Ep.153 The Motion Offense: Cybersecurity Strategies That Build Relationships First

Joe Toste [00:00:00]:
Hey, what's up, everybody?

Joe Toste [00:00:00]:
This is Joe Toste from techtables.com, and you're listening to the public sector show by techtables. This podcast features human centric stories from public sector, cios, cisos, and technology leaders across federal, state, city, county and higher education. You'll gain valuable insights into current issues and challenges faced by top leaders through interviews, speaking engagements, live podcast tour events. We offer you a behind the mic look at the opportunities top lead ears are seen today. And to make sure you never miss an episode, head over to Spotify and Apple podcasts. Hit that follow button and leave a quick rating. Just tap the number of stars that you think this show deserves.

Joe Toste [00:00:34]:
Today we have Chris Winnick, battalion commander and cyber operations chief, and Chris Humphreys, state of Texas Cybersecurity Council. Chris and Chris, double Chris's. Welcome to the public sector show by tech table.

Chris Winnek [00:00:46]:
Thanks, Joe. Good to be here.

Chris Humphries [00:00:47]:
Thank you.

Joe Toste [00:00:48]:
I'm very honored. I'm not going to lie. I'm going to even put this down. So this is the audible, right? I love this. So I had the honor of interviewing Chris on stage, Austin city limits in 2001. And if you don't have, you must go listen to that episode. It was just so good. Chris has got a really big heart, which is why we just really connect.

Joe Toste [00:01:08]:
And then I had the opportunity to speak at Camp Mayberry.

Chris Humphries [00:01:12]:
Yes, you did.

Chris Winnek [00:01:13]:
Killed it, too.

Joe Toste [00:01:14]:
Which I had the. I was really nervous because I went after Mandy Crawford, and so I was like, you got to give me the last one, the last speaking slot. But it was great. And we spoke on the dark side of you, big sports fan. And so we had Michael Jordan photos and analogies and all that kind of stuff. But humility is just like a fantastic, a really. It's a core trade across, whether it's the Navy or the army, because you put the mission first. Right.

Joe Toste [00:01:42]:
So anyways, that's my background context. And then actually, other Chris Humphries actually spoke to, and we were able to connect afterwards. And Chris is a really smart guy. He is a lot smarter than. So we. We are actually kind of spitballing right now like a cybersecurity podcast. Right.

Chris Winnek [00:01:58]:
It's happening. It's got to happen.

Joe Toste [00:01:59]:
It's got to happen. Yeah. We can get Matthew McConaughey on. I can just give him a call if that happens. I'm going to be on that podcast.

Chris Humphries [00:02:07]:
Should get Willie Nelson while we still have time.

Joe Toste [00:02:09]:
Yeah. So anyways, Chris, let's this. Chris. Chris Winnick, let's start off with you. This is your second Techtables live podcast, your event. You were first on the podcast at ACL just after you returned from duty overseas in Kuwait. You said it was like last night, you were like, it was kind of like a vacation in the Middle east.

Chris Winnek [00:02:28]:
It was because after going to Iraq and Afghanistan, doing combat operations, getting to travel around the Middle east and go to different countries and working with the partners there and doing security cooperation activities and providing tactical communications for the 36th Infantry Division, we got to see the Middle east as it is, peaceful, prosperous nations that are all doing fantastic. And it was a nice change. It was like kind of a victory lap, I guess, although things are definitely volatile still over there, and there's a lot of stuff going on, but it was just nice to be able to see some of the nice features of that region since I've been so much there, such a big part of my life.

Joe Toste [00:03:10]:
Yeah, one of the things I was listening back to the podcast you said was you're heavy into cybersecurity, and you were talking about, the story you told was there were people shooting at you, and you still had to also manage cybersecurity, which I was like, that is not a normal day for a.

Chris Humphries [00:03:29]:
Think.

Chris Winnek [00:03:29]:
That at the time. I think it is. It may not be like bullets or mortar rounds or rockets in my case, but I think people are coming under the realization now, Joe, in this day and age, that it may not be through conventional weapons, but we are constantly under attack by people out there, near peer other countries that are in competition with the United States. And there's this term called hybrid warfare, grace based warfare that we all belong. We all own equities in those as public sector, for sure. Critical infrastructure, private sector. They don't see green or blue or white systems. They see the US interests, and that's what they're targeting.

Chris Winnek [00:04:06]:
And we're all potential targets. And I think people are coming to the realization of that. Certainly in the Department of Defense, they're reorganizing to meet this new threat. And I think talking about the cloud migration that a lot of our speakers have talked about today, that we're all kind of going through that together, data migration and security are all going to be significant challenges as we migrate our information to the cloud and protect it.

Joe Toste [00:04:30]:
Yeah, no, that's great. Chris Humphreys. I know the two Chris's, you're a former pro soccer player, which is awesome. This is kind of the athlete we kind of connect on, also former military. So you two kind of speak the same us. For those who don't know, you give us a little bit of background and kind of why you care about cyber so much.

