In this episode of The Public Sector Show by TechTables we interview Michael Gregg, CISO, State of North Dakota where we talk about cybersecurity OKRs, how his team is setting the bar with "Operation Limbo" for automated phishing defense, bridging the workforce gap with mentorships and apprenticeships, why continuous improvement in cybersecurity mirrors the disciplined effort of a gym workout, and Michael’s latest books.
Connect with Michael: https://www.linkedin.com/in/michaelgregg01/
Timestamps
00:00 Intro
03:52 How to have "Best in Class" vision & mission
05:33 Cybersecurity OKRs and strategies
16:03 Innovation mindset: hard-wired or learned?
20:08 "H3" leadership qualities
23:34 Removing requirements to open possibilities
30:13 Workforce retirement and recruiting
34:51 What book did Michael give out at Cyber Con?
⭐️ Leave a Review
If you enjoy listening to the podcast, please leave a 5-star review on Apple Podcasts and let us know who you want to see next on the podcast in your review. Thanks!
You can also Tweet us on @thejoetoste and tell us what lessons you learned from the episode so we can thank you personally for tuning in 🙏🙏
🔗 Connect with TechTables
LinkedIn TechTables https://www.linkedin.com/company/techtables/
LinkedIn - Connect with Joe! https://www.linkedin.com/in/jtoste/
Twitter https://twitter.com/thejoetoste
Follow us on Instagram! https://www.instagram.com/techtablespodcast/
Website https://www.techtables.com/
Joe Toste [00:00:00]:
You're listening to the public sector show by Techtables, a podcast dedicated to sharing human centric stories from CIOs and technology leaders across cities, counties, state and federal agencies, joining in the conversation and touching the hearts and minds of leaders across technology today, from mission driven leadership to cloud AI to cybersecurity, workforce challenges, and more. Never miss insights from peers and vendor partners across the public sector. And to make sure you never miss an episode, head over to Techtables.com and drive your email to subscribe. New podcast episodes come out every Tuesday and Thursday, along with weekly behind the Mic newsletter. And one of today's podcast sponsors is Techtables plus, an engaging new community where you can have early access to never before released episodes, early access to live event recordings, early access to weekly three interesting learnings, early access to live event ticket purchases, no episode ads and more, plus three extra special bonuses when you sign up today. Bonus number one, access to the CEO show bonus number two, access to the higher ed show and bonus number three, access to the digital show. Join Techtables plus today. As always, thank you for supporting the Techtables network.
Joe Toste [00:01:05]:
Awesome. Well, today we have Michael Greg Ciso for the state of North Dakota, an author of more books than years I've been alive. The question is, how old do you think I am? And Michael, on one of his podcasts, said he stopped counting the number of books that he's either written or co authored. I guess you'll have to go count the number of books to figure out how old I am, but you won't know how old Michael is. Michael, thanks for coming on tech tables. Thank you for having me. Yeah, no, I'm really excited. And we got to give a shout out to Ray Jeffers for introducing us.
Joe Toste [00:01:38]:
And actually, just right before we hopped on, you were telling me the story of how Ray met you. Could you actually just retell that story real quick for the audience? I thought that's great. Yeah.
Michael Gregg [00:01:49]:
So when Ray took over his position for the state of Colorado, I'd called him and we were talking, and when we were talking, I kept thinking, I know I have met this guy before somewhere. And we started talking about it and he said, sure enough, he said you were at a conference, and I was at a conference. And he said, I had you sign your book that I had a copy of. And he said, actually we did a picture together. So believe it or not, he actually found it and sent it to me.
Joe Toste [00:02:17]:
He put it in the text and.
Michael Gregg [00:02:18]:
Showed me the picture and how he had that picture from back around 2000. I don't know, because I've changed phones 30 times since then, but he still had the picture. It was like, yes, I knew that I'd met Ray before.
Joe Toste [00:02:30]:
They're like pre cloud. How did he get that photo? Did you print that out and take a scan of it? That's pretty funny. Yeah, I can't wait. I'm actually having breakfast with Ray in Texas. I'm speaking with the gal in Austin at a higher education event, and the morning I fly out, I'm going to get together with him. So I'm pretty excited to grab breakfast with him and actually meet him in person. That's always my favorite. But jumping on to our interview, I had a ton of fun prepping for this interview.
