Dec. 1, 2023

Ep.161 The CISO's 3-Step Guide to Building an Unstoppable Cyber Community with Candace Wynn, Cyber Community Ops Manager, and Warren Sponholtz, Deputy State CISO at Florida Digital Service

Candace Wynn is the Cyber Community Ops Manager and Warren Sponholtz is the Deputy State CISO at Florida Digital Service. They discuss how Florida is taking steps to improve cybersecurity through grants, incident response, and community building.

The Public Sector Show by TechTables

Welcome to our TechTables' Team Spotlight Series, where we spotlight innovative teams and unpack the human stories behind their digital transformations. This limited 5-part series was live from Tallahassee at the Florida Digital Service earlier this year (2023). This is Part 1 of 5.


Connect with Candace: https://www.linkedin.com/in/candacemwynn/
Connect with Warren: https://www.linkedin.com/in/warren-sponholtz/

In this episode, you’ll learn:

• About the $30 million Cybersecurity Grant Program to help local communities improve cyber resilience 
• How Florida Digital Service acts as a security operations center to help agencies respond faster to cyber incidents
• Why cybersecurity works best as a team sport 
• How Candace is connecting Florida’s cyber community through working groups and events
• The key role empathy and relationship-building play in statewide collaboration
• Warren’s perspective on Candace’s strengths in organizing the Cyber Advisory Council
• Advice for CIOs and CISOs looking to develop stronger cyber communities


Timestamps

00:00 - Introducing Warren & Candace
02:30 - Florida’s $30 million cyber grant program
05:00 - Warren on the importance of cyber collaboration
07:26 - Candace’s background before community building
10:35 - Warren highlights Candace's strengths
13:15 - Candace discusses the Cyber Advisory Council
18:00 - Connecting agencies through working groups
22:28 - Building empathy and trust with stakeholders
25:17 - Candace’s statewide outreach to locals


Transcript

Joe Toste [00:00:00]: Hey, what's up everybody? This is Joe Toste from techtables.com and you're listening to the public sector show by techtables. This podcast features human centric stories from public sector, CIOs, CISOs and technology leaders across federal, state, city, county and higher education. You'll gain valuable insights into current issues and challenges faced by top leaders through interviews, speaking engagements, live podcast tour events. We offer you a behind the mic look at the opportunities top leaders are seeing today. And to make sure you never miss an episode, head over to Spotify and Apple podcasts. Hit that follow button and leave a quick rating. Just tap the number of stars that you think this show deserves.

Joe Toste [00:00:34]: Welcome to the public sector show by techtables at the Florida digital expansion. We don't know what we're calling this.

Warren S [00:00:43]: Colab Annex, I think is what they call.

Joe Toste [00:00:45]: Yeah, everyone's got a different, everyone's got a different name. Warren, why don't you introduce yourself and then we'll introduce Candace.

Warren S [00:00:51]: Awesome.

Warren S [00:00:51]: I'm Warren Sponholtz. I am the deputy state CISO over strategy. So when you think strategy, think pretty much everything except for the operations side of cybersecurity. So it's training, it's the community development, it's governance, risk and compliance, it's policy and rule development. And of course I don't do any of that. I've got a great team that works with me, including Candace here, and been here since December. Beginning of December, I was a CIO over at the Department of Environmental Protection beforehand, had a great time doing that. And there were some really exciting things happening over here at Florida Digital Service and I wanted to be part of it.

Warren S [00:01:26]: So I joined the team who was recruiting you. So Jeremy and Jamie both recruited me and they kept working on me until I finally said yes. So they're very persistent, they did a good job. Get me over.

Joe Toste [00:01:38]: I love it. Candace, for those who don't know you a little bit about yourself.

Candace Wynn [00:01:42]: So I'm Candace Wynn. I am the community operations manager here at FLDS. I am not new to state government. I have been with the state for almost twelve years, so quite a while. I started with FLDS in January, so only been here for about six months on Warren's team. I think I have one of the most fun jobs here. I get to bring the cyber community together, so think locals, agencies, we get to do all the fun stuff, socials, and just letting the ISMs connect and all the security folks from all over connect together. So that's what I do. I love it.