Chris Humphries [00:04:49]:
Well, I always chuckle when someone refers to me as really smart, because I'm not. I stayed at a Holiday Inn express last night or something like that. But I've got Forrest Gump. I can give Forrest Gump a run for his money on how random how I found my way into this is. But short and sweet is went to play professional soccer at 17. Did that for a couple of years and realized I wasn't going to be the next Maradona or Pele or Ronaldo or Messi. Didn't know how old you are, might not know who any of those players are. That's depressing.

Chris Humphries [00:05:18]:
But anyway, I realized I wasn't going to be that and had to finish school and figure something out. So I joined the army with zero expectations. But they said, hey, you're smart. We're going to put you in army intelligence because you speak languages. I'd played in several central and south american countries and spoke spanish, and I was like, sure. And lo and behold me into signals intelligence and counterintelligence and all this stuff. And then in 2004, this small little agency called the Department of Homeland Security was just starting. And general dynamics literally said to me, Humphreys, we've got this thing called critical infrastructure protection.

Chris Humphries [00:05:47]:
We don't really know what it is, but you want to run it? I go, I can say those three words, it sounds cool. Let's do it. And so those four years of cutting my teeth at every three letter agency, from doing research and technology protection to cyber to critical infrastructure protection, landed me back in Austin in 2008. But thank God I read the job requisition, because it was cybersecurity engineer. I'm not an engineer, but the role was to be the first regulator for all the NERC SIP standards for utilities, the cybersecurity framework that they have. So I was the first regulator here in Texas to audit everybody in the ERCOT region in Texas, and then chaired working groups to figure all that out. And first time I saw something that had such a putative model where it's a million dollars a day per penalty, so you're beating people with a stick. So I realized, well, gosh, I could be like one of those tax advisors on the commercials, say, if you get in trouble with the IRS, call me.

Chris Humphries [00:06:34]:
So, 13 years ago, I started my own firm, and that's evolved into other business, other industry sectors. And I was appointed through Governor Abbott's office when he was the attorney general led the appointment for me to the Cyber council, where I'm the public health sector rep and the utilities rep. And I just know. And simply put, my gift is to be able to speak to people at a third grade level without making them feel stupid. And that's extremely valuable in something like cybersecurity and emerging tech and things like that. Why do you need it? What's the big bang for the buck? What risk is this going to mitigate? And your engineer that's been complaining for years that he's overworked and doesn't have the resources he needs is because he can't explain it in a way that is tangible. So I'm kind of that Mediary I call myself. What is it? A synergist, a regulatory cybersecurity and technology synergist, because those are the three legged stools that I kind of navigate in between.

Chris Humphries [00:07:23]:
But yeah, that's very random. I still chuckle when people say, you don't look splinter smart. I'm like, yeah, I know. I don't know how I got here.

Joe Toste [00:07:30]:
I use similar language when I was like, I'm chuckling that I was standing up at Camp Mavery, and I'm like, these people are all staring at me right now, all in outfit, too. It was crazy. So, yeah, I feel the same way. Super random. I'm a high school coach who picked up a mic and here we are a couple years later. So, Chris Winnick, it seems like one of the most important pieces of cybersecurity is a strong and robust pipeline of not only cyber talent, but awareness of the bad actors, too. Walk us why you host events like cyber aware every year at Camp Mayberry and what you hope to accomplish with this year's event.

Chris Winnek [00:08:07]:
So that's. Appreciate the question, Joe. And by the way, you were my keynote speaker at the last event, and you absolutely killed it with your speech. And I just love the energy Joe brings. I mean, he just is a fireball. And I'm going to brag about you just for a second, but I was talking earlier. You're bringing recognition and making public sector leaders in tech, doing such innovations, you actually take the time and make people feel like, appreciated and supported and like celebrities, even for a brief moment before we all go back to fight for resources and do what we're doing. So I really appreciate what you're doing here.

Chris Winnek [00:08:39]:
And let's get that. Yeah, definitely. So I'd love to see the brand expanding. I heard you started some new things. I was kind of eavesdropping on your stuff yesterday. So that being said, I can't believe you have me back again.

Chris Humphries [00:08:53]:
Yes.

Chris Winnek [00:08:53]:
So I appreciate it. The reason why we meet and talk still is because of relationships and I think I'm a national guard soldier. I'm a citizen of Texas, I'm a soldier in the army, and I also serve the governor, and that's the guard mission. We serve the governor and the president, dual missions. So I have a unique position of recognizing and seeing all the capabilities that the federal resources bring to bear on our cyber, or actually it started with our ability to respond to a cyber incident and being able to go to our state partners and explain what we can bring to the fight and work through that. That's kind of the nexus of cyber aware that we have, bringing all the different agencies on the state and federal side together because we're all really busy and twelve months goes by and all of these initiatives that we're working on and our capabilities are constantly growing and people are solving problems that we are facing over here. And just to bring all those people together and share that and also to give them an update on what our current capabilities are, because honestly, when the crap hits the fan, like the people in this room, we should be on cell phone first name basis, because we're all going to be sitting in the state operations center together with all of our leadership, elected leaders, agency leaders, city leaders, and we've done it. We have to figure out how we're going to respond to support the state or the nation.

