excited. And today's podcast episode is sponsored by Sentinel one. Sentinel one redefines cybersecurity by pushing the boundaries of autonomous technology with the singularity XDR platform. Sentinel one is the leader in endpoint protection and beyond. Simply put, they stopped the bad guys. And big shout out to Sentinel one for being the diamond sponsor today.

Joe Toste [00:01:10]:
Really appreciate the support of a small entrepreneur. Jamie, let's kick off now a quick word from one of our brand partners. Nagarro is a leading provider of digital government services, partnering with state, local and federal clients on some of their most strategic technology projects. Nagarro offers expertise in digital services, legacy modernization, case management, data and AI service desks, cybersecurity and more. Check out nagaro.com. That's nagarro.com. I love this quote that you had at Nasio where you said, we're a startup within government. We didn't inherit a program that's won a few championships.

Joe Toste [00:01:47]:
We inherited a program that's never won a football game. I can't leave till that changes. I love all the sports analogies, by the way, if you ever just Google Jamie Grant and you just get into football championships, and I don't want the folks in the audience to miss this quote or gloss over it like football programs or basketball programs or government. When folks don't know what it's like to win championships or football games, it's hard to know what winning looks like or what standards to set. One of my earliest podcasts actually was with this guy, Gary Brantley, who we tried to get here. He's a friend. He was my first public sector podcast. He was the CIO for the city of Atlanta.

Joe Toste [00:02:24]:
He's now the CIO for the NFL. And we were trying to get him here and the schedules didn't work out. But we talked about this too. The city of Atlanta had a massive cyber attack a few years ago and he came in and had to not just get the cybersecurity piece right, but he had to get the culture right, the team right. And you don't do that. It's hard to do that if you don't know what winning looks like or what standards to set. And we're going to cover the hurricane Ian and the digital response from that, which is actually fantastic. And we're also going to cover the $30 million cybersecurity grant program from the state of Florida.

Joe Toste [00:02:57]:
But I think it's important to dive into government as a startup mindset. So, Jamie, talk about setting the standard, raising the standard and being the standard across digital services in the state of.

Jamie Grant, CIO, State of Florida [00:03:10]:
I mean, I think you kind of touched on it, right? Like if you don't have the people and the culture right, nothing else matters. I've been fortunate to be in some locker rooms with some really talented players, and we've got a little sports team going today. I guess march madness going on. But the example I would give you is the three Auburn Tigers football. A lot of people talk about the four team with four first round draft picks, a couple of other tenure NFL guys. The three team was much more talented. It was tragically poorly coached at a coordinator level. And you watched a team that should have been winning championships struggle through just conference play.

Jamie Grant, CIO, State of Florida [00:03:43]:
And the only thing that really changed from three to four was leadership and buy in. And I'll give that as an example just because we're kind of here in the way you set the stage. But like step one in any organization is getting folks inside the locker room that have kind of historically lost. Florida has four times before the digital service created an office to do state technology only for the legislature or the governor to first get and then ultimately agree. So frustrated to abolish it. Right? So the old Reagan quote about nothing as permanent as a temporary government program. Florida has defied that a few times with state technology. And so we kind of cherish that a little bit as a team to know, know nobody's ever been able to do it.

Jamie Grant, CIO, State of Florida [00:04:21]:
But step one, before you can go out there and start accepting trophies, is just get in your own locker room and get folks to believe that they can win a single game. And when they start to see a little bit of success, they start to buy into a playbook, they start to buy into a culture. You're obviously going to have adversity. You're going to have losses, right. So you don't go from a perennial loser to winning championships in an instance. Right. You go from winning zero games to winning two or three games. That's still losing a lot of football games.

Jamie Grant, CIO, State of Florida [00:04:47]:
But letting folks understand that there is a plan and that you're going to ride with them through all of it. And so I think if you're willing to do that and you get the people right, the technology is actually very easy. Our challenges on the cybersecurity front or modernization front are not problems of can technology solve it? It's can we get people to buy in, can we get the moat dragons out of the way? And can we encourage and incentivize the good behavior and discourage the bad behavior? Moat Dragons is a term I've used for maybe a decade now. But like, if there's a castle full of success, there are certain people that just circle in the moat trying to make sure nobody gets to success. And they exist in every industry, they exist in every ecosystem. And so finding them and figuring out how to navigate past them to say, okay, let's get onto the mission of what the mission is. But I think whether it's coaching football, whether it's coaching basketball, or whether it's building enterprise cybersecurity, the recipe is the exact same. It starts with talent and buy in.

Jamie Grant, CIO, State of Florida [00:05:44]:
But one of the things that we say, and it's like you can take folks out of the athletic world or the coaching world, but you can't take that out of them. Reliability is the most important ability. We've had some really talented people that might have had abilities off the charts in certain capacities, but they just couldn't be reliable. And at the end of the day, you find people that are bought in and reliable and you can build with that. Anything you're trying to build.

Joe Toste [00:06:07]:
Yeah, no, I love that. And as a quick side note for I think we probably more folks listen to the podcast than they watch it. But so if you're listening to this, the sports team, if you're wondering, you might want to hop over to the video because they're wearing jerseys, right? So they're wearing the college jerseys that we got. We originally actually were going to hang the jerseys, but last night at dinner, Jamie really wanted to wear the Auburn jersey.

Jamie Grant, CIO, State of Florida [00:06:28]:
That's not quite how that went, but I'll let you roll with that.

Joe Toste [00:06:31]:
Yeah, in my podcast head, that's how this is my secret play, to get them to wear the jerseys. Yeah, the Moat dragon. Okay, so I love this. So I was listening to several while prepping for this, and the first time I heard it when I was listening to, because you've been doing the roadshow with the lieutenant governor and several folks. And the first time I heard a moat dragon, I was like, what is a moat dragon? And then I started using this. And so anytime recently an organization would say something to me where basically I'm like, they're killing themselves. I'm like off the phone, I'll be like, what? A moat dragon. Now some of you are like, did that guy go on.

Joe Toste [00:07:05]:
Me a moat dragon? Probably I did. Yeah.

Jamie Grant, CIO, State of Florida [00:07:07]:
If you're looking in the mirror wondering if you're the Moat dragon, you need to look in the mirror harder because you might be the Moat dragon.

Joe Toste [00:07:12]:
Yeah. And I think that's an important self assessment. We have the luxury, it's just me and my wife, so we can move really fast, which is for us a great blessing because there are other teams where it just takes an entire board to sit down and figure out, hey, who are you going to podcast? And I'm like, hey, Laura, you want to come on? She's like, yeah, that's how it happens. Love the sports theme. Love the Moat dragon. Last thing on the reliability I think is really great. You learn this with coaching, but you really play at least a basketball. So for those of you not familiar with basketball, so five people start and play on the court at the same time.

Joe Toste [00:07:46]:
For those, you're not sports fans. And reliability is huge because when the game is close, coaches only play those who they actually trust. And the kids really struggle especially. So I was the head JB coach, and you get typically a lot of all the best incoming freshmen come to JV and then those leave and go to varsity. And something that you kind of learn as a coach is like, who is the most consistent? And if someone shows up and puts up, we've had kids coach. I put up 25 points this night and I'm like, yeah, but the rest of the season you have seven turnovers each game. You got to sit. And they're like, no, coach, why? But it's a learning lesson of like, hey, we need to develop you.

Joe Toste [00:08:26]:
We need to get you better. We need you to have, you need to become more consistent. And those are the players you want on your team. So, Jeremy, I want to transition to you. There was a great book. I actually found this book off of your LinkedIn, bought it, and Jeremy's like, I don't even know if I read the questions. What is he talking about right now? So there's a leadership book from your friend and mentor and Navy shipmate Sean heritage titled connecting the dots, deliberate observations and leadership musings about everyday life. In the book, I did read the book, too.

Joe Toste [00:08:55]:
So in the book it says, dots signify two things. First, they represent milestones large and small, happy and sad we enjoy throughout the journey of life. They additionally symbolize disparate pieces of data that by themselves mean far less than they do in the aggregate. This forum is all about celebrating the lessons of life, enjoying the journey, and making sense of things along the way, our quality of life and value we deliver have everything to do with our ability to deliberately connect the dots. I love the analogy of connecting the dots a lot. One of my favorite sections, I already use his word musings, was, it's the network stupid. So if you remember that chapter, which is pretty funny, and the reason why I thought that was really funny for me is people ask me all the time, hey, why has techtables grown the way it has? And I was like, I didn't say it's the network, stupid, but I'm like, it's the people. It's the relationships.