Joe Toste [00:02:26]: Bringing the cyber community together. I bring the public sector community together. We have the same job, except I just sit behind a microphone is the only difference. Okay, we're going to have Candace for a little bit longer than Warren. I've got a very nice. This is my notebook. But Warren really helped me out because I didn't even have to have an intro call with Warren. So we're going to have Candace for a little bit longer, so we're going to come back to you.

Joe Toste [00:02:47]: But, Warren, a couple of things. Tell us a little bit about the grant program.

Warren S [00:02:50]: Yeah, so the Florida legislature appropriated $30 million this year for a cyber assistance program to be able to help local communities become more resilient, to be able to improve their cyber posture. That grant program was given to the DMS and to DMS or the Department of Management Services, and from Department of Management Services over to the Florida Digital Service. So we set out to enable these entities with ways to be able to improve their posture. And again, it's $30 million. It's for one year. There were some other grant programs in play. There was a federal grant program that was less money and had some other conditions around it. But the Florida legislature just realized that it was a need and a need for the entire state, so they provided that funding.

Warren S [00:03:37]: And I think if you watch the news and you see a lot of these places that get hit with cyberattacks, it's usually not your larger state agencies, it's usually your smaller communities and those who just don't have big IT teams or any IT team at all. Being able to reach out to, especially those smaller communities and help them along was a large part of the intent there. And something I think was just a great move by the legislature.

Joe Toste [00:03:59]: I love that. Okay. When I look at what you wrote down, I've got grant program. I've got about.

Warren S [00:04:07]: So I just covered about. You just covered about. You can do a follow up if you need to.

Joe Toste [00:04:12]: Response.

Warren S [00:04:13]: Response. Meaning we have two things with the response. Right. So here at the Florida Digital Service, by statute, we have a security operations center. So whenever there are cyber events that happen with state agencies or even with locals, we want to be able to help them through that situation so that they can stabilize and shut down any kind of cyber situation as quickly as possible and get them on the road to recovery as quickly as possible with this grant program definitely positioning ourselves and our relationships with the locals so that we can be better partners in incident response. And the other part of response to that is the response we've had to the grant program. So we got over 300 respondents across the state. Almost every county except for one responded to this grant opportunity that's all the way from Pensacola down to Key West.

Warren S [00:05:03]: Advancing with around 200 will be awarded to the program. Wrapping that up right now and building those relationships, setting it up so that we can help them with their cybersecurity problems, be able to push this funding towards them, to be able to bolster their cybersecurity programs and just start building relationships. Because you mentioned community, and we'll talk about it more, but cyber really works as a team sport, so we work better together. When we can talk about vulnerabilities, we can try to respond faster whenever things happen in our Florida landscape. So that only works whenever we work together. And we stop hiding information and being willing to be open with each other and share what works and what doesn't work. If somebody gets compromised, having candid conversations about that is important because cybercriminals don't care. They don't care who you are, and they don't care what you do.

Warren S [00:05:55]: But we care about each other. So we need to build those bridges and build that community so we can defend ourselves the right way.

Joe Toste [00:06:01]: Yeah. Okay, so cyber is a team sport. That sounds, like, not really technical, and that's good, right?

Warren S [00:06:08]: Because I mentioned this is the non operational side of cybersecurity. So, really, our group is challenged to build those relationships, to be able to figure out where we have gaps. There's a whole team dedicated to engineering the right solutions for cybersecurity, for responding to incidents, to being able to monitor the network, not the area that Candace and I focus on both sides. I'm giving you a hard time.

Joe Toste [00:06:39]: The reason why you guys are perfect for this is the podcast is all about sharing human centric stories.

Warren S [00:06:45]: Gotcha.

Joe Toste [00:06:45]: Yeah, I'm just. I'm chopping a hard know I love. And, yeah, I think everyone has a technical team, right? But, yeah, I always love this concept. I've heard it several times. Tim Roemer, who is the former CISO in Arizona, echoes something very similar, that cyber is a team sport and that the weakest line of defense is us, is me. And this stuff's getting really sophisticated, too. Crazy sophisticated. I'm constantly now having, even on a personal level, working with family members.