Chris Winnek [00:10:19]:
And the lines between the two are becoming very blurred in this gray space that we live in now. So that's why we do it, and that's why we're going to continue to do it. That's why we come to these events. And that's why I appreciate the forum that you're giving all of us to meet and greet and share our lessons learned and some of our best practices.

Joe Toste [00:10:34]:
Thanks. Jamie Grant was talking about this in Orlando, and one of the things he was talking about was Hurricane Ian goes through Florida. And so there's a lot of challenges, right? So you've got a human aspect where there's bridges down and you're trying to help citizens. There's Jeremy Rogers, who's a state. CISO talked about the cybersecurity component because bad actors just seem to come out like when there's a natural disaster in droves, right? And so the, they had the turn Florida digital services into their cyber operations and kind of relief command center. And it's unfortunate that the only time people seem to come together is when there's a natural disaster. Right. So we're trying to change that because if you don't have the relationship becomes really hard.

Joe Toste [00:11:25]:
And when a bridge goes down in South Florida because a hurricane rolls through, no one cares. There's people stranded. And you're trying to the we talked about the mission of tech table is really trying to connect people and it starts through relationship and we see that again. I will preach it the same thing with the high schoolers. And I know it works because if it works for high schoolers, it works for adults, but you have to get the relationship right. And if the relationship is not right, it's not going to work.

Chris Winnek [00:11:53]:
And I just want to recognize the city of Houston because I can't think of a more resilient area of the state. I mean, they're constantly bombarded with emergency responses and some of the most extreme conditions. And being at the state operations center during these events, they're pretty much, hey, appreciate the support state. We got it. And they have a plan and they execute it better probably than any city in the country. The stuff that they've faced in the last ten to 15 years. I'm a twelve year historian myself, so I lived it firsthand.

Chris Humphries [00:12:18]:
Can I chime in on that real quick? A couple of years ago, Chris and I both had the opportunity to participate in an exercise called Jack Voltaic two here in Houston. And we were here and it was this national level exercise simulation, the port of Houston and hurricane and how vulnerable we are during a wet natural event. That's the prime time for us to be attacked from a cyber perspective, was essentially the script for the exercise. But the refreshing thing in silver lining, call it a silver lining, was, yes, there's a big shortage on human capital and people to do things in talent. But I also walked away from there and saying, we've got more than enough capability here in this state between everybody that's participating. We just don't talk to each other. Everybody siloed their own. The got to do cyber.

Chris Humphries [00:12:59]:
We got to do cyber to their own piece of the pie. But we have so many resources here in the state of Texas, more than enough that if we just got together and could cooperate, we would have all the capability. We need to be proactive in this kind of climate, which is where we need to be. It's not reactive once something happens and then we put it all back together, we got to take those lessons learned and proactively keep moving the ball forward and not wait for stuff to happen. But the city of Houston, that exercise was a great example of seeing, gosh, we're not short of resources. Not short of resources at all. We're just short of communicating between the resources we have.

Joe Toste [00:13:31]:
Yeah, no, I really like that. And the city, and I don't say this about every city, so I am honest. But there are a lot of really good people in the city of Houston. Before there was a podcast, before no one knew who I was, it just didn't exist. But there was a massive flooding in, and I don't know where any of you fall at, but I just felt like the Lord was calling me to come to Houston and help serve. And I landed in Houston and it was flooded. And I had a buddy who was in the army, and he had a boat, and we were just, like, picking people up and getting supplies. And I had to spend some time in Houston, and it was a really special time.

Joe Toste [00:14:07]:
And so I've been back a couple of times, been to some Astro games.

Chris Winnek [00:14:10]:
If you ever want to do that on a regular basis, just give me a call. We have people that do that.

Chris Humphries [00:14:14]:
Yeah.

Joe Toste [00:14:14]:
The funny part about that was, I was like, I'm going to go do this. And at the time, it was like, there were no flights from California to Houston, right? And so all the flights were leaving. Nobody was coming here. So I was like, but, no, I'm going to come. And I found a flight, and I think I might have been the only.