Joe Toste [00:09:43]:
It's nothing to do with me. And guess what? As a leader, it's nothing to do with you. It's your team that will drive the mission forward, and that's the most critical piece. But I was super curious for you. What was your favorite chapter or what spoke to you about connecting the dots? And how are you taking that with your current role right now?

Jeremy Rodgers, CISO, State of Florida [00:10:02]:
Yeah, so Sean's a good shipmate, a good mentor of mine from the navy side of the house when I came in and really just taught me a lot. And now he's doing some great work over at Mitre. I think one of the big takeaways on that, and Jamie touched on this as well, is in some of our previous conversations, even this morning, is if you don't get the people right, if you don't get the community right, if you don't get the players right, and the mindset right, the technology actually doesn't matter to some extent. So when Jamie brought me on to run cybersecurity, a big part of making sure we're going in the right direction is building those relationships. So if you look at the state of Florida, we've got a federated system of 30 something agencies. Each have their own CIO, and they're named security leader. Sometimes that security leader may be technical, sometimes they may not be getting us rowing in the same direction, getting the network working together, getting us sharing information, sharing intelligence, versus having 37 separate silos. So breaking down those barriers and just getting us in the same mindset, I think, is a big lesson from that.

Jeremy Rodgers, CISO, State of Florida [00:11:11]:
And it's been exciting, right? It's not perfect. We're still building it, but just getting face to face, where if you don't know somebody's name and you don't have that relationship when times are easy, it's going to be really tough when you're maybe dealing with a security incident together or when you have a strong disagreement on where technology should go. So building out that people network so you can work together and information can flow freely is really the first part of that. And I feel like where we were a year ago and building that with the state is probably about where I think we're actually in better shape with the locals now. So as we're kind of partnering across the cities and the counties and stuff, we're looking to grow that network now.

Joe Toste [00:11:52]:
Yeah, we've got. Later this morning, we're going to have Ramundo for those who are watching, is in the audience. And Tamika, come on from the city. And actually, I'm going to read. I don't even know if I told you, but it's. I hope it's okay. There was an email you sent me about the hurricane relief and your insights and response that I'm going to read and that I thought was super powerful from the city perspective with the state coming in and a lot of the digital. So I texted that to you, but I don't know if you saw that.

Jamie Grant, CIO, State of Florida [00:12:16]:
I didn't.

Joe Toste [00:12:16]:
Yeah, it's okay. I'll read it. I'll read it.

Jamie Grant, CIO, State of Florida [00:12:18]:
I'm not big on prep or script.

Joe Toste [00:12:21]:
I got you, Romundo. Don't worry. Okay. So, Jamie, our original live podcast tour stop was supposed to be in Tallahassee, which, from what I hear, I might have to come up to Tallahassee. Laura's like, yeah, can you come up to Tallahassee, please? However, due to Hurricane Ian in late September last year, we postponed the event so the state of Florida could serve its residents with its all hands on deck at the emergency operations center. And Governor DeSantis set the tone for a successful emergency response. It was really a great case study on cutting government red tape to help Floridians when they needed it most. And, Jamie, you're quoted as saying that the state's response to Hurricane Ian was the first response that we've ever had that's had a truly digital component.

Joe Toste [00:13:03]:
Can you talk about some of those digital success stories, from Starlink to missing persons to helping first responders avoid life threatening situations through data sharing and more.

Jamie Grant, CIO, State of Florida [00:13:12]:
Yeah. So I think one of the things that my granddad used to say, never known, but he'd say to my dad, and it's the six p's, we'll say five p's for a public audience, but planning prevents poor performance. Right. And so one of the things we've stressed to the agency community is have your binder ready to go. Right? Like, have what you need so that when a state of emergency shows up and all of the handcuffs of government go away and the speed limits of bureaucracy are removed. You can actually go. And so interestingly enough, we had asked for a CRM through the normal budgetary process of going to a staff analyst and saying, here's a budget request for a CRM. And they're like, why do you need a CRM? You have outlook.

Joe Toste [00:13:55]:
That's a great CRM, by the way, outlook, right?

Jamie Grant, CIO, State of Florida [00:13:57]:
I showed up and that was one of the major horror stories for me in 100 and something billion dollar enterprise to find out that the CRM was an email with either a deck, a spreadsheet or workbook or a word doc just circulated. And that was how we did some level of business. And it was like, man, this is a bigger lift than I thought it was. And I thought it was a pretty big lift when I said yes. And so we had asked for a CRM and the legislative analysts, the moat dragons, said, no, you don't need one. You have outlook. We're like, all right, we'll make it work. And then Ian showed up and we had our binder.

Jamie Grant, CIO, State of Florida [00:14:32]:
And so for the first time in state history, we were able to establish a CRM to truly serve the enterprise. So we set the record as we've been told. So somebody's going to have to prove us wrong. It's the only thing I asked for Servicenow to confirm for us coming out of it. But we've been told we were the fastest servicenow instance stand up in the history of the company, public or private, which we took a lot of pride in. It also takes a team like whether it was Jeremy Chandra, Adam Taylor, a number of folks in a war room going 20 hours a day for a while there, it's the only way you can get it done. But we stood up servicenow that first night. Big shout out to our partners at DEO, the Department of Economic opportunity, because when we didn't have a CRM and had to engage, they were actually going to give us their instance and we were trying to figure out how we could make that work for 24 hours and then go.

Jamie Grant, CIO, State of Florida [00:15:16]:
But we stood up the serviceNow instance, we immediately stood up missing fl Gov, where people could report themselves as needing help or family members could report people missing. We ingested what we didn't know existed of, I think like 48,000 something households deduplicated down to 20,660 households that had been offered a portal to, say, shelter in place. And when you think about digital service or government customers have a certain expectation when you give them the ability to fill out something. And if you're a Floridian in the impacted theater and you get a shelter in place survey, I think the most likely implication is tell us where you are so we can come get you. There were no plans to come get us if you were those people. We had been very clearly saying the administration get out of harm's way, right? And so we had to dedup all those records where we actually got engaged. And this is just kind of, I think, a little bit of an interesting behind the scenes look, but also like understanding how to take seize opportunity. The urban search and rescue, like the most critical cases, handled their ticketing system with a single email address.

Jamie Grant, CIO, State of Florida [00:16:24]:
Right, just as a ticketing system. Well, the storm took out most of the 911 infrastructure and the coast guard could only route cases to one email address. Not a big movie guy. We joke with Secretary Linda at DMS, he's got a movie. I swear to God, he's seen every movie because he says something like this in that movie. I'm like, you're going to have to break that one down for me. But it's like Bruce almighty when the emails are coming in. That's like, hey, we need help.

Jamie Grant, CIO, State of Florida [00:16:48]:
And so they called us and that's where step one, stop the triage of the email. Step two, stand up the CRM. Step three, anybody want to deploy network? Because we had been working with elections to figure out like doomsday election scenarios, we were pretty far down the path with SpaceX on a Starlink deployment to each county so that if their local networks where they did tabulation and or reporting went down, we could give them their own satellite network. We were far enough down the path on that that we could deploy. So that's way too many words to give you the conclusion of what we did. But the high level is we ingested 20,660 households of what I would say, less than clean data. We used the snowflake instance that we'd been using for data catalog stuff and kind of said, hey, put pause on that, come over here and let's clean this up. Let's figure out how to get that back into the servicenow instance to start resolving claims every way we or cases everywhere we could.

Jamie Grant, CIO, State of Florida [00:17:41]:
So if somebody submitted on missing fl.com. Fl gov. Sorry, I'm already private sector mentality sometimes. Gov, so missing Fl gov, they should also be able to come to safe fl Gov, right? Deployed AI contact center capabilities that we had used during the pandemic to go land and sell press one reply, are you good? Do you need help? Right, start resolving those most critical cases. Start deploying Starlink. So I think 48 hours after impact, we had our 1st 30 terminals. 56 hours after impact, we had them deployed in southwest Florida. The next day, I think we had a plane coming from California.

Jamie Grant, CIO, State of Florida [00:18:17]:
And uniquely, this wasn't a plane full of people fleeing for economic opportunities and freedoms. It was people packing starlinks on a plane to come support Floridians. So the first about 300 terminals showed up. We now have the largest Starlink fleet outside of Ukraine. It was the first ever Starlink deployment in history that was for a natural disaster and then ultimately kind of culminating. When you think about the full ecosystem of, we stress kind of the CRM being a utility that people can build on, but the full lifecycle, within ten days, we had ingested about 100 and something thousand waypoints that people had tagged, right? So search and rescue goes and touches a car or they touch a house and they tag that waypoint, because government, they tag a waypoint in a system that gives you a latitude and a longitude that's a little different than an address. And we weren't going to ask people on missing fl Gov to give us their latitude and longitude. And so our data team and a group converted those and we were able to map at a household level, I think, within ten days of impact, where there was a missing record and somebody hadn't been touched.