Joe Toste [00:07:16]: Don't open that email. Don't click that. They're just spoofing. It's crazy. It's pretty nuts right now. Okay, we got five lucky golden minutes. All right, what else are we covering? What makes this program different.

Warren S [00:07:31]: So I'd say the biggest difference between this grant program and traditional grant programs is we are providing capabilities instead of funding. That's important here with this particular local program, because if we were to provide a bunch of funding for communities around the state, there are certain communities that would be able to excel with that and be able to purchase capabilities or assessments or just anything germane to cybersecurity, and that's great. But again, when you look in the news and see who's getting compromised and who's just not equipped to be able to respond to these kind of threats and these risks, it's the smaller communities around the state. So our approach to provide capabilities instead of funding really scratches two itches. One, we can enable these entities. They don't have to do a procurement activity. They don't have a bunch of audit requirements around the consumption of these capabilities. So that kind of just rockets them to the front as far as being able to utilize or use these capabilities.

Warren S [00:08:30]: And then I mentioned before about incident response is because we're able to have these capabilities and they have integration with a CSOC, we're able to have visibility in what's going on in the threat landscape around the state. So we're able to see if a particular county has an incident, and we were able to identify the vulnerabilities that resulted in that incident. And if we see those same kind of vulnerabilities in the rest of the ecosystem, that's something we can be proactive about instead of that incident spreading across the state.

Joe Toste [00:09:00]: That was fantastic. I know you're leaving right now. Favorite Candace, you've been here six months.

Warren S [00:09:06]: Six months.

Joe Toste [00:09:07]: Six months. Favorite thing about Candace and favorite thing you would like to highlight about the work she's done in the last six months.

Warren S [00:09:16]: So I hope she talks about this. My favorite thing about Candace. I can say three things, right? I can say three things.

Joe Toste [00:09:23]: Yeah, you can say three things.

Warren S [00:09:24]: Okay. So I'm going to say her organization skills, her ability to push through an immense amount of work and product, and then lastly, just her ability to bring people over to the community. Right. She's very personable, very charming. Just somebody you want to be able to spend time with, and it's genuine. Right. Those three things really just make her crush.

Joe Toste [00:09:51]: Can we cut to the camera?

Warren S [00:09:52]: I want to see for the work she's doing. She's doing a fantastic job, especially with, she'll probably talk about the Cyber Advisory Council, but the work she's done with the Cyber Advisory Council has just really made it so the members are excited about engaging with us, and these are a bunch of people who are experts in their field and being able to have a program that they want to be involved with, and they know they're being taken care of and they can provide their input in a way that they know it's being taken seriously. And something done with it purposefully is something Candace has organized here, and it's really accelerated our ability to get the right advice from them, which kind of shapes the future of our cyber program.

Joe Toste [00:10:35]: Candace, you've been here six months. One thing about Warren, I can't top.

Candace Wynn [00:10:40]: What he did a great job. He is a very great leader. He empowers people like myself to go forth and do good things. He's very level headed. There's so much I like about Warren and about working for him and working on his team. I can't even begin to describe the number of things that are great about.

Warren S [00:11:03]: So sounds like she really couldn't come up with anything. That's fine. It's good.

Candace Wynn [00:11:07]: There's just too much.

Joe Toste [00:11:09]: No, I love it. I appreciate it. I think it doesn't typically happen where other folks are saying, like, hey, I noticed this, or, I appreciate you about this. And so I'm forcing you a little bit on the podcast. Cool question, Warren, super pleasure. At some point, we probably got to do a way deeper dive the audience. He hopped on for ten minutes. I'm like, I know he's a busy guy.

Joe Toste [00:11:33]: All right, Candace, we're going to move on and talk about community building. Cyber community building. I love that there's just like a boom. But before we get to this, okay, I'm super curious. What were you doing before community building? There has to be a story. Before you get to cyber community building, what got you into relationships? Were you an event planner before? Was there some background?