Chris Winnek [00:14:31]:
But didn't it feel like. So, I have to say, the first time that I ever went to a hurricane, we were driving to Beaumont, Texas. This was Humberto, I think, and we were driving in army vehicles, and I was a lieutenant. And I remember everyone was evacuating, but we were driving towards Beaumont, and I felt so much pride that it was that sense of service, the honor and privilege of being in the military to do these things. And running to the sound of the guns, it's like there's no better feeling as a public servant to be able to run the sound of the guns and help people when they're in need. I mean, that's what keeps us going. But, I mean, I know you must have felt that when you saw everyone leaving and you're like, I'm coming in.

Joe Toste [00:15:07]:
I would say getting to meet the residents. I definitely had that sense of, this is awesome. When you're doing the hard work of tearing down walls that have been flooded, it smells really bad. So that you're like, I don't really like that much, but actually being with the community there definitely, like, sense of this is awesome. Love helping these people. And I think today it's really easy in the world where it's not your problem, so you don't do anything about it. You can tell I'm very opinionated. Even the kids, the high school, are like, we set the culture, and I'm like, hey, if it's like, oh, it's not my problem, I'm like, jeremiah, I really like you.

Joe Toste [00:15:42]:
I don't care. It is your problem. Right? And go pick up that trash. Right, the right. Is that a caddyshack reference?

Chris Humphries [00:15:51]:
It's unfortunate, but it's great that it takes an event like that to still have hope in the human spirit. Like, when you go help people, there's no one thinking about poverty or rich or skin color or anything like that. People are stranded. People are stranded. People break all that down in that moment as humans to be human. And it's sad that it takes something like that for us to see those things, but it still gives me hope that we're capable of doing those things. It's very hard in this day and age, every day, to see that we have that capacity. And I wish there were some more positive things for us to see that versus reactive when crap hits the fan.

Chris Humphries [00:16:26]:
But we still have the ability to help our fellow man no matter what. And I think that's very few people have the opportunity. Us being army guys and serving in places like that. Few of us have. It gives you purpose for why you did what you did.

Chris Winnek [00:16:39]:
I'm sure that some people in here have heard, well, we're going to need a cyber 911 for us for people to take this seriously. And I'm hoping that we're moving beyond that because that is unfortunate. That's the mentality of people, that we have to have a cyber 911 for people to take cybersecurity seriously, to realize that we need to resource this stuff. But I think we're moving on. I'm feeling that people don't say that very much anymore, but that was a pretty hot topic. To get to your point. You have to wait for that emergency to bring people together to make them focus on the problem. And I think that those days are behind us.

Chris Winnek [00:17:14]:
I hope they are.

Joe Toste [00:17:15]:
So do I. Because my aunt was in one of the buildings during 911 and she made it out that morning. And looking back over a decade now, it's like the habits, right? You just fall back into. And I think we don't want to have the cyber 911. We want to have the right habits of people coming together and having community and those are the types of habits that we want. Chris Humphreys. Something that we really connected offline was the need for cyber awareness in a fun and entertaining way. I love fun and entertaining stuff.

Joe Toste [00:17:54]:
If you haven't noticed, at the Phoenix Live podcast tour, I spoke with Tim Roemer, who's in here, who said that people are always the weakest link when it comes to cybersecurity. I am the weakest link. I like to think, actually, and this is probably my ego, if I was going to confess, I feel like I'm pretty good. You're not going to get me because I grew up in like, when it was just starting and I was buying and selling stuff on Craigslist, and you start to see the scammers on Craigslist, right? And so now that was like the genesis of now I'm always coaching Jamie.

Chris Winnek [00:18:25]:
I'm like, hey, are you a Craigslist influencer?

Joe Toste [00:18:28]:
No, I was trying not to get scammed. Yeah. But anyways, that was a super random tangent, but we're always the weakest link. And I kind of have the mindset of I don't really trust when emails come in and it's accenture and I'm like clicking because I want to know, is this a real email? Right? So anyways, we are the weakest link. I'm the weakest link. Even if I think I'm not. I know I'm the weakest link, but. Chris Humphreys, any ideas on how to incorporate more fun while building out a strong cybersecurity workforce that is highly adept at protecting the citizens?

Chris Humphries [00:19:03]:
Yeah, kind of. You're very much true. The human factor will always be the issue. It's not a. To all we've heard this morning about the right technologies and the right people and the right processes. We have the right technologies. If you don't have the right people in and the right maturity in your processes, that technology is going to fail. But here's the biggest example I like to give.

Chris Humphries [00:19:22]:
When I do vulnerability assessments or security assessments of places, I purposely go out and drop thumb drives in the parking lot, every single one of them get brought back in and plugged into the network. That's the kind of learning curve I'm dealing with here. The days of, oh, my God, I got to change my password every 90 days, and it can't take one of my other passwords. It's too close to this, and blah, blah, blah, it can't be my pet's name. I'm like, folks, those days are over now. Multifactor authentication has come into place now where that makes it sort of easier. People get that because it's a smaller thing to remember in a token that you have, and it adds that layer of security. But we call it cyber hygiene.