Jamie Grant, CIO, State of Florida [00:19:21]:
Right. So to give intel to the front lines. And then the last thing I'd say on that front was like, the ability. Actually, I'll say two things, because one's maybe a good place to land, the ability to give the Department of Transportation and Urban search and rescue network capabilities in the field beyond sat phones. And you start thinking about how you open bridges and you start thinking about how you do things forward facing when you can actually access the Internet or access the applications you operate in, rather than just a sat phone from the front lines. And so there was some really cool stuff that came out of that. And I'll close by saying, one of the challenges, if you're in the CXO seat, whether it's a CIO, a CISO, a CTO, a CDO, or any other Alphabet soup, is like, you have to play the conflict of accessibility and security. And, you know, there's not a scenario where you can walk in and brief the governor and go, governor, I'd love to give you satellite Wifi.

Jamie Grant, CIO, State of Florida [00:20:13]:
It's just not secure following a hurricane. And so we deployed Starlink, and then our team and Jeremy very quickly started figuring out, okay, you've just opened up access to the Internet everywhere for people to show up. And so within ten days, we were actually routing that traffic through a zero trust framework. And so we were actually able to secure it, right, within ten days. And then our network team, given some permissions to play around, has a pelican box with an antenna, a cradle point, and a SEM that we can deploy now because as they've quickly kind of learned, the new baseline is the expectation. So well done, but what are you going to do next? And so we like to make some first. At the Florida digital service, the hurricane was an opportunity for us to do, I think, five years of innovation and transformation in about 45 days. But I'll go back to where we started.

Jamie Grant, CIO, State of Florida [00:20:59]:
I got the call about 930 that night that the infrastructure broke. And there was about three or four phone calls I made to Jeremy and Adam and Chandra and said, look, guys, I'm getting in the war room. Anybody want to go? And we went 20 hours a day for, I don't know, a month or whatever it was. You don't have a lot of people inside government that are used to having to do the things to generate the revenue to keep the company alive. These folks didn't necessarily, the mission was the motivation. But if you don't have those people at the time of crisis, it doesn't matter what's in your binder. So I could design the response all day long in my sleep pretty easily. You can't design for having the right talent bought in, willing to play together in that moment.

Jamie Grant, CIO, State of Florida [00:21:39]:
So, yeah, it's cool. We bought a bunch of stuff and did some really cool stuff. I think more fun was to get to see people experience things they've never experienced before under timelines and pressures that they've never experienced before, only because they believe in the mission and what we're here to do. So it was a pretty cool experience for our team.

Joe Toste [00:21:55]:
No, thank you. That was fantastic. Jeremy, I want to continue on the kind of the bad actors. So, hey, we deploy Starlink, but now there's potentially this other cyber front that we have to take care of. Could you maybe just talk about that part of the experience?

Jeremy Rodgers, CISO, State of Florida [00:22:13]:
Yeah, absolutely. Jamie's probably remember, I think you said you got the call at 930. I got a text probably 20 minutes later and it wasn't, hey, I need you in. It's, hey, if you want to come in, I think we've got some exciting stuff coming up. And when you think of government work, you don't think of work in 20 hours, days, and you don't think about your team stepping up to work there with you. And I would say it was a grueling month and some follow up stuff, but it was also probably some of the work that I'm most proud of, that we got to do together, and my team's most proud of. And when you talk about the Starlink deployment, and it's really our security team that worked to overlay the product's great. You're giving Internet access in a spot where towers are down and cables are down, but for the first time, you have these search and rescue teams, the fire teams and the firefighter teams and the police that kind of come together and create these search and rescue teams from all across the country that come together to help all across the state and all across the country.

Jeremy Rodgers, CISO, State of Florida [00:23:08]:
And they're like, wow, they're able to have c two command and control to go. And, hey, where are these missing points? Where do we need to be in minutes, hours instead of days and weeks? Where lives matter. So to be able to provide that and get those folks up and running and those operators and not just them, but also the deo economic recovery, and the dot stuff, to have people be able to get their lives and businesses back up in order in again hours, and that's the expectation that Governor Santos put on us. So saying no and not being able to deliver was not an option to be enabled with that. And much like when Jamie asked me, like, hey, do you want to come in this? Absolutely. And it wasn't always fun, but it was exciting. And I remember it was Jason Burtock, Josh on my team. This was probably 10 hours later when I was talking to him, because we knew we're standing up kind of the hired contractor team, but that takes a little bit longer than the folks that you have on your immediate team.

Jeremy Rodgers, CISO, State of Florida [00:24:02]:
Going back to the people side of it, I remember Jimmy was talking to me. I'm like, you want me to gather a team together? He's like, yeah, I think that's the only way we get this thing done. And when I was talking to Jason, my team, within a minute or two, he's like, you're asking me to go down to the emergency site, aren't you? And he had a glimmer in his eye and a little smile. So within less than a day, we have state employees just heading down there to set this up and do some cool stuff. But to bring it back to the SpaceX Starlink product in a day, it's to get Internet out there. But how does the state put our security apparatus on top of that? How do we monitor where it's going, especially when it comes to state it government? So we've got this really cool, innovative solution. And when you think government or state government innovation probably isn't the first thing that a lot of people think about when you have state innovation. But when you look at what the Florida digital services, dunning and our security team, they're now talking to us and saying, wow, this is awesome.

Jeremy Rodgers, CISO, State of Florida [00:24:54]:
We haven't seen someone kind of bring this box together with the, know, the hardware and the software and the applications and the cloud security and kind of the great infrastructure environment in a way that we can monitor it, know what's going on, block what we need, know a governor is looking to block some foreign activity and stuff. So how do you do that? How do you make sure you're blocking the foreign actors? And it needs to be tailorable. So that's the solution that our governor, our CIO set, and we're doing some pretty cool stuff, I think, at the state.

Joe Toste [00:25:25]:
Yeah. If you listen to any of the interviews, a common theme that I've heard is like, Governor DeSantis is like, hey, I expect excellence. Which if you go to the techtables.com website, you will know that's actually one of the things we value. Right? So tech tables is all about creativity, excellence, and darn good conversations. And there's a reason why we actually value that. It's kind of a rare trait. People don't demand excellence. Now, excellence isn't perfection.

Joe Toste [00:25:52]:
Don't get those two confused. But nothing's perfect. But you want to strive for excellence. And I think I really like that. And then being accountable, hey, are you going to get these results? And I was going all the way back to when I think it was when the governor was, there was some article where it was like, you were just coming on as state CIO, and then maybe if you just 30,000 foot overview, just kind of that conversation of like, hey, he's charging you with becoming state CIO and you're getting ready to take that task on. Could you just maybe talk about kind of the mindset of like, hey, this failed four times before, and now I need you to go execute.

Jamie Grant, CIO, State of Florida [00:26:35]:
The cliff notes. I was pissed as a legislator, right, because it's an area I cared about. Spent my, I mean, I practiced law for a year and a half before I saw the suicide rates and was like, I'm out of here. And so spent my life and my livelihood in the tech space. And so I would get really frustrated. It kind of culminated, I think, my boiling point. There's something called a claim bill, and it's a way for the legislature to sue itself, right? So sovereign immunity exists. If you're going to get hit by a truck, you want to get hit by a FedEx truck, not a dot truck.

Jamie Grant, CIO, State of Florida [00:27:07]:
FedEx doesn't have sovereign immunity, right. So some cases are so bad that government says, hey, we'll sue ourselves. We'll waive sovereign immunity to pay more money than the $300,000 cap, or whatever it may be. And in a couple of different situations, a foster child and a sexual predator had been put in the same household. And it happened because two different agencies controlled two different lists. One would control the list of foster parent applications or placements. The other would keep sex offenders. And in at least one situation that came before my committee, an API call that we could have written in a week would have said, one, two, three, main street, red flag, no chance.

Jamie Grant, CIO, State of Florida [00:27:48]:
And a foster parent applicant had a clean record, but she had a live in boyfriend that was a sex predator. And because we couldn't do a rudimentary API call as a state, the worst of the worst happened. And so I kind of hit my boiling point then. And so I started writing policies, kind of like a chairman of a board, pissed off, ready to kick a CEO out of the chair. And it was like, the state CIO will do this and this. And then the administration came to me. We were like, we want you to take that job. I was like, I want to rewrite that job.