Candace Wynn [00:11:58]: No, actually, I do not have a background in any kind of community organized anything. I worked as a cyber navigator for Department of State before I came here. I worked remote, and I had been remote for about six years before I took on this job here. I went from being in an office by myself, at home by myself all day, to having to put clothes back on and be in front of people and talk to people and smile. But I've always been even working from home, I've always been customer oriented, just really big on customer service. So I think that's been one of the big things.

Joe Toste [00:12:40]: How did they sell you to come into the office?

Candace Wynn [00:12:43]: So it's funny, I actually previously worked with two people that worked here. And they called me and they're like, hey, we really want you to come to work at FLDS. And I was like, no, I work remote. You all work in the office. I'm not doing that. They're like, just come on, you'll love this team. This team's going to love you. And it's funny, they're like, there's some jobs out there.

Candace Wynn [00:13:04]: Just apply for all of them. So I said, okay. So I just went on, applied for all the jobs that were posted and they called and offered me the job and I declined it. I was like, yeah, thanks, but I'm not going to take it because I want to work from home. I don't want to come in the office. And they were like, look, Warren said, I know that you like working from home, but you will absolutely love after meeting in person because I did not know him before this job, and he's, you're going to love this. This is going to be a great fit. And so I took it.

Candace Wynn [00:13:35]: I was going to. I'm going to take your advice and I'm going to go for it and see where it takes me.

Joe Toste [00:13:42]: Yeah. Okay. Because normally everyone's trying to jump to remote, and then you might be the only person I know that jumped back. I'm not, like, truly remote. I have an office where I record virtual content, but I'm on the road so much, it's like my office is FLDS for the next two days. Right. So Cyber Advisory Council. Tell me a little bit more about that.

Candace Wynn [00:14:06]: The Cyber Advisory Council was originally the cybersecurity task force. It was established in 2019 by Governor DeSantis. It was made up of public and private sector professional security professionals. And they originally provided a list of recommendations to the state of Florida to become secure. And then from that, the task force turned into the Cybersecurity Advisory Council. I actually facilitate that entire process. It's made up of, the lieutenant governor is the chair. She's done a phenomenal job.

Candace Wynn [00:14:48]: And then the state CISO, state CIO and several other just security, there's, I think, two CISOs on there from private companies. And these people are phenomenal. So what they do is they essentially take everything that the state of Florida is doing. They look at it, they say, okay, this is what you're doing. This is how to get better. This is where you can improve, or they'll take best practices and they'll make recommendations to the legislature for us. So if they say, you're doing a great job here, but you really could do better, if you could do this, then they would make a recommendation and it actually goes to the legislature. So today we had a special meeting for the members to vote on those recommendations.

Candace Wynn [00:15:37]: They get turned into the legislature on June 30. So generally what happens is those recommendations will come in and then I will work with members from FLDS to make sure that they are getting implemented and worked on. And then I also float those recommendations into the agencies. Like, we have working groups with the agencies. So we talk about some of the recommendations from the council, and then if we have questions or we have roadblocks, hey, we don't really understand what would be the best move here, and they can help guide us. I've gotten to meet some really great people through the council. They meet quarterly. The last one was in May, and we met at University of Florida, Mr.

Candace Wynn [00:16:23]: Elias Eldayrie. He is the CIO at UF. So he gave us a phenomenal tour of the UF HiPerGator. It was the most awesome experience, I think. You think about a data center and you're like, that's boring. But it was phenomenal. It was so cool to see just the technology and everything that has been put into that.

Joe Toste [00:16:48]: You're like, I'm a community builder. I don't want to go to this data center. This thing is awesome.

Candace Wynn [00:16:52]: No, I'm like, oh, I like field trips.

Joe Toste [00:16:55]: Now, that's a term I haven't heard in a while. Okay, so let's talk about the cyber working groups. Okay, so we've got the advisory council touched a little bit upon it, but I think the working groups bleed into the kind of community piece. Bridge those.