Chris Humphries [00:19:58]:
It's just a way of life. I think the problem we have too, is in the business world, in the technology world, people are so quick to want to get that technology to market. Their posture is, let's wait for our customers to figure out what's wrong with it before we bring it in and when they know the default passwords are staying on there or the microphone is enabled on these devices by default and all that kind of stuff, I think there's a huge. That chasm is failing us from consumers to citizens to technology providers of bridging that gap out of their own selfish interest. But a way to make this stuff relatable and tangible is a cyberattack. To me. You can use a physical attack to simulate the same thing that makes it very tangible. You can say, look, we're seeing with the transformer attacks on substations where people are just shooting out the transformers.

Chris Humphries [00:20:48]:
We said for years for the sip stuff, I said, this cyber stuff is great, but if someone shot out three transformers at these three substations, we're done. But you can give somebody tangible, physical to see that, and then you equate that to, this is the equivalent of that on the cyber side. But again, how many times do we see ransomware getting hit where somebody forgot to look at the logs that had been there for three months, where the person was in there, right? We have the tools the people will always fail at, and we've got to somehow remove the stigma of, oh, you're going to the detention office, you're messing up. It's got to be a, hey, see something, say something. Let's figure it out together. And to your point, the phishing emails, I do a thing every month now where I send out to my constituents. They're very tricky now. They are very good.

Chris Humphries [00:21:31]:
Now, before it was pretty obvious that Wells Fargo is spelled with awelzfar. Like, you could see the things. But now I tell people, you have to right click on that originating email address and see where the domain came from. But it's very understandable that people get caught with these things. It feels like in Austin, I'm like, on CBS Austin, I'm like their PSA guy. Every month that these baby monitors have been hacked for whatever or Bluetooth tagging, how do we do that? And I'm happy to be that person in there because I'm like that. I'm going to date myself. Mr.

Chris Humphries [00:21:59]:
Wizard. Mr. Wizard, Mr. Rogers. Anyway, I'm that guy. That's, hey, guys, this is why you need to do that. When in my head, I'm like, you guys have to be knowledgeable of these risks. You have to unknowledgeable of the risk and accept the risk.

Chris Humphries [00:22:11]:
I think we're also so dependent on technology that we don't care. We don't think about that at all. I think this whole TikTok thing is crazy because I feel like we're the last generation that cares if they're mining our data. I feel like people these days, younger generations, that depend on these tools, yeah, you tell the that, but they don't care. I don't think anybody really sees what can be done with that. And even if you showed them, I don't think they would care, because it's just such a different world. So I think it's as technology and our dependency on that evolves and as stuff comes to market and as people continue to depend on that technology, I tell people it's an economy of scale. The stay at home mom doing her instagram influencing while the kids are asleep is susceptible to the same vulnerabilities that any multinational corporation is susceptible to.

Chris Humphries [00:22:56]:
So that scale can relate to everyone, and we've got to bridge that gap where everyone sees that.

Joe Toste [00:23:01]:
Yeah, no, that's really great. Let's jump to the audience. Q A, Shauna. And then we'll get Steve.

Shauna Rogers [00:23:08]:
I really like the fact that you guys are talking about trying to inform the public of the risk and safety of all of the modern technology platforms that they're using. Like you brought up TikTok, for instance. Right. And as a state government agency, we are now trying to govern having those platforms on any agency device. How do we work together as agencies to educate the public on the real risk that the are inheriting? I just don't see that people understand what's actually happening. There's no sense of reality as far as I'm concerned. So how do we work together to close that gap?

Chris Humphries [00:23:45]:
I think, for one, better late than never. But I'm shocked that we're taking this long to say TikTok can't be on any government or state issued devices. The big use case that I referenced, depending on. I don't want to get into the whole political thing, but the whole Cambridge Analytica thing, it was interesting to me when they did a documentary on that, and the were interviewing those folks, they wanted to sell their services to and the said every human on earth, whether they have a social media account or not, we have at least 85 data points on every person on earth, I think. And I co authored, I helped the co author of the Texas Data Privacy act legislation with representative Capriglione. And we wanted to put a GDPR like input in Texas before federal regulation got here. But of course the Google and Facebook people said we want to wait for federal regulation. Texas said, okay, we'll do it, but we'll do a viability study for everybody wants to say they're doing something, but they're not doing anything.