Joe Toste [00:02:56]:
I'll be honest, I haven't read a single one of your books, but I did know you had all of the books. And I was talking to a ciso of another city or county or state yesterday. Forgive me, this is like seven interviews this week, so they kind of all blend together. But I was like, do you know Michael Gray? He's like, oh, yeah, I've read one of his books. And I was like, which one? And he's like, I don't know. I'm like, oh, that's really funny. So I got to follow up on which book that is. And maybe this folk out in Florida can get a photo with you the next time you're in person.
Joe Toste [00:03:31]:
Yeah.
Michael Gregg [00:03:31]:
And remember, the most important thing, always, when you buy books, always buy the new. You never want to buy used books. They might be written in germs, you never know. Always buy new.
Joe Toste [00:03:42]:
Yeah, that's where I'm at. So when I was Diving in, listening to some of the podcasts that you've been on, you were describing what you called best of class, vision and kind of heart for the mission and the work that you do, the state of North Dakota. And I just love that. And I was wondering if you could just help us unpack that for the audience as far as what you meant and give us a little bit more detail on that. Sure.
Michael Gregg [00:04:08]:
I think one of the things as a leader is that you have to have a good vision, you have to have a mission, and then you have to have a strategy built to that where people understand where you're going, what you want to do, what you're trying to achieve. So, as an example, when I took this role for North Dakota, the big thing that I put forward immediately was that we want to build a world class cyber operations center that leads as far as in the state and in the government sector. So that was our overall vision and our mission to build out this world class cyber operations center and the pieces that we needed for it. So once we're able to kind of do that and get that vision out there as far as where we wanted to go, then I've spent the last two, two and a half years then, with the strategy to try to move that forward.
Joe Toste [00:04:59]:
Yeah, I love that. And this actually dovetails really well, actually, into my next question and thought. So you talk about the vision, you talk about the mission. I think making it a reality comes down to how do you flesh that out in okrs, like creating very clear okrs and direction? And I was kind of curious. You've got a lot of wisdom. You've got 30 something plus books. And I think just for the audience of helping the audience to understand, could you walk us through an example of what a cybersecurity OKR would look like and how you keep driving those on a quarterly basis?
Michael Gregg [00:05:40]:
Sure. I guess I'd start off by saying that I've been lucky because a couple of positions back at one of the previous CISO roles I held, I had someone introduce me to okrs then, and I really liked the concept and I started to adopt it. So when I came here, that was one of the things that we adopted and we put in place. So basically what we do is we set up the key objectives that we want to move forward for the next quarter and out of those key objectives, then we build the results or the roadmap as far as how we want to get there. So what do we need to do to get there? And the most important piece is, because you don't always reach your goals, you don't always get where you want to get when you don't get there. Then at the end of the quarter, what we do is we do an autopsy or a post mortem, and we look at it and we say, what were the blockers? What kept us from getting there? What could we do differently next time to get around these barriers? But so for us, when we do these, we do them different ways. So usually we put some kind of goofy tag to them. So an example of one would be operation limbo.
Michael Gregg [00:06:46]:
How low can you go? So half our load as far as a cyber operations center, and we work about 50,000 incidents a year is what we actually see. Our total number detected is much higher than that, but we work actually 50,000. Out of that 50,000, probably about half are phishing. So what I wanted to do was automate that process because if my team's working phishing and they're working these items, it's a repetitive job, a repetitive task. One, two, there's more important things potentially they could be doing. Three, I don't have the cycles to grow their skills. So we built operation limbo. How low could you go? The first thing we did out of that was the first piece was we had to have the metrics.