Jamie Grant, CIO, State of Florida [00:28:15]:
And so, candidly, Joe, like they first asked, my first answer was, hell no. And they said, why? And I said, because the job sucks and the pay sucks. Like, you can fix one of the two, and I don't really care about the pay, but fix it. And then we can have a conversation. And there's still a long way to go to structure it for success for generations to come, to deliver on what it should deliver on. But ultimately, I looked at it, and there was a little bit of two things at play. One, anybody who knows me well knows that if you dare me, you're going to get me to yes. And so I absolutely love being told it's not possible.

Jamie Grant, CIO, State of Florida [00:28:45]:
It's never been done, and it can't be done. I think some folks during the hurricane, if they were honest and I wasn't in the room, saw, like, sideline version of me a couple of times. And there were some people scared to walk in that war room because we were just focused on, like, we got to get to tomorrow. And if you're bringing me something that doesn't get us to the next 4 hours, then get out and you can come in here when. And so I think they saw a little side of me that probably my mom, Beverly, that she is probably wouldn't be proud of at times. But I love being told it can't be done. You can call me a failure, but you'll never call me a quitter. And so I think that was part of it.

Jamie Grant, CIO, State of Florida [00:29:18]:
And then two was the excitement. And Jeremy and I have talked about it in recruiting. Like it's a blank canvas. There's no other place in the world that I can think of that's $115,000,000,000 enterprise that's never built out. Enterprise data, enterprise governance, enterprise security. So it's kind of like being JPMorgan Chase or target when you look at the Fortune 100. If we were there, and my life in some ways would be a lot easier if I was Jamie Dimon, but in some ways harder. But literally, imagine being Jamie Dimon and Chase never having done security across the ecosystem.

Jamie Grant, CIO, State of Florida [00:29:47]:
You only get to do that once in your lifetime. And so really relishing that and then ultimately knowing kind of a rally to our team is like, look, if we fail, we're just number. Like, nobody else has been able to do it. So cherish the fact that everybody before you has failed. And that's not a knock. It's the encouragement of guys. One of the things we say everywhere I've been, it wouldn't surprise you there's a slack channel that's stuffed. Jamie says that they just over here.

Joe Toste [00:30:12]:
I got to join that Slack channel.

Jamie Grant, CIO, State of Florida [00:30:13]:
But what I would say to that, Joe, is the team hears all the time that you can make the same mistake every single day, and we will eventually promote you to customer or to constituent. Like, if you just keep screwing up the same thing over and over, we're going to find you a better fit. You don't screw up anything. We're going to find you a better fit a lot faster. Right? So everybody knows we have immunity on one mistake. Like, we have certain non negotiable rules, like zero tolerance things. So you bring a cancer in the locker room, you'll be gone. That's a zero tolerance policy.

Jamie Grant, CIO, State of Florida [00:30:41]:
You're a liar or a fraud, you'll be gone. That's a zero tolerance policy. You bust an assignment, that's all right, you got immunity. But I don't want to watch the same assignment on film over and over again. But if you're not going to make a bust, right, like, the simplest way to do that is not get on the field. And I need you to get on the field. I need you to trust yourself. I need you to play fast.

Jamie Grant, CIO, State of Florida [00:31:00]:
I need you to believe in the playbook that we've laid out and mistakes will happen. But if you'll do that, you can start to transform it. And so ultimately, we've tried to instill that culture of the most government job ever. And I'll tell you, Joe, it's funny, man. There's times where people are like, wait. So I said to somebody one time, some equivalent of like, you are doing an amazing job. This is the way I remember it. You're doing an amazing job.

Jamie Grant, CIO, State of Florida [00:31:24]:
You've earned the right to solve bigger problems, the opportunity to solve bigger problems. You're not entitled to that. And so we're going to move you here. And this person looked at me like confused puppy dog. And they're like, that's what government says right before they promote you to fire you. I'm like, what? I just said, you're awesome. You're doing great work. In what universe is that how we move you to fire you? So understanding the language that's a foreign language to private sector mentalities has been interesting.

Jamie Grant, CIO, State of Florida [00:31:50]:
But I think we've built a team of people buying into the tourist service to go, hey, let's break stuff and go fast and know that they have somebody that ultimately, and I think if you really sum up leadership, Joe, and you and I could jam out all day long about failures, things we didn't see coming and that kind of thing. But we win, I lose. And if you have that mentality as a coach, I think you get people to start understanding. We don't want to hear I in our locker room, we can accept a trophy. I get fired. That's acceptable. You invert that and you get a pretty toxic culture that's set to lose a lot of games. And I think we fall short of that all the time as a team.

Jamie Grant, CIO, State of Florida [00:32:28]:
But it's something that I, from my chair, really try and instill that the outside world can chatter all they want. They can shoot at us all they want. I kind of relish it. We will succeed together if we stick together. If it doesn't work, I'll be gone and the somebody else can take the chair.

Joe Toste [00:32:44]:
Yeah. No, that is well said. And I love what you said about the culture and in the locker room, and believe it or not, we've had high schoolers where fights break out. Some of you are like, don't know any high schoolers anymore, but it happens, like on the court and there's some stuff that's non negotiable and it's critical to get the culture right. And the kids who care more about their playing time than they do kind of about the team result really struggle because they have the kind of eye mentality.

Jamie Grant, CIO, State of Florida [00:33:11]:
The best locker rooms are the locker rooms I don't have to manage. The best players are the players I don't have to manage. Right. Like when an issue aroll when there's the players only meeting to solve the problem before we as a staff have to jump in. You know you've got it right. When you've got assistants or coordinators that are constantly problems and you constantly have to intervene, that's the kind of stuff that makes the hairline march back even faster because it's like, guys. And I think that's the thing, when you can build a team of people who protect that locker room with everything they got, that's when I think, you know, you got it right. And it's cool to see those moments in time sometimes where you've invested in people or you've mentored people and you start to see it click a little bit where they start to handle business for you.

Joe Toste [00:33:56]:
Yeah, no, I love it. And on the basketball court, a lot of times with the kids, especially the ones who are bought in, we're asking them in the real in game, like, what do you see on the court right now? And they're like, no, coach, we need to run Kentucky right now, right? Or we need help on the backside over, like they're coaching themselves. And I'm just the, I don't do a whole lot, except I'm like, you guys need to communicate. You need to talk, right?

Jamie Grant, CIO, State of Florida [00:34:20]:
One of my favorites, and it's adjacent, but it's a pat dye quote that we're going to make practice hell on earth. So the game seems.

Joe Toste [00:34:26]:
Yep.

Jamie Grant, CIO, State of Florida [00:34:27]:
And if you do those things when nobody's everybody, it's fascinating. Both of us get it. And sorry for going off script. I didn't read it, so I can, but, like, it's fascinating when you get to the public setting of keynotes and podcasts and all these things and people go, I want your job one day. I'm like, you want all of it, right? Like, you want everything. It's so easy for us to look at a starting quarterback or an opening day pitcher or a point guard or anybody else and go a CEO and go, man, I want that job. You don't just get the parts of the job that are when the lights are on and it's the fun part. You get the rest of the job when nobody's looking and there's zero credit, and you got to figure out, are you here for the glory, or are you here for the mission? Right? Like, it's the old.

Jamie Grant, CIO, State of Florida [00:35:14]:
Some people know what they want to be called, and some people know what they want to get done. And I don't think that's a Venn diagram. I think those are two different circles. And when you find the people that are here for a title or they're here for the glory or the credit, get them the hell out, because they will kill your locker room faster than anything. And it's also, I think, a truth that one person cannot make any organization a success, but one single cancer can kill it. And I think you have to be super zealous about it. And I made some decisions early on. My dad told me a long time ago, the Tampa Bay Times and now the St.

Jamie Grant, CIO, State of Florida [00:35:44]:
Pete times wasn't saying bad stuff about me. I wasn't doing anything constructive, and I've proven that. But I took heat for turnover. I'll never apologize for it. We were going to have zero cancers in the locker room. And I think if you're willing to go down with your playbook, you'll start to find you won't actually go down. It's the people that are scared to go down, the scared to take the punch that end up taking the punches just out of having done nothing constructive, maybe.

Joe Toste [00:36:11]:
Yeah. And in high school, we call them student athletes, which sometimes the students forget that they are also a student first, and then they're an athlete. Right, Jeremy, before we jump to the audience, Q and a, so, on the road show stop. Before, there were. I think I heard this. It was like, zero agencies have collaborated on cybersecurity since 1845. Right? You maybe talk about the data sharing agreements with the 30 plus state agencies and the team spirit that you've been able to kind of communicate throughout the state.

Jamie Grant, CIO, State of Florida [00:36:39]:
In Jeremy's defense, we have not proven that the pony express and that the carrier pigeons didn't send indicators of compromise. That one just came out ad lib. I was like, well, we didn't have computers back then, but that's when we came.