Chris Humphries [00:24:35]:
But to my point, until people actually see what nation state actors like China does with our data, GDPR is great because it now gives the consumer a little bit more rights to say, yes, you could have my data or no, you can't. And I have a say on where it goes legally and when you get to terminate it and all that kind of stuff. I think until people start really caring and seeing the damage that's done, when people hear on the news there was a data breach and x amount of Social Security numbers were compromised, what do you get like a notice from that provider saying we'll give you twelve years of credit monitoring or something like that. The consequences yet still are still very, I don't think they're tangible to the right to average people, to average folks today. And I think if you tell a tween or anybody right now to say they're to collect everything you're getting, they're collecting to use, well, so what? I don't care in the days too of why was I talking about this 2 hours ago and it shows up in my Instagram feed because you have your mic on by default and it's set that way. But people are now accepting that because that's a cool what some people, if they know that's happening, that's how you get your advertising now the stigma is changing where people now they understand what's happening, but they still have the ability to or mitigate that risk. I just think we don't have a cyber 911 and we don't have a data breach 911 yet that could show the true impacts of all the data mining that's being done. The stat is data.

Chris Humphries [00:25:53]:
Personal data is the most valuable commodity on earth right now. It's more valuable than oil. It's absolutely insane. So when you tell people that should resonate somewhat, but you're not going to fill your car with data. Every people don't have that tangible example and I think until we do and people understand that, I think that's the battle we're going to continue to fight.

Chris Winnek [00:26:12]:
I think to answer the question about what can we do. So we both serve on the cybersecurity council. That's how I met him. We're kind of the odd couple. Right. But he's got the energy and he says what he means, and he means what he says. But with the state cybersecurity council, we've talked about education initiatives. Those recommendations go toward to legislation every two years.

Chris Winnek [00:26:36]:
We have a task force we've set up. And right there in your building on the 13th floor, I think, well, that's kind of a, anyway, but there's a cyberstrategy task force, and I think one of the things you're getting at is how do we get a unified vision and message out. If you ask anyone in any different sector who's in charge of cybersecurity for the state of Texas, you'd probably get more than one. Don't think. I'm not implying that there's not a designated authority for that. I'm just saying that it's confusing who is driving the narrative and who's responsible for the training. Where does that training reside? How do you get to it? Is there a cost? And I think those are the types of strategy issues that we need, leaders like you and other people who can bring value to that discussion, because everyone on that council is just industry, private state agency leaders that are just trying to figure this out. And that council makes recommendations once every two years.

Chris Winnek [00:27:30]:
So we need to probably talk about, is that at the right frequency? Is that the right rhythm? Do we have the right people on the council? And if anyone's interested in that council, I'll be glad to talk to them about it.

Chris Humphries [00:27:41]:
Well, I want to piggyback on that, too. Texas is great at this. Like I said, we're great at showing we're doing something about something, but we don't do mean we have legislation in this council and all that stuff. And since we've started that council show long, it's been, what, six or seven years now. Every session that comes out, there's some new council in some industry specific sector that stands up that we don't know anything about. There's no coordination between any of that and who's on first. We have this thing that we're supposed to be doing, but it carries no, little to no weight and no one wants to say, put their hammer down and say this says this, we do this. This is how it's going to go.

Chris Humphries [00:28:17]:
Why would we put all this in place if it's just academic? And I've learned I'm not going to be a politician. I did four years inside the beltway DC, where it's a blank check, but I know how to play all that bureaucracy between three letter agencies in the White House and everything. But then I never thought Texas would be so much harder to deal with than DC because of everyone's self interest and not making anybody's hurting anybody's feelings and getting everyone to play together versus we're bullying you out. We're not doing that. We want you to enable you to do things better and make us do things simple.

Joe Toste [00:28:46]:
Yeah, I just want to make a comment on the state of Texas. So state of Texas right now is probably number one in the nation. I'm just across the board. I go to a lot of different states. I will say the state of Texas to this point, across the risk is exactly kind of what you just said. And Jamie Grant, who's the state CIO in Florida, and he talks about how his current job is getting rid of what he calls the moat dragons, right? So for those of you who are in Orlando and the moat dragons are any of those people who are stopping success or progress. And Jamie is an entrepreneur at heart, which is why I think I really get along with him and resonate who he calls it on a tour of public service right now. And the state of Florida has got the rap of being like the worst state in the nation for technology, right? Like the absolute worst.

Joe Toste [00:29:34]:
Like 50 out of 50. But then they're coming very quickly. Right now, a lot of things are changing and a lot of the moat dragon type of stuff of folks who are. We talked about this earlier, but just as the organization grows, it just gets so much harder. And so it's like you need the right leadership in the state and in the cities and in the counties to be able to focus on the mission and go out and actually accomplish the mission.

Chris Winnek [00:30:02]:
I think to Chris's point, I talked about residents earlier. That's what's missing. I mean, we have all of the virtuoso talent, but it's like you come into a symphony and everyone's doing the warm ups on their own. It's kind of this cacophony of just individual efforts, but they're all virtuoso musicians, and it just takes someone to take the baton, set up and hit and tap on that podium, and then let's get together and actually compose a plan and create beautiful music to the human capital.