Michael Gregg [00:07:30]:
So if you're going to set a goal, you have to have a way to measure and say, is this goal we're trying to reach? Did we reach it or did we not? And that's what the metrics piece gives you. But then behind it, what we did was we worked with our vendor, Palo Alto, and we developed what as far as I know, really the first machine learning AI approach to handling these phishing incidents, really as far as I know, in a security operations center. So we actually were able to put this in place, then we had a period of time where we had to get the system to actually learn and adapt and be able to pick this out. But in the end, what we were able to do is drastically reduce the amount of these phishing incidents that our analysts actually have to touch and remediate. We can handle a lot of that on an automated means now.
Joe Toste [00:08:19]:
Yeah, no, that's great. Did you ever catch Google kind of had this famous OKR talk, how Google sets goals? OKR kind of startup? Okay. Yeah, I think it's like an hour and 20 minutes. We'll probably link to that video in the show notes. It's really great. My domain is more like setting okrs for the podcast and stuff, but it's interesting because I haven't heard too many folks in the cybersecurity space talk about okrs. And I think that's a really important topic just because, well, there's always a million things going on and so how do you stay focused on what you're trying to drive forward?
Michael Gregg [00:08:58]:
And that's really what it is for us, because if I'm being honest, we get pulled away and we get pulled away to incidents and events and we spend a lot of time working that, putting out fires, so to speak. But when we come back to the day to day work, what do you focus on out of the million bright and shiny things you can do by setting the okRs? That gives us our three to five items we're working on and allows us to pivot back and just focus on those. Because what I would tell you is at the end of the day, being successful as a leader is about execution. You have to be able to execute, and you can't execute a million things. You won't get a million things done. You have to pick those top two or three and focus on those and put all your energy there.
Joe Toste [00:09:41]:
Yeah. If people are wondering why I really like Michael, it's because not only can he set okrs and he's got a mission and a vision, but it comes down to execution. I coach high school basketball, and this is the same thing I tell my players at the end of the day, they have to execute. And when they come to me asking, coach, I want more playing time. And we pull up the film tape, we did not execute. You do not get playing time. So I love this. So we've got the mission and the vision.
Joe Toste [00:10:09]:
We've got the okrs. You're rounding with execution. The other piece that really stood out to me thinks a little bit rare in the public sector is that you have what I would call an entrepreneurial mindset, which I absolutely love. I love this. And so on this previous podcast that you were on, you had said you are not interested in managing a shop. I love that. No one wants to be managed anyways, so let's just get that out there. Unless the one exception would be unless you're very young and looking for that.
Joe Toste [00:10:43]:
So some of the high schoolers like being directly managed, but at some point, when you get to kind of the varsity level, they take more ownership and they can start to move. But once you kind of get out of that earlier part of your career, so to speak, no one really wants to be managed. They want to be transformed. They want to grow, they want to evolve. Could you tell us how that plays out in the state and how your thinking around that is helping to kind of propel the next generation of leaders?
Michael Gregg [00:11:11]:
Yeah, we've done that a couple of different ways. The first way that we really approached that and took that on was internally. So to me, I would call it sharpen the saw. And what I mean by that is I want my team to grow. And I want my team to grow not only in their technical skills, but I need them to grow in their non technical skills. So we've actually set up a program where our team does, on average, at least one technical course a year, be it sans others that are out there, those type of technical courses. Also, we have the do at least one technical conference a year, but in between, I have what I call the gates, and the gates are our non technical training. So we use things like Udemy, LinkedIn learning, and others that I've invested in heavily.
Michael Gregg [00:11:57]:
And what that means is, for example, you want to do that next malware class and learn how to do static or dynamic malware analysis. Well, first you have to do a training class on how to hold better meetings, how to better prepare PowerPoint presentations, how to write reports, and how to do better reports. So we do a series of nontechnical training as a gate. Then the individual goes through to the technical training, then they do conference or event, and then they do the next piece of the nontechnical training. So, like, for example, we talked about okRs. When someone comes on board, that's part of our initial training. It's OKRs and some stuff on project management because you got to be able to move your activities. You got to be able to determine what you're going to move and how you're going to move these.
Joe Toste [00:12:44]:
Yeah, that is absolutely fantastic. I'm kind of curious, what's your favorite technical cyber security conference that you like to go to or you recommend to your team?
