What is your favorite part of your role and being in Cyber Security?
My favorite part of cyber security is that no two days are the same! I enjoy the variety problems, projects, and challenges we’re presented and finding creative solutions to helping IT and our partners achieve their goals.
I also enjoy the never-ending learning part of cybersecurity. This career field definitely keeps you on your toes and pushes you to be a better version of yourself day after day. Our knowledge, expertise and real-world experiences are constantly leaned on to help businesses make the best decisions for the business from a security perspective.
Your Panel Session- Adapting Infrastructure to Combat Cyber Threats will detail how the public sector is acutely aware of ongoing cybersecurity vulnerabilities in their information technology environments. They must also consider the technology that powers their infrastructure to be vulnerable to the same issues. Is there one principal of this that is essential to your department? Can you explain why?
Modernization of our legacy systems is a priority for us, whether that is through moving to the cloud or moving unsupported legacy type systems to a supported platform. Recent high-profile attacks by malicious actors against government entities have raised awareness and created a renewed sense of urgency for us to better understand our risk and protect critical operations.
We’ve heard stories of ransomware attacks at other agencies in Texas who ended up having a very hard time from recovering because their systems and software were way past their end of life. When these agency’s attempted to contact the provider, they were told by the provider that they weren’t able to assist them in recovering that data and/or rebuild that platform because it was beyond outdated. These agencies were then tasked with recreating a system from the ground up and losing valuable historical data, time, and resources.
We started to look at what systems have that fits that description, like old applications that are past end of life and support periods and determine our risk appetite for potentially losing that system if we were hit with ransomware. To help with our risk assessments, we adopted a framework, like NIST 800-53 or NIST CSF, that helped us find where we may have gaps in our systems and the controls that are applied to them. But technology alone is not enough to protect our critical infrastructure from the growing number of sophisticated cyber threats. We also have to reflect on the importance of people and process alongside technology when identifying and responding to risk.
It is imperative that state and local governments engage in information sharing via public-private partnerships, such as critical infrastructure Information Sharing and Analysis Centers (ISACs) that provide comprehensive sector analysis shared within our specific sector, with other sectors, and with the Federal government. The information we’ve received from our peers at other agencies has been invaluable in preparing for what could happen at our agency.
What is the #1 mistake that you’ve seen government leaders make while planning executing cybersecurity programs? How can those who have made this mistake begin to rectify it?
Specifically, in state government, we have a harder time recruiting and keeping talented staff who push our Cybsecurity program forward. Retention is very important, as being understaffed means new security initiatives are placed on hold and existing security projects may be delayed.
Private sector can offer a lot more as far as salaries and other incentives, so we need to explore different ways of attracting staff especially when the number of open cybersecurity jobs are in the hundreds of thousands. Security is made of mix of skills and we can’t have a true, 360 degrees approach, if this industry is continuously pigeon-holing people into narrow roles. There are tons of specialties, like forensics, threat intelligence and even security awareness training that can be an universe standing on their own, but the recruitment trends are killing those desire by pushing to study what you have to not what you want and you are better on.
One thing I’ve noticed when we post a job is that many potential candidates have been forced into a specific job role for years and not given the latitude to pursue their passion. For example, we’ve had people apply stating they’ve only been doing incident response or vulnerability management and are tired of the doing the same thing day in and day out but they don’t really have any other skillset.
At DFPS, we’ve given our cybersecurity team the leeway to pursue what their passionate about and finding how we can use that skillset to benefit the team. Of course, there are some parts of the job that are just mandatory but the other 50% of the time, we encourage our team to grow deeper in the parts of security that interest them! We have a healthy training budget where analyst can take SANS training or other vendor specific training in whatever field piques their interest.
Furthermore, I think as leaders we have make sure we’re taking care of our team because a lot of security professionals said they’re feeling burned out. We need to look into automating repetitive, tier-1 type task and shifting the staff we have to more engaging higher-level assignments. Also, consider condensing work weeks to something like four 10-hour shift, so staff in these highly stressful positions have time to decompress.
Lastly, we need think outside of the box, and make sure we’re hiring people that have the right attitude but may not fit a cookie cutter role. We’ve seen really positive results from finding people with the right characteristics, like initiative, top notch problem-solving skills and project management, and helping them learn the technical ins and outs.
Is there a future project you’re working on at the Office of Information Security at Texas Department of Family and Protective Services that you’re particularly excited about? What impact do you hope this will this project have on the agency & state at large?
DFPS is currently expanding services to our clients through partnerships in a Community Based Care model in which Child Protective Services (CPS) contracts with non-profit or other governmental entity to oversee the placement and services to children in DFPS conservatorship, work with their families, as well as manage the adoptions and kinship placements for these children.
CPS will be able to access the flexibility, innovation, and opportunities available to a non-profit or governmental entity in order to serve the children and families of Texas in the best way possible.
These partnerships have pushed the Office of Information Security to cultivate a robust vendor risk management program and how we evaluate the security posture potential partners. We’re also working directly with our partners for innovative ways to integrate our information systems to share critical data and materials about our clients quickly, but also securely.
What advice would you give anyone who is considering a career in the public sector?
Working in public sector has been the most rewarding job I’ve had. Initially, working in public sector wasn’t something I considered and or even on my radar. I wanted a job where I could help others and applied to the Health and Human Services because it checked that box plus it was a stable government job. You can see the fruits of your labor in public sector and truly make a difference in the lives of the people and clients we serve!
The pay and titles may not be as glamours as private sector but I encourage anyone who wants to make a difference in the lives of others to explore opportunities in public sector!