Jeremy Rodgers, CISO, State of Florida [00:36:49]:
Yeah. So it's been really exciting. So I've been at the digital service for a little bit more than a year, and when I got there, no agencies had shared security information before it was on the path. Right. But Jamie brought me in to really build this kind of security mesh architecture, intelligence sharing, threat sharing. And at the end of the day, the governor and the legislature doesn't want to go to 30 something odd agencies and say, hey, are we safe? Are we safe? Are we safe? Are we safe? The bad guys don't care which agency they're in. They honestly don't even care if they're at state government or local government. They want to do damage.

Jeremy Rodgers, CISO, State of Florida [00:37:28]:
They want to make money, they want to make a name for themselves. But we're in a spot where you could get. One agency could get poned, they could have an issue, they could have a security incident, and you could take that more than likely, you could take that very same exploit that was done and go to the next agency and hit them 4 hours later, and you could go to the next agency and hit them 10 hours later. So we're really looking to build up, and we've started building this ecosystem where, okay, we have monitoring and intelligence sharing and security sharing, and a security posture across the entire enterprise. So, for the first time, you've taken and Jamie hit on this. Imagine coming to a hundred plus billion dollar organization, and all of the silos are not to each other. Some of them are doing pretty good jobs, honestly, in their own silo. Some of them aren't.

Jeremy Rodgers, CISO, State of Florida [00:38:19]:
Some of them are underfunded. We have the haves and the have nots, where you have some agencies where just security wasn't a cybersecurity, wasn't a focus, so it was a golden opportunity to kind of build it from the ground up and create a centralized view of what the cybersecurity posture was and start kind of going at this as a team. You can't have 37 different CIOs rowing in 37 different directions and given 37 different reports in 37 different ways on what their security posture are, and then fixing it in 37 different ways. Our adversaries work at asymmetrical speeds that if we're not all working together, we just can't address that. And I don't want to give the impression that we've got it all figured out. I think our posture has been, hey, we're just going to turn the lights on. We didn't even know how many endpoints we had across any of those agencies, and we're in that point now. Okay, we're at least starting to illuminate the problem and close out start.

Jeremy Rodgers, CISO, State of Florida [00:39:16]:
We're at a spot now where we understand the problem and we're addressing know from the most critical down. But it's a really exciting challenge.

Jamie Grant, CIO, State of Florida [00:39:23]:
Can I have him brag on something real quick before I want to brag on Jeremy and Warren and Leo and the entire security team, but we had a state first and the same way I did with our team when I showed up. Right? Like, there's at the time 100 and something employees who are like, great. We got some politician appointed to run the digital service. And so I told him, I said, look, I expect to find bad news and skeletons everywhere. You have an immunity period, right? Like, bring me all the skeletons. There will be no punishment for a skeleton once the immunity period ends. Don't let me find a skeleton.

Jeremy Rodgers, CISO, State of Florida [00:39:55]:
Take advantage of it.

Jamie Grant, CIO, State of Florida [00:39:56]:
That's a zero tolerance policy. I find you hide a skeleton, that's being a cancer in the locker room. Right. That's putting self preservation above the team. And so we started with us, and we've done the same thing with the agencies, right? To say, like, guys, we're going to turn the lights on. We're going to give you opportunities. You got to lean in. But unfortunately, that first couple of seasons, you had some agency CIOs doing some really questionable things and some things that are best, at best defined as self preservation.

Jamie Grant, CIO, State of Florida [00:40:21]:
They got hit. They don't want to report they got hit. Their strategy is say nothing. Hope nobody finds out. Hope, my secretary, who doesn't know what endpoint detection and response is, or hope, my executive director, who has no idea what capabilities are out there, hide information from the CEO of the organization and hope I never get caught. Right? So we had a couple of choices. We could come in with the heavy hand and say, hey, the governor's done that. Same agency cios, by the way, in some situations, and it's like any bell curve, you have those that are leaning in, leading the way and fantastic.

Jamie Grant, CIO, State of Florida [00:40:53]:
But you find this in this space, when we come back to, it's about people, the same agency CIO who says, I'm not going to agree to participate in cybersecurity till there's a data sharing agreement, has domain trusts with, like, 15 agencies and admin accounts with no passwords. And it's like you're worried about a contract on the front end, not worried about the sieve on the back end. Right? And so, again, coming back to the immunity to go, hey, guys, let's lean in. Let's lean in. Super proud of the entire ecosystem because I think we had a first in state history a few months ago, and Jeremy and Warren and Leo had the team from the undefined agency for public purposes, obviously, but talk a little bit about the first time in state history that a cybersecurity operations center without receiving iocs from MSISAC or any other ISAC without receiving iocs from the FBI or through FDLE, but 100%, a CIO showing up or a security team showing up, and instead of trying to hide the skeleton coming in saying, hey, I got hit and I got hit hard. Fortunately, we're a sophisticated agency and we could respond a little bit. But if I got hit hard, I wonder if anybody else is dealing with this. And it's probably one of the things that I'm most proud of from an output perspective at the state level, way easier to get buy in from the locals than state agencies, and we're seeing that quantitatively by the day with applications that are coming in.

Jamie Grant, CIO, State of Florida [00:42:18]:
But talk a little bit about that story, because the cycle of an agency technical leader coming into the CSOC to say, I got hit rather than I'm going to hide. And what that yielded, because for the first time in state history, three other unexecuted exploits across three agencies remediated before boom, because of what the team has been doing. And I think that's where the culture inside the locker room emanates out. And you just have to get people to trust you over time. But I think that's something that Jeremy should talk a little bit about, because if you can appreciate how far we've come in two and a half years, and to imagine a self reporting agency coming in saying, I got hit, and I want to help the other agencies. Radical transformation from the self preservation, the hiding of evidence, the burning down of servers, hoping we never find it. We eventually find it in incident response guys like, it's going to come out. So talk about how you've kind of expanded that culture, because I think that's a really cool thing that we touch on the roadshow.

Jamie Grant, CIO, State of Florida [00:43:17]:
More instructive than carrier pigeons doing IOC carrying in 1845.

Jeremy Rodgers, CISO, State of Florida [00:43:22]:
Yeah. So it was a great kind of great case study, I think, for our state. So again, a year ago, none of these agencies were siloed. And our CSOC, our cybersecurity operations center, is the clearinghouse for reporting, for incident reporting and threat intelligence. So we had an incident at an agency, one of our more mature agencies. And again, if anyone's ever been involved in a security incident, you get, oh, I don't want anyone to find out, protect my job. Shame. Burn it down.

Jeremy Rodgers, CISO, State of Florida [00:43:49]:
Don't report. Maybe it's not something just try to minimize, which is the worst thing you could possibly do, because first of all, you may not even clear the bad actors. You try to ignore it or minimize it, pretend it's not there. The head in the sand approach to security doesn't work. So we had an agency who stepped up, right? Hey, we have an incident. We're handling it. Can you engage at the digital service level to kind of give overwatch on this? And it was great because we were able to take those IOCs, those indicators of compromise, get them out to the ecosystem, and also do some with this enterprise security apparatus that we're building, do some searches on our team's level, pass them out and say, oh, look, we see there's an active incident going on. We see that there's a couple other exploitations that may be possible.

Jeremy Rodgers, CISO, State of Florida [00:44:36]:
Let's seal those up. Let's block them at patch here where we need to, block here where we need to. And for the first time in our state, we went from a system where, okay, what would have happened a year ago or a couple of years ago before we had the support that we've had from our governor and the legislature, we would have had four or five agencies exploited and much more damage. And again, so the agency that helped out, they contained this pretty quickly and were able to minimize the damage. If they hadn't have reported this, the other agencies that were there were not at this maturity level, and it would have been far worse. So you've got a little bit of smoke smelling a little bit of smoke in one area. Turn it off. Okay, we're good.

Jeremy Rodgers, CISO, State of Florida [00:45:16]:
We've got it contained. If we didn't have that collaborative mindset, that information sharing mindset across our agencies, you would have had probably three or five alarm fire across the state enterprise. And even better. And that was a huge win right there. What was even cooler from that is you then had that state agency do a, hey, let's do lessons learned. We hold monthly security leaders meetings across our agencies and CIO meetings across the agencies. So they came in and said, hey, open kimono. Here's what it's like to go through this.

Jeremy Rodgers, CISO, State of Florida [00:45:49]:
Here's what it's like to partner with our team. And you just would have never had that. That's what's so cool. It's like you would have never had that before. I think the culture that we're working to develop, and it's not us, it's the team that we're building, the team that we're developing, the team that we're growing, by the way, we've got a lot of hiring so let me just put the word out. If you're interested in joining the state.