Michael Gregg [00:12:54]:
Oh, that's tough. I mean, honestly, I like the all Barce, black hat, Defcon, you name it. I've just had some team get back from the Wild west hacking event. So I had team members there. So it's a variety of different events. And I mentioned the training earlier. The training is really only half of it. The other half is we have a dedicated cyber range.
Michael Gregg [00:13:17]:
So every month we bring our team together. And that's not just our analysis and response folks. That's people from security infrastructure, from active defense, from our automation engineering teams, and we bring them together and we put them in the cyber range because we're going to deal with events. So let's go through it and let's practice and let's drill. And the more we practice and we drill when we get these live events, our team is much better as far as being focused and coordinated and have that vision to be able to drive forward and remediate those issues quickly.
Joe Toste [00:13:51]:
Yeah, no, that's great. So I talk to a lot of folks every single month, and even some of the younger folks who have come up to me who have felt frustrated at either their bosses or their team members because they want to affect change, but nothing is moving. And you had a great example of kind of what I call leading up. Can you tell us a leadership story early on in your career when you were taking ownership during these monthly meetings and jotting down the action items afterwards that were required to actually execute on? I thought this is a great example of coming in, and you weren't asking anyone, should I go do this? You were taking ownership, taking leadership. Could you just maybe tell us that story? And how kind of younger folks who want to lead up today can get started doing that, too?
Michael Gregg [00:14:41]:
Yeah, I'm not sure which one you're talking about, because I've given different ones, different examples.
Joe Toste [00:14:46]:
You're on 34 podcasts, too.
Michael Gregg [00:14:48]:
Yes, I've had different ones over the years, but the one thing I always tell people is leadership is not a position. It's what you do. So, as an example, for me, early on when I was at a team and I was just a rank and file employee, I noticed every time when we would go in and we would go into the big team meeting in the huddle, everybody get in the room. The managers, the directors, the team leads would be seated at the front of the room, and the rank and file employees would be at the back. It wasn't that anybody told you had to be back there. It's just how we kind of segregated ourselves. So one of the things I did was move up toward the front of the room. One, because I could hear more of what was going on, and I knew I'd retain more.
Michael Gregg [00:15:30]:
And two, I wanted to be a part of what was going on, so I tried to take that leadership role. So what I did early on in that case was built out, basically the types of activities we were doing, which was pen testing and other types of activities, how we could do that with other entities that needed it, the other department and agencies that we worked with, and basically built a catalog out of these services and put it together and then volunteered to present on it at the next meeting because I wanted to lead and I wanted to see this grow.
Joe Toste [00:16:01]:
Yeah. No, that is fantastic. Where did you learn or have that desire? I really want this to grow. Was that just always within you, or is this something you kind of do at a mentor along the way, or is it just how you're wired?
Michael Gregg [00:16:15]:
Yeah, that's a good question, too. I think it may be different. People see things in different ways, or you grow over time. Because for me, one of the things that I realized over time, but it took me a while to kind of put this together, was like, I'll buy old cars, and then I'll restore them. But then after I restore them, it's done. Okay.
Joe Toste [00:16:36]:
I like it.
Michael Gregg [00:16:37]:
It's really cool, but it's done. And then I'd move on to the next project. I flipped some houses where we would go in and get the contractor and do the house and do it. And I finally realized that the part I liked was the building improving and making it better. That's the part that really brought out the best in me and that drove me to do better. So that's kind of what I've tried to focus on and focus on that piece. So maybe, as you said, it's how people are wired or it's a skill you learn.
Joe Toste [00:17:05]:
Maybe both. Yeah, some good combination. Did you ever read zero to? Yeah, I think I'm pretty much in that category. I love creating building, and then after that, I tend to get highly bored and my mind just like, strays when there's just more and more meetings and other things that are not required. I'm definitely in that zero to one category. I love creating love building, but I do think there's some combination of both, which is totally great. Folks often think cybersecurity is kind of this one and done event, rather than treating cybersecurity like working out at a gym, which I love this analogy that you gave. There's no standing still.