Chris Humphries [00:30:36]:
The human factor being the weakness, it trickles down, especially, or trickles up to our lobbyists and our lawmakers. I'm sorry. When we did that Texas Data Privacy act, you had Facebook and Google lobbyists, which were some 24 year old lawyer reading a script that was prepared, saying that other states have tried to do this and we need to rate for federal regulation because they know it'll take ten years for that to get in place. Look at Google. What was their main revenue stream when they started? The data that everyone puts in there, they got to where they are because of the data. Of course they don't want to have any regulation on themselves. Of course meta doesn't want to be oversight because they can continue to generate that revenue from that. Lobbyists and people like that keep those self interest prioritized over consumers and citizens safety.

Chris Humphries [00:31:17]:
And it's just. It's really hard because guys like me and Chris, we care about what we're doing. We care, we don't want to have these long titles with all these groups we're part of and just sit in there and have it on LinkedIn that we're part of these groups. We care about actually doing stuff. Because it's also extremely frustrating for someone like me that I wasn't an academic. I'm not somebody that went to engineering school or computer science. I have a business administration degree that I finished years after I got started my career, because if I had a kid, I didn't want him to say, dad, you didn't go to college? Because I realized how much of an anomaly I was. But it's extremely frustrating that you see the capabilities we have, but the human factor is always the impedance from everywhere down from our lawmakers to our lobbyists to our technology providers themselves.

Chris Humphries [00:32:04]:
We just want to get to market and get that technology out there and start that revenue and capture the market, and we do not care what any consequences are. Sorry, I'm not bitter, but that's just the reality of what's going on.

Joe Toste [00:32:15]:
I'm just going to bundle what you said, care about the mission, and that's how you're going to change that. Steve, you got a question?

Steve Bell, SentinelOne [00:32:22]:
Oh, Steve Bell with sentinel one. From our conversation last night, which I really enjoy because you hit it, everything is about the mission and the people, and we just talked about doomsday, that nothing's going to get done right. We've got legislators that may not be technical. You bring it down to layman's terms. Can you give us an example. You can redact the organization. If we could all be like the city of Houston and work together with the county, the cities do that, but that's not what's going on, especially federated states. Give us an example where you went in and you've got the politics of no, or let's push it down the can, and you actually brought the behaviors and the problems, changed the culture of how to actually get this thing done and have.

Steve Bell, SentinelOne [00:33:07]:
Because if you think about one shared service that should be all the way across the board, I would think it would be cyber, because you simply don't have enough FTE to cover the problem. Because as soon as we educate them, they go to private sector, or at least I see that a lot. Right? So give us a good example so we all have a little hope.

Chris Humphries [00:33:23]:
So the keyword I used earlier is, I call myself a synergist. The synergies between things as great as that jackvall take exercise was, our attention spans are so short that month. After it's done, we're back to our old ways. It's so out of sight, out of mind that for a minute there, we'll all get together and figure it out, but then we go back to our own ways of doing things. But the three legged stool that you try to get everyone to unify around is you've got the regulatory risk and compliance risk that are driving things. You've got the operational risk, and then now you have kind of the reputational risk thing. But I asked earlier, do you have your lawyers writing processes? Because I go to entities where they're so paranoid about compliance, reputational risk. They literally have lawyers writing engineering processes, which is completely ridiculous.

Chris Humphries [00:34:05]:
I'm a counterintelligence guy, and Chris could attest to this. The way I simplify, counterintelligence is getting people to do stuff for you without them knowing they're doing it. So the utopia I try to sell people on in those kinds of instances are, hey, guys, if you own your processes that do these things right, that bake in whatever regulatory or legislative mandates you have that produce those natural byproducts, but you own that process, you'll never hear from compliance, ever. And then I make compliance job extremely easy. It's getting those, to be honest. I'll say it this way, by the time it gets to the legislative floor or anything like that, they said, the Russians and Chinese are here. We got to do something. Welcome to the party, pal.

Chris Humphries [00:34:41]:
Where have you been? It's too late by then. It really is. That's like the last thing that we get to finally, which is unfortunate, and it precipitates that reactive versus proactive model. But if you can get people to go in and say, hey, here's a list of 20 things from NIST that you guys can put in operationally that, oh, by the way, you're already doing, you just don't have it documented. Right. Those things will keep you ahead of your regulatory model. It'll handle these legislative things, and you're being secure by operationally owning it. Those are the things I have to.

Chris Humphries [00:35:11]:
The carrot that I have to put in front of everybody's face. And I've had success in doing that. Now, I mean, again, the electric utilities model came in and said the highest punitive threshold of any regulatory framework in North America, $1 million a day per penalty, per violation. And look at Texas's market. 70% of it is immunis and co ops. I go to places where the janitor is the IT guy. So what is that going to do? That's going to scare that 70% of the market to just be compliant, but that doesn't mitigate the whole risk to all of us as citizens. So being able to kind of sell to each department on how this is going to work together and stroking their egos, like you talked about at Camp baby Joe is the name of the game.

Chris Humphries [00:35:50]:
Kill the with kindness.

