Texas and Nebraska's state CIOs spoke to Ask the CIO: SLED Edition about local government ransomware attacks, trusted vendor advisers and more.
The National Association of State Chief Information Officers (NASCIO) celebrated its 50th anniversary recently at its fall conference in Nashville. Federal News Network’s Ask the CIO: SLED Edition was on the scene for the festivities, and I was honored to mark the occasion of my quarter-century association with NASCIO by interviewing a number of state chief information officers and NASCIO officials, whom I will discuss in a series of broadcasts and articles.
Getting to share common challenges and solutions among industry peers is not a privilege afforded to everyone in IT. But Texas state Chief Information Officer Todd Kimbriel said it’s especially valuable to the public sector.
Speaking about his favorite session from this year’s NASCIO annual fall conference in Nashville in October, Kimbriel praised the “open mic” which kicks off the event’s opening day. Participation is strictly limited to the state attendees, but Kimbriel said his years in the private sector lacked a similar experience.
“We start at nine in the morning; we go until four in the afternoon. And it really is the place where all the states come together to share what are our common challenges, what are our successes, how did people overcome certain objectives or certain barriers,” he said. “This never happened in the private sector, and I spent most of my career in the private sector. The ability to come together and share openly is something that is so unique to public sector and it’s so rewarding and gratifying to be able to share projects that we’ve done that have been successful, and share that with other states through the NASCIO connection.”
Leading up to the conference, the NASCIO executive committee solicits topics for the open mic session from membership and assembles a dozen or so for discussion.
“One year it’s cloud, maybe it’s Office 365, email, or it might be database related. Another year it might be how do you solve a ransomware attack? How do you prepare and prevent for ransomware attacks,” Kimbriel stated.
Once they start on a topic, they watch where the conversation goes. A 30-minute dialogue may spend its first 15 minutes addressing that topic and then, in the next 15, go off on a tangent that was completely unexpected.
“It delivers a tremendous amount of value because the audience jumps in and engages completely. So it’s very, very meaningful,” Kimbriel said.
We also spoke of the increasing custom of creating new “chiefs” within state government organizations in addition to the CIO and chief information security officer. Recent examples include the chief innovation officer, the chief data officer and the chief privacy officer, among others. It’s tough to keep them all apart and their positions in the organization charts are all over the place. And this can lead to problems.
“For example, from my perspective organizations that have created a chief innovation officer have to be very, very careful. The creation of that role sort of absolves the rest of an organization from trying to be innovative because they think ‘That’s that guy’s job, so I don’t have to worry about it anymore,’” Kimbriel explained. He insisted that in reality, a good strategy for a chief innovation officer is not to actually be the source of the innovation, but to be the leader responsible for creating the environment that fosters such innovation.
We also covered the recent scourge of ransomware attacks that have afflicted local government operations in Texas. This past summer, over 20 Texas towns were struck by a coordinated ransomware attack, according to the state’s Department of Information Resources. Kimbriel recalls it quite vividly.
“We did have a broadly communicated ransomware event on Aug. 16, Friday at 2:46 in the morning. Twenty-three organizations were impacted. It was all local government organizations that were attacked simultaneously,” he said.
Kimbriel stressed the fact that your organization has to be able to respond to the attack when it happens. Texas had spent several years preparing for such an event and had established a statewide incident response plan centered within their state operations center.
“We had cleared the decks with the folks that run the state operations center to get them to incorporate cyber as part of their mission,” he said. Previously, they had only been activated for a natural disaster event and a cyber event is dramatically different. “Having that mechanism activated was critical to our success by being able to adequately respond and eradicate the threat within a week.”
Our final guest was Ed Toner, Nebraska state CIO, who as expected chose to highlight a somewhat different aspect of the conference. Toner really appreciates the opportunity that NASCIO provides to reconnect with vendors, especially their leadership.
“I often think a lot more work gets done in the hallway than in the conference room,” he said. “NASCIO is where vendor reps bring in their execs and so I have a chance to talk with them and see how things are going. I really get a lot more value out of talking to the upper management of each of my critical vendors and letting them know where maybe some improvements can be made in interacting with my staff or interacting with the state of Nebraska.”
Toner explained that those kinds of conversations, especially if they’re not positive, are quite difficult to have over the phone.
We proceeded into a discussion about a vendor’s primary objective, i.e., becoming a trusted adviser to a state CIO. It’s a role that all naturally aspire to, but very few make it to the end of that race. I asked Toner his advice to vendors that want to become that trusted IT adviser in Nebraska.
“Get out of your lane; don’t sell your product, sell a service,” he stated. He emphasized the fact that if this means that this particular vendor’s advice actually benefits a different vendor, all the better. “Even when they’re not going to directly benefit from it, they will benefit because of the fact that they’ve pointed me in the right direction. And so they become a trusted adviser right there.”
Toner’s boss is Gov. Pete Ricketts, whom Toner worked with at TD Ameritrade, a company founded by the governor’s father, Joe Ricketts. Toner explained how he and the governor first discussed consolidation.
“We started out the very first day I was there. The governor and I talked about the fact that we were very siloed in Nebraska,” he said. The governor, as a former businessman, compared the 20-plus state agencies to companies that never merged well. “Essentially we had gone through eight mergers together and he just said, ‘Well, you’ve done this before, just merge these folks,’ and we did.”
But what’s most interesting is that their vision was broader than that.
“We are the cloud provider now for the state of Nebraska. All the agencies of course were consolidated, but we also have 84 of the 93 counties in our cloud as well. In our rush to consolidate agencies, we ended up consolidating the state. So now we just call it the Nebraska Cloud.”
Now almost every day they are getting inquiries from local governments about joining the Nebraska Cloud.
“We’re getting calls now from cities that are worried about ransomware and things of that sort, asking ‘How can you protect us?’” he said. “And my answer is, ‘Well, come on in.’ Right? That makes a lot of sense.”