Joe Toste [00:46:06]:
Of Florida, we're putting the word out.

Jeremy Rodgers, CISO, State of Florida [00:46:07]:
We're picking up some talent where we can. But to take that kind of mindset and see the collaboration that's going versus the head in the sand mentality, honestly, we averted a lot of damage, and that's a big testament, I think, to the collaboration culture that we're building.

Jamie Grant, CIO, State of Florida [00:46:26]:
No, Joe, I think some of these folks don't. Every buying decision in the history of civilization, hope or fear. We're leaning in heavy on hope. Right. Offer them. Offer the ecosystem, whoever it may be, hope. But one of the things we've said is, don't put me in a position. You put me in a position of having to brief the governor or brief the legislature, and the answer is, hey, they haven't historically had the resources.

Jamie Grant, CIO, State of Florida [00:46:49]:
They bought in. They did the right thing. I'll take every bullet for you. You hide the ball and don't show up. I'm pulling the trigger. Right. And getting to a place where you can establish kind of the meritocracy of an agency leader coming in and saying, I got hit, I think is one of the most fundamental transformations if you're trying to roll out enterprise security, because from 1845 to before was like, hey, just hide. Hope my CEO doesn't find out.

Jamie Grant, CIO, State of Florida [00:47:18]:
Hope my secretary doesn't know what they're talking about. Hope they don't know what questions to ask. And I think at the end of the day, that's where our team has had kind of a unique time and opportunity, is some of the relationships we have that maybe trans end out of the little bubble and maybe have some relationships with agency heads and different folks to be able to go, hey, you got some challenges over there. We'd like to help, let us know how we can help. But ultimately, and I'd close here because I know you want to get to Q A, getting to a place where we can scorecard at an executive level. So secretaries and executive directors don't have to understand security. Like, our job is to be able to go into the governor's office or to go into any other executive's office and say, here's how you're performing, and here's how it looks on a trendline, and here's how it looks across the enterprise. You'll get the activity you need.

Jamie Grant, CIO, State of Florida [00:48:01]:
And we're just breaching that door now, which is kind of exciting, but, like everything, we eat our own dog food. So we scorecarded ourselves first, and the teams had some fun with that, but we're just beginning to start those monthly or quarterlies with agency heads to say, hey, if you want to have a briefing and you want to understand where you are, this is the scorecard. But it's also something we've transparently told that the CIOs is like, hey, guys, we're scorecarding ourselves. The governor's scorecarding us. You should be expected to be scorecarded. No secrets. Here's the test. Here's what's going to be on the scorecard.

Jamie Grant, CIO, State of Florida [00:48:31]:
The only question is what your numbers and what your trend is going to look like. We're here to make sure it's a green trend, not a red trend.

Joe Toste [00:48:38]:
Yeah, no, I love that. We're going to jump to audience Q.

Jamie Grant, CIO, State of Florida [00:48:40]:
A.

Joe Toste [00:48:40]:
The one thing I will say, and Jeremy, I got to send this to you. It's on techtables plus. But the interview with Nancy and Mandy, they talk about a ransomware attack where they go out to West Texas, and the sheriff's response to containing the cyber incident he thought was pulling out his gun and shooting the box would happen. And so Mandy and Nancy are like, look, West Texas.

Jamie Grant, CIO, State of Florida [00:48:58]:
Everybody talks about Florida, man, but West Texas is a different panhandle. I believe it.

Joe Toste [00:49:03]:
I don't know if central one handles cybersecurity response like that, but. Show guns in West Texas. But yeah, no. So we're going to jump to audience Q.

Jamie Grant, CIO, State of Florida [00:49:10]:
A.

Joe Toste [00:49:10]:
We've got a mic.

Jason Moreno, Quest Software [00:49:11]:
So I'm Jason Moreno, work for quest software. One of the challenges, not just at state and local government, but even in talking to customers in corporate America, is a retirement crisis. And Microsoft's gap, you might call it, between retiring technical certifications around active directory and their push for azure certifications. And one of the things that I've been hearing a lot and even been kind of talking to our customers about is how are you planning to fill that gap between possibly some of the MCses, the people that hold that legacy, active directory knowledge, they're exiting the industry in the next, say, five to ten years. Then you have that crop of people that are trained on the latest, and yet the state or many businesses don't see themselves fully adopted or slowly adopting. Maybe some of those moat dragons that you spoke about are those mcses, those people that are traditional ad security people saw the existential threat of moving to the cloud as a problem because they didn't understand it themselves. Could you guys possibly relate to that question?

Jamie Grant, CIO, State of Florida [00:50:41]:
We can relate to it. Why don't you answer it first?

Jeremy Rodgers, CISO, State of Florida [00:50:43]:
Sure.

Jamie Grant, CIO, State of Florida [00:50:43]:
We can definitely relate.

Jeremy Rodgers, CISO, State of Florida [00:50:44]:
We could probably have a whole nother podcast on that question alone. So from a technology standpoint, leaning in embracing modern technology and cybersecurity paradigms, things like zero trust and cloud first, and it's a challenge. Right. We have a couple of funny cybersecurity things. One of ours that we came up is it's not the zero day that worries me. It's the zero day from ten years ago. So how do we brace against that and how do we prepare for that, and how do we catch up on things like technical debt from when it was a different culture and different administrations and we didn't have this lean in, forward leaning buy in like we do in an environment today. So technically, we're working to get there from the people side of that.

Jeremy Rodgers, CISO, State of Florida [00:51:27]:
It takes deliberate work. And you touched on several of the concerns. So succession planning and building a pipeline of talent from folks who are coming out of school or maybe haven't gone to the traditional four year route or cert route. So training the folks you have now and making sure that they're staying current and also going after the future of the workforce. And that's something we're looking at very heavily with fellowships. It takes deliberate work and it's hard to do overnight. I would say the state's workforce is more like an aircraft carrier than a fast attack boat. So you can't take everyone from technology 25 years ago to where it's going tomorrow.

Jeremy Rodgers, CISO, State of Florida [00:52:10]:
And that's why we spend a lot of time on it. And I'm probably still in all the good talking points because my boss, let me say, go first, but we've got a collaboration lab, a collab where we bring in industry partners to bring in the latest technologies, and we're focusing very heavily on training across the board. So whether it's traditional training, on the job training, partnering, we're doing everything we can on it.

Jamie Grant, CIO, State of Florida [00:52:33]:
Yeah, I think Jeremy gave a really good answer. I wanted him to go first for a couple of reasons. You've heard too much of my voice already, but a few things I'd say, and you'll pick up on a philosophy pretty quickly. But free enterprise, truly free enterprise markets for all of civilization, are undefeated. I don't mean manipulated, I mean markets. And they're undefeated because incentive structures are undefeated. Right? So if we extrapolate back and we say, why am I getting this behavior? And I could tell you a story on a different podcast, how a $250 per doc spiff in our company toste us $60,250 because it was a really perverse incentive. Incentives always win.

Jamie Grant, CIO, State of Florida [00:53:13]:
And so if we think that the construct of government can solve the things that Jeremy was talking about, we're just flawed. I would bet you a body part, and not just a pinky toe, that if you went to agency heads or the governor's office or people in charge and said, what does Ism mean? Or who does the ISM report to? Or what is the structure in your agency? Do you have somebody that's actually responsible for cybersecurity? The have no idea. They may say, hey, I'm supposed to have an ISM because statute says I'm supposed to have an information security manager. They're supposed to report to the agency head, which means they don't report to the CIO, which means that might have a kind of perverse structure if it's auditor versus head of security, right? So if Jeremy was the IG living in my office, just questioning everything I did, that's a different relationship than being my defensive coordinator, making sure the Russians and the Chinese don't put points on the board. So how do you in policy then go incentivize agency heads to have a CISO? So that's something we're hoping to do this year, right? To go get an FTE on paper for each agency head so that they have somebody that's dedicated to cybersecurity and that they also have the information security manager to make sure they're getting true and accurate information. But let's not mash those two roles together. So the only other thing I'd add to keep the answer brief, because you could do like a day on the topic, 80 some odd percent of the workforce about to go. One of the jokes I make sometimes is that active directory is the new cobalt.

Jamie Grant, CIO, State of Florida [00:54:36]:
Like, there's going to be people that are 75 years old that are doing that instead of mainframes. When we finally retire mainframes, active directory will be the new thing getting government. And I think Chandra is going to laugh at me to understand fences versus fenceless in an architectural design, because there are limitations to fenced products and ubiquitous. Cloud doesn't have fences done right. And so you've got a fundamental, like the Ford pass is getting introduced to a game and you got people who go, I'm a running back or an option quarterback. If I embrace cloud, I'm going to be out of work. And we've had agency CIOs say it right. And one of the messages we've given to them is, I promise you, embracing cloud will not lose you your job.