Joe Toste [00:17:47]:
You have to put in consistent effort to show up.
Michael Gregg [00:17:50]:
Show.
Joe Toste [00:17:51]:
Is that like cybersecurity? Could you maybe just tell the audience that analogy and how you kind of see it playing in? Yeah, sure.
Michael Gregg [00:17:59]:
I really like that analogy because to me, working out is a direct parallel to cybersecurity. And what I mean by that is, you think of technical controls, you think of physical controls, you think of administrative controls, for example. It's the same way. If I just go and I just work out my arms, I'm really not doing what I should do. I should have a full body workout. So it should be arms, backs, legs, core. You have to do all this. And cybersecurity is the same way.
Michael Gregg [00:18:28]:
You think, well, you need things like user awareness training, obviously, but you have to have vulnerability remediation, you have to have strong authentication, so you have to have all these. And then the other piece is sometimes people have this paradigm or thought that you do it once and then you're done and that's it. But it's just like a workout, because when you work out, you don't keep that strength and you don't keep that vitality if you don't keep working out. So it's much the same way with cybersecurity. You're really never done. You have to in practice and keep improving and keep honing your skills, just like you would for a workout or getting fit.
Joe Toste [00:19:05]:
Yeah, I like this. I'm going to clip this and send this to my friend Tim Roemer, who probably works out really consistently. His arms are pretty big, which is pretty funny. I haven't actually heard that. When I was listening to this, I was like, oh, this is great. I'm going to clip this, send it to him, and I know he'll get a laugh out of this one.
Michael Gregg [00:19:27]:
And you remember there was that guy maybe a couple of years ago, he was in mixed martial arts, and he went by pypy, and he had these really huge arms. Do you remember? And he had these huge arms, like the biggest arms in the world. But every match he went into, he lost because he only had that one part fit and it wasn't the entire body.
Joe Toste [00:19:48]:
Yeah, you need a whole of body approach, just like a whole of state cybersecurity approach. Wow, look at that. We brought it full circle.
Michael Gregg [00:19:57]:
What a transition.
Joe Toste [00:20:00]:
It's almost like I had that teed up. Yeah. So I love this. I heard this on maybe another podcast that you were on, but you love to look for three qualities in a CIso. Let's call it h three leadership. You had honest, humble and hungry. And there's a great book on h three leadership that covers humble. The has a be humble, stay hungry, always hustle very close.
Joe Toste [00:20:31]:
Yeah. So I would just love. Tell us, why do you love these qualities so much? What has attracted you? Are these just the common denominators that you found over time, whether hiring people or just working within teams that you found? Hey, these are the three best give you.
Michael Gregg [00:20:48]:
I'll give you two examples in my current role here for the state of North Dakota. And previously I was an expat for about three years overseas. And in both these positions, I had a very hard time getting people that were mid career or they're later in their career, because honestly, we didn't pay what they could get at other organizations. So what I found was that I could teach the skills and I could teach those skills that were needed. If I got people that were driven, they wanted to do it. They were excited about what they were doing, and they wanted to learn and grow more. And that's why when I talk about that approach, we bring people in, we do the training, we do the cyber range. One of the other things we've done is we've reworked all our job wrecks.
Michael Gregg [00:21:36]:
So our job wrecks, you ever seen these, where they have, like, an entry level job and it says a CSSP is required, and you go, but a CSSP is four or five years experience at least. So we reworked all ours. So entry level positions. If you've got a certificate, you've been to a boot camp, you've got the experience, you've got a two year degree, we'll bring you on because I can teach you the skills, but I can't give you the drive. If you have the drive and you have that piece, I can introduce you to the technology. And I think the cool part about what we do as the state and what we do, at least in our area, is we give people a wide variety of tasks. So if you went to a major corporation, you were go to work and you did MFA or you did VPN. That's all you're going to do all day.
Michael Gregg [00:22:23]:
You're going to do that task over and over. We give people a variety of tasks and activities for them to do where they can branch out and they can see what areas interest them and what they like, and then they have that ability to move around within our team and to continue to grow that skill set.
