This Q&A is part of a new GovLoop series called “CIO Conversations.” Through 2019 we’ll feature conversational interviews twice a month with current and former federal, state and local chief information officers to get to know the people behind the titles. You’ll learn about the perks and challenges of their job, how they ended up in their current position, what’s top of mind for them, how they’ve rebounded from setbacks and more.
Before becoming the Chief Information Security Officer (CISO) for the Lone Star State, Nancy Rainosek was protecting the information of the most vulnerable at the Health and Human Services Commission (HHSC).
“That really is where I took the step into cybersecurity, and where I found that calling,” Rainosek said.
Rainosek sat down to talk to GovLoop’s Senior Online and Events Editor, Emily Jarvis, about 2020 priorities, 2019 successes and how she finds the right cybersecurity team.
The interview below has been lightly edited for brevity and clarity.
GOVLOOP: CISO is a big job. You’ve got some major priorities going into 2020. Can you tell us what some of the top things on your list for next year are?
RAINOSEK: Local government security, and what we can do to help the local governments in Texas. That’s kind of where the citizens have the most impact with government — at the local level.
Right now, we don’t have any statutory authority or responsibility toward the locals. But with the rash of ransomware that’s been happening lately, it’s just something that’s very important to us, and they’re reaching out to us for assistance.
Something else that we’re doing is rolling out multifactor authentication across the state. So that’s a big push for us as well.
This is for state agencies and institutions of higher education only. So it’s multifactor for state government employees. And then a third [priority] would be election security for the 2020 elections and making sure that’s secure.
How are you going about thinking about election security? I know some folks are going all digital; some are trying to retreat back to more paper-based.
The Secretary of State received HAVA funds, Help America Vote Act funds, for shoring up elections in Texas. They chose to use those funds to contract with us, through our managed security services provider, to do election assessments at all 254 counties in Texas.
So right now, we’re in the process of our managed security services provider doing those assessments. And then, once somebody goes to an assessment, then the Secretary of State has money to provide remediation services for those counties.
So it’s a big push to do 254 counties, get them all done and get some remediation efforts between now and then.
Besides this large cybersecurity incident that you were able to remedy, 2019 probably had some other success stories. What are some things that you guys have been working on that you thought worked well this year?
Something else is House Bill 3834, which is a very large bill where we have to certify at least five companies to provide cybersecurity training. And this has to be taken by all state and local government employees.
With state employees, there are different levels. For a state employee, if they have access to a computer for more than 25% of the time in their work, they have to take the training. In local, anyone that has access to a computer has to take the training. And then all elected and appointed officials have to take the training.
The bill took effect upon the governor’s signature, June 14. So we hit the ground running, setting up the certification program. Right now, we’ve received 51 applications to become certified, and our plan is to have the initial list published by the end of October.
Do the cybersecurity trainings have to do with cyber hygiene?
It’s end user — it’s all the above. The legislation has some very specific language. But it is pretty much end user training.
So we’ve talked about 2019, some of the things that you’re working on in 2020. Talk to me about your workforce. I know getting the right people in the right spot can always be difficult within the CISO office in general.
I’ve been really lucky. I’ve got an excellent team. Now, I don’t always hire cyber people. I find good people and then train them. So, I would say that three of my staff, I’ve recruited from other areas within the department, and we trained them up. And then I’ve hired some excellent people that actually come from a cyber background. So it’s a mix.
The workforce is very important to us. We have participated in Growth Skill CyberStart, to make sure that we’re doing our part to prepare the workforce for the future.
Something that our office has is an InfoSec Academy. We offer training and certification exam vouchers for state cyber workers in Texas, too. So that’s how a lot of that’s gone on to train my staff, where they can go take a CISSP (Certified Information Systems Security Professional) training class or a Certified Incident Handler training class, etc. through a prearranged contract we have.
How long does the process take when you are bringing in staff from other areas into your realm? How long does it take to get them operational?
It’s really not that long because they’re bright, and they’ve got an aptitude to start with. They just go to the trainings, and we partner them with other staff members so that they shadow them for a while.
The last questions that I have are more about you. How did you get into this role? Why work for the state versus the private sector?
I think that government service is a calling and a passion. I moved to Austin and got a job with the state very young, and I just stayed. I started out as a COBOL (Common Business-Oriented Language) programmer.
As my career evolved, it went from doing IT and being a CIO for a while. And then, cyber was what was interesting to me.
Before DIR [Department of Information Resources], I was at the Health and Human Services Commission, in particular, protecting the confidential information of some of society’s most vulnerable populations, like children in foster care, or the aged [and] people that have developmental issues. That really is where I took the step into cybersecurity, and where I found that calling.