Candace Wynn [00:17:13]: Yeah, so the Cyber Advisory Council has working groups, and then the agencies have working groups and with the agency working groups. So I facilitate those working groups. I have agencies that are the chairs over the working groups. And it's not just ISMs, it's other security professionals. And we have some that have the inspector generals in the working groups for like GRC and things of that nature. We have a community working group, a training working group, a solutions evaluation in which we review. The agencies come together, they review current solutions that are implemented through the enterprise, but it's also a place for them to connect on where some of their hardships are, where some of their gaps are, why they can't implement certain tools. Because a lot of times what happens is just as when we think about incident response, how if we can get ahead of it and we know that there is something out there that could affect the enterprise, then if you know about it, you could potentially stop it.

Candace Wynn [00:18:18]: So during these working groups, it allows the agencies to talk and bring some of their problems, some of their hardships, to the table. And a lot of times when they do that, other agencies are facing the same issues. So just getting roundtable, having an opportunity to sit and talk through, and a lot of times they're able to find resolution together on how to move forward.

Joe Toste [00:18:44]: Do you know if anyone's. You just said agencies are all facing the same problem. Is anyone documenting? Like, hey, here's every single agency here are all the same problems that are getting listed up in the kind of a shared collaborative resource.

Candace Wynn [00:18:58]: Yeah. So there's a few things that are done. So we do take notes in all these meetings, clearly, because what's the purpose of a meeting if you're not having anything productive come out of it? I take notes. But the other thing is, we have a shared space through Slack where they can communicate some of their issues there. And then we have a shared SharePoint site where they can upload documents and collaborate that way on things that they have. But what I generally do is take the things that they're facing and take it to the Cyber Advisory Council to say, look, this is where. Or take it to FLDS first. Can we help? If we can't help, why not? And then take it to the council.

Candace Wynn [00:19:41]: So that's how the council and the state all work together.

Joe Toste [00:19:46]: Okay. No, that's great. So there's a Slack SharePoint, and then it funnels up to FLDS. And then I guess whatever's either prioritized or most urgent thing kind of funnels up to the.

Candace Wynn [00:19:58]: Yeah, and even if it's not prioritized, we let the council members tell us, hey, you know what? Even if you don't have it prioritized, this does need to be front.

Joe Toste [00:20:07]: And so something I'm curious about, and I think it blends in with what Warren has here, but on kind of a larger scale of how do you think about cyber community mixed with training? The intersection of those two.

Candace Wynn [00:20:25]: So my job, I actually have two parts. So I'm training coordinator, but I'm also the community person with training. I think that it works. As far as some of the things that we're doing is trying to streamline requirements. The biggest issue that I see is that a lot of the agencies do not have the resources available to really run a mature, stout training program. They do a great job with what they have, but the resources are the issue. So being able to work together and collaborate on how they're maintaining training, how they're presenting it. That is one of the biggest things, I think, for bridging community and training.

Joe Toste [00:21:15]: For the other CIOs out there across the country that are listening. What advice would you give to them if they're looking to hire someone like you? They want to build a community, they want to incorporate specifically on the cyber side. They want to build this out. Where do they start? What advice would you give the. How does it look like?

Candace Wynn [00:21:35]: I think outreach is the biggest thing. Just building trust, building that community, being able to talk to people. And that's why it's so important to be in person. Like, you can put a face to my name. It's not just somebody saying, yeah, I'm here for you. Yeah, let's build this community. It's actually somebody who's spending time with you, who's listening to your problems. I always say that I am the agency's friend.

Candace Wynn [00:22:02]: I am there for them to tell me the good, the bad, the ugly, the beautiful, the great, the best. So everything that they have, I'm here to listen and do everything I can to make sure that they feel and are supported.

Joe Toste [00:22:17]: Do you work with Brad Oswald at all?

Candace Wynn [00:22:19]: I do work with Brad.

Joe Toste [00:22:20]: Okay. So Brad came on this morning, man, how many episodes was that? The whole day is just blurring together. Brad was fantastic. One of the big things he talked about this is it listening, building that relationship and empathy, which I think goes really well with what you just said about trust. People kind of. You can't have that relationship virtually. It takes time to be in person and build that relationship, which is super powerful. Here at FLDS, do you work across everything or what does it look, it's.