Joe Toste [00:22:40]:
Yeah, that is really great. I think one from having the certificate option, that's a route you can go moving people around to keep them engaged. And that's got to be huge for retention, I imagine, which is totally great. Why don't you think more. So one of the big things I've heard is workforce challenges. And it's a huge topic. And sometimes I look at, because the nice thing is I'm not in per se in the public sector. I host a podcast.
Joe Toste [00:23:17]:
I go to a high school campus. I'm kind of somewhat there. You can reach me at J Toste at Santa Barbara Unifiedschooldistrict.com. No, I never answer it and it's full of administrative emails. But I'm not, like, in it. So I'm kind of detached. And so sometimes I look out at stuff and there's this huge disconnect where in the public sector I just come across because I'm researching for so many podcasts. This city or this state says you've got to have a bachelor's degree.
Joe Toste [00:23:48]:
You're like, okay, whatever. Maybe it's a check, maybe it's not. You got to have 20 years of experience. And they list the job description. I laugh because I'm like, no one would hire me to run their media. I don't have 20 years of experience. I'm barely 20 years. No, I'm kidding.
Joe Toste [00:24:03]:
And so how do you think we solve that disconnect between. I think the state of North Dakota has done a great job of actually illustrating and getting people in the door. But how do we fix that disconnect for so many cities, states, counties, the job descriptions just don't reflect the reality of the workforce today.
Michael Gregg [00:24:27]:
Well, I mean, that's a big challenge, and it's multiple pieces that really have to be addressed. So, as I said, for us, one of the things we did was work very closely with our HR team to be able to change the requirements for bringing individuals in. Second piece was we developed a much more tiered approach. So when people come in, I have the ability, hopefully, for them to bid on and move up and advance their career, even if it's in small steps, to move up to more senior roles. The third piece is building that pipeline of individuals coming in, and we've taken a couple of approaches for that. The governor, one of his main five, he's got five initiatives. Out of those five initiatives, one of them is cyber education. So with cyber education, for example, now we have cyber madness.
Michael Gregg [00:25:17]:
So we have this. Last year, we've had high school teams come together and actually work on these tabletops and work on these challenges together, and they hack each other and they target each other, and we get a winner out of that, and that's to develop that cyber skill. This year, we'll move that down to the junior high level. And when I was at the NASO event here a few weeks back, I actually talked to a couple other states that said, we'd like to be in that, too. And I said, this would be great because we could have a state to state competition. Let them come up through the states and let the states battle it out like March Madness, have this final out of it. The second piece is working with the colleges and universities. So we're working with the colleges and universities to stand up the first student sock in the state of North Dakota.
Michael Gregg [00:26:04]:
So what we want to do is we want to change the way education works now, because if you look at a lot of the cyber education today, it's what, firewalls, edge devices, it's stuff that's really ten years back at least. We've got this thing called the cloud now, and there is no edge of the network anymore. So we're working with them to help them be able to develop the skills, to have cyber analysts, SoC analysts, develop playbooks, get the coding, do the active defense work, and get this work actually in college. And then what we can do is we can use that as feeders into our teams. The second piece is give them the ability to come job shadow. So we do a job shadowing program. If you want to see what a day in the life is like, you can come do a day in the life and you can come do that. Third one is we've opened up an apprentice and an intern program.
Michael Gregg [00:27:01]:
So I'm happy to say for our last intern, we had over 150 people apply for one open position. For one open position to work part time with us. So if we can do that and we can act as that feeder in, then we can help change this paradigm. So as an example, in the last two years, I've got about an 85% placement rate of the interns coming in, 85% stay on and then transition to being full time employees. Because they see the work we do, they get engaged with the work, they understand there's a mission to our work, protecting the state, and they've got a chance for growth. And.
Joe Toste [00:27:40]:
That was. That was fantastic. I love this cross state NC Final four a lot. If I was a governor, obviously I'm not, but I love this idea. And I would almost structure it where if any of the kids make it into this bracket, you've got North Dakota versus Texas or whatever. If I was a governor and if I wanted to keep these kids in my state for my own economy, my own selfish economy, I think this could be a really great idea. I would give them scholarships to call it. If you just make it into the bracket, you're going to get a scholarship.