Chris Winnek [00:35:50]:
So I want to share a example of where I've seen it come together. And this happened after it happened after an incident. It was Jackson county judge Jill Scalar. She got hit with a ransomware. She called the governor, asked for support. We worked with our state partners. First time ever, we had deployed green suit cyber forces to an entity within Texas and helped them recover from this ransomware. It took about three weeks, and we helped them get on the right footing and establish their path to better cyber hygiene.

Chris Winnek [00:36:27]:
And we were talking about that and kind of going about, hey, lessons learned. Talking with some key stakeholders with TDEM and Dir and these different agencies responsible for these things. And within the next 30 to 45 days, Texas got hit in 2018 or 19, I think, with a statewide ransomware attack. And we used all of those lessons learned and those relationships, and we were able to respond, I think, to 17 different locations. And within, I think, two weeks, we had gotten everyone back to initial operating capacity to where their core functions had been restored, and they were able to conduct their city's business. And there's a lot of lessons learned after that, too. The one thing that I think that we left on the table was capabilities of the city of Houston, the city of San Antonio, all these other things, because those relationships and those trust relationships of what they have to bring, how they would bring them to bear, those didn't happen then. And that's probably the next step in our maturation, to bring in all the capabilities that you have, ma'am, and all the capabilities of the different major players in the state, and be prepared for the next or the first cyber 911.

Chris Winnek [00:37:38]:
I think they've already had a cyber 911. Right? I mean, we've had some major cyber incidents. It's just amazing how kind of in the blitz, people just get used to the current environment and they get used to the new threats and like you're talking about. You're right, and that's a great point. We have to fight the younger generation to explain why this is not the new normal. To have people stealing your data and using it, that's not right. We have to fight against that.

Chris Humphries [00:38:03]:
And I'll shift to something positive for once. I won't be negative the whole time.

Joe Toste [00:38:06]:
You know I'm positive, right?

Chris Humphries [00:38:08]:
Well, yeah. A realist is. What is it? A pessimist with experience? Is that the whole thing?

Joe Toste [00:38:13]:
I have no experience.

Chris Humphries [00:38:15]:
The weird kind of good thing to take away from these events that we've had is it's no longer hypothetical or theoretical. We now have the data sets to show this actually happened, and here's what happened, and here's what we had to do. Whereas ten years ago we had to say, guys, this could happen. This is probably happening. This is what the potential for this could be. We've had almost every scenario you could think of. Now that we're looking globally, the one I can think of the most is what I hear about is the Ukraine distribution network attack on their utility. Every year at Christmas, they got hit with this same black energy kit that anybody, my mother could download that kit and install ransomware on something.

Chris Humphries [00:38:50]:
That's show easy. It is. But the stigma was, oh, that's the Ukraine. Our grid is much more. It's the same thing. And distribution isn't even covered by the cybersecurity standards. Now in NERC, the NERC framework, too. We can't adopt cloud yet still fully and be compliant when these 70% of the market, they're dying for cloud services because they can't have the resources, and ftes, they can't hire the people, they need it.

Chris Winnek [00:39:12]:
I got to call them out. I'm waiting for the positive.

Chris Humphries [00:39:14]:
But the positive was. The thing I'm trying to say is the positive is we have the data sets to show what happens here. And these small to medium sized utilities that wouldn't stick their neck out before out of fear of compliance are now saying, you know what? Compliance is now third or fourth down on my risk. I'm going to adopt this whether they tell me or not, because I'll go to the mat with them and a lot of legal fees and all that crap. But the first guy over the wall is always the one bloodiest. But it's getting to the point where we have the data, people can see what's happening, and so people are more likely to take a proactive approach down than they were before. I agree with that, but we shouldn't be reading in the Austin american statesman when there's a ransomware attack in your sector. That's always pretty annoying, too.

Chris Humphries [00:39:54]:
So there you go. That's positive.

Chris Winnek [00:39:57]:
I feel like a kid holding a roman candle.

Chris Humphries [00:40:00]:
That's my positive note. We're all doomed. It's all over. No, it's fine. Don't forget how to do I was the last Morse code class in the army, by the way.

Joe Toste [00:40:09]:
Well, let's thank Chris and Chris for coming on the podcast. Hey, what's up, everybody?

Joe Toste [00:40:13]:
This is Joe Topsky from Techtables.com, and you're listening to the public sector show by Techtables. This podcast features human centric stories from public sector, CIOs, CISOs, and technology leaders across federal, state, city, county, county and higher education. You'll gain valuable insights into current issues and challenges faced by top leaders through interviews, speaking engagements, live podcast tour events. We offer you a behind the mic look at the opportunities top leaders are seeing today and to make sure you never miss an episode, head over to Spotify and Apple podcasts and hit that follow button and leave a quick rating. Just tap the number of stars that you think this show deserves.