Jamie Grant, CIO, State of Florida [00:55:18]:
What I can promise you is trying to resist the Opex SaaS cloud world will cost you your job. So we're here to help you train. We're here to help you upskill. But if you think that you can maintain an offense that doesn't throw the ball forward down the field, and you're going to maintain on the field or coaching that game, it's a matter of time before you figure that out. And so we try really hard with our team to get them to understand that there's a massive difference, a fundamental difference, between being unfirable and invaluable. Unfirable is the person that has the spreadsheet that nobody else knows how to work. Unfirable is the person who can operate a mainframe that shouldn't still be in existence and isn't doing anything to migrate off of it or trying to. Unfirable are the people who say, stay out of my office, because I can't teach anybody how to do this.

Jamie Grant, CIO, State of Florida [00:56:08]:
If I teach you how to do this, I'm less valuable. Turns out the people who can coach you up, train you up and make yourself like, I am trying. This is no secret. I am trying to make myself irrelevant at the digital service actively. Like, I tell the team all the time, I should be allowed to die in a plane crash, and nobody cared but my family. The place should be just fine.

Joe Toste [00:56:28]:
Chandra would care.

Jamie Grant, CIO, State of Florida [00:56:30]:
Friends. And I've given the example. Our board wouldn't let myself and our two co founders on the same flight. We had to mature as a company to where it was okay for the three of us to be on the same plane. And if that plane went down, everything would be okay, relatively speaking. And I think there's just this mindset in government that it's just a fundamentally different place, and you can't really make it the private sector. And I think that's been one of the biggest revelations and evolutions for me is that when I came in, I said something so stupid, and this room will get it. This is one of the dumbest things I said in my tenure.

Jamie Grant, CIO, State of Florida [00:57:05]:
And it was born out of a situation where our former vp of sales is at a company that does a lot of business with the state. I was getting a point. I said, hey, natalie, if I can be helpful, if I can introduce you to folks, let me know. He said, well, I'm on the commercial side, not the sled side. And I was like, what's a sled? And he starts explaining it, and I go, yeah, that's fine, but if it helps you tell your sled guy, give me a call. He's like, no, can't do that. And he finally gets down to telling me he'll get in trouble at the company if they cross the Rubicon. That is sled versus commercial.

Jamie Grant, CIO, State of Florida [00:57:31]:
And so I set out like an idiot on this one, and I said, we're going to change the way that government does business. So much so that your commercial team and your sled team don't have to be different. I have now realized how asinine that is because being dropped into government is like, and I'm not ethiopian or ugandan or ecuadorian, but, like, dropped. Know any one of the great partners that Lauren works with and dropped into their world without the understanding of how the currency works and what the culture is and what gets you arrested versus what lets you survive. And, like, you have to do business in that ecosystem. And so educating people and being willing to say, here's our secret sauce. It's not a secret, right? Just focus on the user, know who your customer is and make them have a delightful experience over and over again works no matter what any of you do. And I think just understanding that government is so foreign that there are some things in it, because government doesn't have to retire quota, government doesn't have to worry about rifts.

Jamie Grant, CIO, State of Florida [00:58:32]:
Government doesn't have to worry about earnings and quarterlies and all these different things government has to worry about. If you really boil it down to the employee, don't get fired. And historically, don't get fired means take no risk. And if you take no risk, you do nothing. And then the rest of us look around and go, how come we can't have a simple API call that says sex offender, foster child, not happening? And I get heated about it because it's so frustrating. But I think if you boil down to the incentive structures, we start to figure out how to translate and transact in a foreign ecosystem to make the incentive structures work for us. And so I'll culminate it by saying, I was asked at one of these, what do I want my legacy to be? Which I hate, is a question Omar and some good friends. Like, I look down at 02:00 on the floor if I'm ever getting a compliment, because I'm really wildly uncomfortable with it.

Jamie Grant, CIO, State of Florida [00:59:20]:
And so this question just bothered me. You were there. Yeah, right.

Joe Toste [00:59:23]:
I had answered, too.

Jamie Grant, CIO, State of Florida [00:59:24]:
Yeah. So Joe and I looked at each other at this dinner, and we're like, I don't like, you know, some people are going around the table and they're like, I want it to be this. I want it to be this. And I asked a couple of people, I said, who's your favorite sports team? And us, it's the Green Bay packers or somebody like that. It's a pretty tough question to answer. Who was their first head coach? Right? Like, you ask somebody, I can tell you who pat dye is. I can tell you who Coach Heisman is. I can tell you who Tommy Tuberville is.

Jamie Grant, CIO, State of Florida [00:59:47]:
I go down the list of Auburn coaches, you put a gun to my head, I'd tell you, pull the trigger, because I don't know who the first head coach was at Auburn, our goal as a team, because I've set it out for all of us, but my goal is to be able to walk in the digital service in three, four, 5510 years, and somebody go, who's that weird dude walking the halls?

Joe Toste [01:00:03]:
Right?

Jamie Grant, CIO, State of Florida [01:00:03]:
Because we built an organization that delivered value about the name on the front of the jersey, not the back. And I think if you do that, you start to at least chip away. But, man, the moat dragons are fierce, and the fire is hot, and you just have to not give up. And I think that's the one thing I would say about navigating bureaucracy, is be more stubborn than them, and then don't be scared to get fired like I set out at the beginning. I want to make myself irrelevant. I want to be able to go back to the private sector. It's what I'm wired to do. It's what I love to do.

Jamie Grant, CIO, State of Florida [01:00:34]:
I'm making a lot of enemies in government, but judge me by my enemies. They're telling the truth. And if I don't have any, I'm not doing anything. And so I need to make sure I have the right friends and the right enemies, and there are people that will fight and war against progress. And if I could give anything to what we do on a daily basis, it's don't give up. Know what you're there to accomplish and just refuse to take. No. And if you do that over and over again, you start to look back and go, man, we got to.

Jamie Grant, CIO, State of Florida [01:01:04]:
Yes. Whether they wanted us to or not. And that's the biggest thing I would say, is just be fricking stubborn, man.

Joe Toste [01:01:08]:
Yeah, no, I love that. I also, I think four months into the public sector, I didn't know what sled was. People kept you, and they're like, sled, this is our sled team.

Jamie Grant, CIO, State of Florida [01:01:18]:
Then they break up, and Ed and I'm like, which half of the sled are you on? Because there's an ed component and there's.

Jeremy Rodgers, CISO, State of Florida [01:01:24]:
Fed in there or not. It varies, right?

Joe Toste [01:01:26]:
Yeah, this is real talk. No, I was at NASTD, and this is literally what happened to me. I was sitting at a table with some folks from Texas, and they were telling me, like, sled ed federal. And then they asked me, what territory are you in? And I don't want to be mean. I don't have a territory. I'm an entrepreneur. It's so funny to me because I'm like, this isn't like a transaction. And then, yeah, the whole thing about being stubborn, we have to be pretty stubborn.

Joe Toste [01:01:52]:
We have a lot of people tell us we're going to throw these live podcast events. That's a dumb idea. Why? They're like, well, no one's done it. Well, we should do it. And they're like, no. So we don't give up. Yeah, we don't give up. We love it.

Joe Toste [01:02:02]:
Let's take one more question only because Jamie's going to come back on with more. And Wright, we've already been going 70 minutes now, so let's just say if there's one more, we'll take it. Andrea wants to take it.

Andrea Sherwood, NBC Universal [01:02:11]:
Yeah. Andrea Sherwood in cybersecurity at NBC Universal, but came from 15 years at Lockheed Martin. So just thinking from, it was really surprising to me to hear the innovation and how really from a regulatory compliance, it could be very stifling from that perspective just because people might focus too much on that. So I'm just kind of curious show that's kind of kept you all motivated and going. Just thinking from my days at Lockheed would just love the culture there where it was. Yep. We've got to go check these boxes, but we've got to look at the threat and we've got to understand really what we're focused on and what we need to do to protect. So just kind of would love to hear how you balance that to kind.

Jeremy Rodgers, CISO, State of Florida [01:02:56]:
Of build on what we were just talking about. Jamie comes founder mentality, startup background. I come from the commercial side on big tech ish, I would say, and some startup organizations inside of that big tech environment. And if you kind of go back to the previous question, I think there's a lot of overlap. If you look at unfirable versus invaluable. I feel like our job, my job at the day is to take technical risk, cybersecurity risk, business risk off the table, and nothing is more risky than that unfirable person. To us, that is the biggest risk of everything. So getting that innovative mindset and bringing in, and this is the case.