Joe Toste [00:28:15]:
If you stay in the state, I think that would be big time. And then the winner gets. I don't know, whatever it is. But you have a lacrosse state collaboration. I don't know why you wouldn't be able to get all 50 states to do this. I think it'd be great. I don't know how we do that. I don't know how to get a hold of all 50 governors or whoever is in charge to make that happen.
Michael Gregg [00:28:36]:
But we can start with two or three.
Joe Toste [00:28:38]:
We'll start with two or three.
Michael Gregg [00:28:40]:
Yeah.
Joe Toste [00:28:41]:
Okay, I got it. We get Rob Maine. We talked to Rob.
Michael Gregg [00:28:46]:
There you go.
Joe Toste [00:28:46]:
Because when I interviewed Rob, he told me there are 23 million cyber position spots open. And I'm forgetting the details on that stat, but that's a lot of people. That's a lot of openings. So we could get North Carolina. I am sure we could get Nancy and the folks in Texas. I am sure we could get Jeremy and the folks in Florida. There you go. Yeah, we could get Ray in Colorado.
Michael Gregg [00:29:15]:
I like this.
Joe Toste [00:29:18]:
Yeah, we could get Tim and the folks in Jr. Out in Arizona. We could get a bracket going. I like to think about this and I'll have to email everyone at once.
Michael Gregg [00:29:28]:
Because I'm going to need coaches. And you've said you're a coach, so here we go. I think there's a good fit for this.
Joe Toste [00:29:35]:
I'm popular with the high school students only because I hang out with them six days a week during the basketball season. So, no, this is great. I love this. I love this idea. A number of folks have been entering the high school and the junior highs, and you have to evangelize cybersecurity. I mean, when I was in high school, I had no idea if cybersecurity was a thing, and it probably wasn't because when I look at history, but, yeah, I think evangelizing this, going to the junior colleges, going to the universities, building that pipeline. Right. You can't build a pipeline if no one's aware that they should.
Michael Gregg [00:30:12]:
Yeah, that it's the, and it's critical because not just in our state, but in all states, we're facing a workforce that's aging. Many of those individuals are going to retire soon, within probably the next three to five years, start retiring. And we've got to have a way to replace that. And if we don't show the value of government work and the benefits of doing this for individuals, then we're lost. And the other piece is people think, well, you tell people about the insurance, the retirement plans, those items, but so many of the current generation, different than mine, they're not interested in the same things. They're interested in learning, growth. What's in it for them? What's the path? How can they advance? So we try to start that conversation as soon as we bring people in for an interview and ask them, where is it you want to go? Where do you want to be in five years? How can we help you get there?
Joe Toste [00:31:04]:
Yeah, no, this is really good. So I met with an individual who came on the podcast after the show confessed to me, and I will have them remain unnamed and said, joe. And there was a certain word that was involved, but basically the effect was, we are in a whole heap of trouble because all of our people on our staff are 60 plus and they're going to retire. And I was like, that is a hard problem. You need to start getting people a lot younger inside very quickly and having, I don't know if it's a knowledge transfer, but there needs to be like a rapid mentoring program or your state or city or county. I'm going to mask that up. You're going to lose everybody. You need younger people to come in just real quick.
Michael Gregg [00:31:54]:
The final thing that we've done here that I think is really great is my team is the first in the state that we've actually started an apprentice program. So we started with one this year. So if the individual comes in, they're currently in school, they're working toward their degree. They work a certain number of hours with us, which is about 30 hours. And if they stay, and they stay for three years, they get a portion of that education toste paid back. So we're looking to actually improve that and grow that. This next year is what we're hoping after we go into session, that we can get the legislative team to agree with us on this and grow this, because school is expensive. So if we can help with some of that cost and we can bring these folks in and show them the value of what we're doing, we've got folks that might stay there for some period of time and help grow the state and move our mission forward.