Candace Wynn [00:22:58]: My area does touch many different areas. So if you think about what I do and what service experience does, which is where Brad is, it does seem like we do the same things. But my goal is mainly to connect the agencies and the locals together. In May, I hosted a security social with ISMs. So I did ISMs plus one so they could bring one security professional from their agency. And we get there and we go to this place and people start coming in and they're like, ok, Candace, are you going to introduce everybody? And I'm like, what do you mean? You all have been coming to meetings together for a long time. And they're like, yeah, we don't know each other. Like we've never spoke.

Candace Wynn [00:23:46]: We come and sit in meetings together. We don't know who each other, we don't know what agency we're with. So my job is connecting those agencies together so that they will talk, so that they will pick up the phone and have trust in somebody else and say, look, I'm dealing with this. Maybe you are feeling some of the same heartaches. They should not have to go to someone to connect. They should be able to go straight to another agency to talk and have that friend relationship because they're dealing with different things. But anyway, meeting that, having that social, doing things like that has been extremely helpful, I think, for the state of Florida.

Joe Toste [00:24:27]: I love that. Yeah. Anytime you can come together and collaborate, good things are going to happen. Okay, so you're hitting the roadshow, connecting the agencies.

Candace Wynn [00:24:37]: So what we've been doing is the quarters that we have Cyber Advisory Council meetings. We also have a local town hall meeting to meet the locals. So in May, we were able to meet in Alachua County and we invited all surrounding counties and we ended up with a packed house. It was me, Jamie, Jeremy and Warren. And so we got to meet a lot of the locals. It was really fun, really cool. So we're hoping to do that with the next meeting. So the next one we have is in August and we're going to be in Orlando, and then I think November will be in Miami.

Joe Toste [00:25:13]: Anything else before we jump off the pod?

Candace Wynn [00:25:16]: Nope, that's it. That's all I got.

Joe Toste [00:25:17]: Hey, what's up, everybody? This is Joe Toste from techtables.com and you're listening to the public sector show by techtables. This podcast features human centric stories from public sector, CIOs, CISOs, and technology leaders across federal, state, city, county and higher education. You'll gain valuable insights into current issues and challenges faced by top leaders through interviews, speaking engagements, live podcast tour events. We offer you a behind the mic look at the opportunities top leaders are seeing today and to make sure you never miss an episode, head over to Spotify and Apple Podcasts. Hit that follow button and leave a quick rating. Just tap the number of stars that you think this show deserves.


Candace Wynn

Cyber Community Ops Manager at Florida Digital Service

As a seasoned and results-driven cybersecurity leader with 11 years of invaluable experience in information technology and security, I am passionate about driving the forefront of cybersecurity resilience and fostering a secure digital future. My journey began as an administrative assistant, and through dedication and determination, I progressed into the dynamic realm of IT and cybersecurity, where I have thrived in various challenging roles.

My career journey has equipped me with a unique blend of technical expertise and leadership acumen. I am adept at analyzing complex cybersecurity challenges and formulating strategic mitigation strategies that prioritize confidentiality, integrity, and availability principles. Leveraging my strong analytical skills, I continuously stay ahead of evolving threats, implementing cutting-edge cybersecurity frameworks such as NIST to fortify defenses and ensure compliance with industry standards.

At the core of my approach lies a commitment to empower and develop teams through tailored training programs and curriculum. I believe in fostering a culture of accountability and collaboration, where all stakeholders are actively engaged in safeguarding critical assets. My excellent communication skills, both verbal and written, allow me to effectively convey information to diverse audiences and build strong partnerships with stakeholders and leadership.

I thrive on the challenges presented by the ever-evolving cybersecurity landscape, and I find fulfillment in leveraging solutions to optimize security measures and strea…


Warren Sponholtz

Deputy Chief Information Security Officer at Florida Digital Service

Proven leadership and management including experience reaching across all aspects of Information Technology including infrastructure, project management, application development, service desk management and network administration. Able to build partnerships, improve organizational effectiveness and set a strategic vision to enable organizations to excel at their core mission.