Jeremy Rodgers, CISO, State of Florida [01:03:39]:
And it's not just a government problem, right? I mean, you see this in the commercial realm, in the education realm, at the local government, state government, federal government, you have plenty of folks. It may be a little worse in the government section of this unfirable mentality, but transitioning, I think that mindset into a, okay, how do you become invaluable? Nothing is more invaluable than someone who is looking to push the limits and take a little bit of risk in addressing problems versus. I don't want to take any risk. So that's the biggest thing is take risks, calculated risk, where it makes sense technically, and avoid that. I've known this. I don't want to see the 20 to 30 year old technology and process change, because I'm the only one who knows that that is honestly the biggest risk in our world. So just pushing past that mindset, pushing through that mindset and getting as many people as you can in the boat with you to embrace innovation is the only way to go about it.

Jamie Grant, CIO, State of Florida [01:04:39]:
So this is another one that I think you could do a day on, right? Because one of the things going back to your first question, Joe, about like a startup from within government, I'm not all that bright. I just plagiarize what works, right, and pay attention to what didn't. More importantly, the best leaders to learn from are the worst leaders I've worked with. And that sounds kind of caddy or petty, but it's real easy to pay attention when you're accepting the trophy. You learn a lot more from really bad leadership. And so there's a few things I would say. One, when I was thinking about kind of the startup from within government early on, I kind of put it on a matrix, and it's like the bureaucracy of either government or big corporation, because there are some absolute parallels, right? And then resources. So if you have a little xy axis of size of bureaucracy and resources, the bigger the bureaucracy, typically the more resources you have, right? So big business, big rules and regulations, but also big resources, startup, no rules, no regulations, no resources, startup within government, all the rules.

Jamie Grant, CIO, State of Florida [01:05:42]:
You're like all the rules. And when you start boiling down, you find out one thing to tie one bow. I'll say in this space is in a role like this where I'm Quasi CEO, quasi department head, right? Like I don't work for myself. But you also have some level of build this thing as a head coach kind of thing. You can only go as far as your executive backing. So I don't care if it's Lockheed or the state of Florida. If you're in this room, the executive backing is the only thing that matters to get you that far. Two, one of my theories and somebody smarter than me will put this into, like, academic, whatever, but every organization has two strands to their dna, and it's the mission they're trying to solve, and it's their character at their core.

Jamie Grant, CIO, State of Florida [01:06:23]:
And you have a certain period of time to set that culture when you're starting a company or when you're taking over something. And so you said something earlier. I was listening to Simon Sinek the other day, who I love, and he had somebody on that was talking about the difference between excellenceism and perfectionism. And I thought that was a really good way to articulate it, because one of the things that if you make the mistake of looking at the digital service from the outside or seeing us off the field, I think you could fall prey to the common assumption that we just like to have fun and we're unfiltered. We take our work really freaking seriously. And the thing that I would stress from a culture inside is the amount of fun we can have is directly correlated to the excellence we produce. And so I think if you create a culture that says we have some zero tolerance on liars and frauds, we try and avoid insecurity, and we try really hard to reward anticipation and reliability.

Joe Toste [01:07:21]:
Right.

Jamie Grant, CIO, State of Florida [01:07:21]:
Like, it's easy to say, these are the people I want. But if we really boil down the traits we want, it's people who anticipate and people who are reliable, because if they see what's coming and they're reliable, problems get solved before it gets to us. On the flip side, if they're insecure, that starts to show symptoms that are really gross, that get real close to liar and fraud. And so know what the two strands of the organization are. I think it's why, you see some of these big companies struggle to become something new, right. When ingrained in their dna was, this is how we solve, or this is what we're trying to solve? And so a culture that refuses to quit, a culture that refuses to accept the status quo, it's why I laugh. People come to us, and they sell to us and, like, well, we did this in five other states. Cool.

Jamie Grant, CIO, State of Florida [01:08:07]:
We're kind of bummed we're not first, number one. Number two, you say it NASD or in Nasio. Like, you've seen one state, you've seen one state. Why are you talking to me about what worked over there, they don't have the same chessboard we have. So understand our problems, understand our chessboard, and now we can get to doing real business more quickly. But I would just encourage you that there are some similarities in bureaucracy, no matter what flavor, public or private. It's just that the tool sets change. It's that the ways to get to, yes, change.

Jamie Grant, CIO, State of Florida [01:08:38]:
And then I think I would say, because I've probably given off, like, a little bit of a wartime CEO vibe, which is probably feature, not bug, but know what stage you're in. One of the jokes I make is that if I'm ever the CEO of a public traded company, short the hell out of it. I will get bored. I will tinker. Something will be working just fine. And I'm like, that's old. Know what stage you're at in the team, right? Because I know I'm not wired to be in a Fortune 100 company. I'll go crazy.

Jamie Grant, CIO, State of Florida [01:09:07]:
I know where I'm supposed to be. At least I believe it. And I think that starts with another part of our culture that says, identify what you suck at and don't do it. Don't go anywhere close to it. And on company time, don't try and become good at it. You will never be good at what you suck at. Invest in what you're good at and figure out how to love doing what you're good at. And that's not to say you shouldn't want to get better at things.

Jamie Grant, CIO, State of Florida [01:09:31]:
It's to say that I'm doing a disservice to the company if I try and put Jeremy in a position to do something different and to go full circle. Joe, like, nobody said, how do we make Shaq a point guard? Nobody thought, like, how do I make Tom Brady a left? Like, nobody said, let's spend money figuring out how to make Randy Johnson a center. Like we said, these guys are elite at what they do. Have them do that. And then the last charge I'll give you. And this is something I'm going to say one more, because I'm on a soapbox about this one, Joe. I'm so at war and sick and tired of managing people being the definition of success, public and private. Like this notion that people.

Jamie Grant, CIO, State of Florida [01:10:09]:
I had to fight the legislature. I had to fight different people to pay my coordinators more money than I make. And I think that's crazy. Like, you tell me, how many managers made more money than Randy Johnson? How many coaches made more money than Tom Brady? How many coaches made more money than Shaq they don't. We invest in players, and government just fundamentally screws this up over and over that says, if you want more money and a better retirement and a thing, you have to be more sector to somebody that does the work, which means you have to make more money, because it's a problem if you don't make the work. Guess what? There's a few people on my work make a lot more money than me, and my choice was, I can either pay them more money and get the talent I need where I can have the lightning rod story of trying to get my money's like, we win. Everybody will do just fine. We're not martyrs here.

Jamie Grant, CIO, State of Florida [01:10:57]:
We're on a mission. We'll be fine. But, like, for right now, invest in the talent it takes. And I think that's one of the mentalities that Elon, not to cliche it, but he was talking to what we were talking about in our e team meeting, shows up. This is a total ramble. I'm sorry, Joe. But he shows up in an engineering meeting, and he says, how many of you have pushed code in? What? It was some extreme number of months, literally, engineers at Twitter. Yeah, it was six months or something.

Jamie Grant, CIO, State of Florida [01:11:25]:
How many of purely an audience of engineers, hundreds of engineers at Twitter. How many of you have pushed code to production in the last six months? And, like, two hands goes up. So what had happened was this toxic culture of incentivizing management meant that the best engineers were managing engineers who were managing engineers who were managing engineers, who were managing kids right out of Stanford who were actually writing Twitter nuts. But somehow we think that the people who are on the field making the actual product should make less than the manager. I'm replaceable easily. Who's not replaceable is the person who's making product happen. And I think that's something that y'all in the private sector are a little bit ahead of us, but it's a curse there, too. And I think, to quote a guy that I'm a big fan of, David Sachs, like, the surplus elites are getting rooted out left and right.

Jamie Grant, CIO, State of Florida [01:12:18]:
You look at these riffs, it's not product. You look at the riffs. It's the vp of something that nobody can point to and say, they made the product better. They invested in this, the innovated that it's the. We're here to manage. And that's the courage I would give to the managers, is own the space of being a positive addition to product, and you're not there. But at a corporate or board level, invest in the people who are making product happen because there's a whole lot of surplus elite running around. And we as leaders, just have to be willing to say, like, hey, I'm okay with you getting the credit or the money.

Jamie Grant, CIO, State of Florida [01:12:52]:
That's fine. We win, I lose.

Joe Toste [01:12:54]:
Yeah. And that was fantastic. And with that, we're going to wrap up this session. Big shout out to Jeremy and Jamie for coming on, and thank you for coming on the podcast, dude.

Jamie Grant, CIO, State of Florida [01:13:04]:
Thanks for having us. Happy game day.

Joe Toste [01:13:07]:
That's right. And then you guys are going to sign this ball, too. Yeah. Our.