Joe Toste [00:32:49]:
Yeah, I love it. Yeah, I absolutely love that. So I had a great. As we're wrapping this up, I had a great conversation. If anyone wants to actually follow the kind of workforce planning with John Rogers out at the Indiana office of Technology. Yeah, they got a great program out there about how they're trying to develop talent in house. I love this concept. And more states bringing on mentorship programs.
Joe Toste [00:33:11]:
And then exactly what you said, michael. Having them have the flexibility to move around within the state is genius because I'm a millennial. What am I, 34 next month?
Michael Gregg [00:33:26]:
I knew it was coming.
Joe Toste [00:33:28]:
I know. We get bored, and so at least the 20 year old version of me, mid 20s, got bored. So, yeah, keeping folks engaged is huge. It's totally huge. So I love that. All right, as we wrap up, one final question for you. Top three books that you either gift or like to recommend to folks that we should be reading.
Michael Gregg [00:33:49]:
Oh, now that's a tough question, because a lot of times I gift my own books, because usually when you write a book, they'll give you a whole box of them. So I gift those. I'll be honest there. But also, I recently went through collaborator Parish. That was actually given to me by Mike Garrity Ciso of New Jersey. And then the latest one is leading in tough times to John Maxwell.
Joe Toste [00:34:18]:
I like John Maxwell. He's great. Love that. Okay, so I'm not letting you off the hook. That was the first answer was super soft. You gift one of your own books. You've got 30 something books. Okay, you got to pick one book.
Joe Toste [00:34:33]:
What's the one book? That you're going to gift.
Michael Gregg [00:34:36]:
Well, if I was your gift one, it would be the one that would be most current because that's what they've given me at the time, which would be probably the ceh exam prep. Yeah, that's the last one I've done. So that would be it. So we did Cybercon a few weeks ago and I got the publisher to send out, I think 20 or so books. So I signed those and we gave those away there. So I'm always happy to give that stuff away when I can.
Joe Toste [00:35:05]:
Awesome. I love that. Well, this is fantastic. Michael, thank you for coming on techtables. This is a ton of fun. Loved hearing a lot of the leadership insights and lessons that you have. Any final thoughts? Where can people find you? Where do you like to hang out? Is LinkedIn the best spot? How do you like to stay connected?
Michael Gregg [00:35:22]:
Yeah, pretty well. LinkedIn is the primary one where I stay and stay kind of connected to folks, and I've just enjoyed our time here today. It's been a great conversation. Thank you for having me on.
Joe Toste [00:35:33]:
Yeah, appreciate it.
Joe Toste [00:35:35]:
You're listening to the public sector show by tech Tables, a podcast dedicated to sharing human centric stories from CIOs and technology leaders across cities, county, state and federal agencies. Joining in the conversation and touching the hearts and minds of leaders across technology today, from mission driven leadership to cloud AI to cybersecurity, workforce challenges, and more. Never miss insights from peers and vendor partners across the public sector. And to make sure you never miss an episode, head over to Techtables.com and drop an email to subscribe. New podcast episodes come out every Tuesday and Thursday, along with weekly behind the mic newsletter and one of today's podcast sponsors is Techtables plus, an engaging new community where you can have early access to never before released episodes, early access to live event recordings, early access to weekly three interesting learnings, early access to live event ticket purchases, no episode ads and more, plus three extra special bonuses when you sign up today, bonus number one, access to the CEO show, bonus number two, access to the higher Ed show and bonus number three, access to the digital show. Join Techtables plus today. As always, thank you for supporting the techtables network.
Chief Information Security Officer, State of North Dakota
Michael Gregg is the state of North Dakota’s Chief Information Security Officer. The state CISO is responsible for establishing and leading the strategic direction of cyber security for the state and advising the governor and legislators on key cyber issues. With Michael’s cyber experience span being over a period of two decades, he has been a pioneer of helping people interested in becoming IT professionals as well as seasoned IT professionals achieve by sharing knowledge by means of authoring over 25 IT cyber security books. He enjoys contributing his time and talents where there is a need to help others learn and grow by holding board, committee, and advisory positions for non-profit organizations. He holds a Bachelors degree, Masters degree, and many security certifications.