State cybersecurity coordinator Kimbriel wants to make Texas cyber leader
Cyber attacks are becoming more common and even though we tend to only hear about the attacks of high-profile entities, no company with an online presence is immune to attacks. “We are only as strong as our weakest link,” said Todd Kimbriel, Texas Department of Information Resources (DIR) acting cybersecurity coordinator for the state. “There is a growing awareness that this is simply a way of life and we have to embrace the right sort of strategy to make sure that we are protecting ourselves to the highest degree possible. You can’t casually defend yourself in today’s cyber world. You have to be deliberate.” Cyber attacks seem to have increased in frequency with malware, phishing, rogue software, drive-by downloads and more, but the rise in certified cybersecurity experts remain stagnant.
Kimbriel, who is also deputy executive director of DIR and state chief information officer, saw the lag in the cybersecurity field and started forming ideas on how to fill that talent gap in Texas. He came up with the idea of an information sharing and analysis organization (ISAO). Today, this organization is purely theoretical. “This year has been all about talking about it and finding interested parties that are willing to participate either in the construction or the implementation of such an organization or would be interested in consuming services from this organization,” said Kimbriel.
The ISAO idea comes from the multi-state information sharing and analysis center (MS-ISAC) that is based in New York. The center is a functioning non-profit that is funded by the Department of Homeland Security and offers cybersecurity services to multiple states who pay to be a member. “They monitor our traffic and sometimes they see something that they think is potentially a threat and they will bring that to our attention if our own systems haven’t detected that same potential threat,” said Kimbriel. They also have a function where they provide forensic analysis on possible breaches. Services offered by MS-ISAC are also available in the general marketplace, but most often at a very costly rate. Since MS-ISAC is subsidized or funded by Homeland Security, it makes those services available at a reduced cost to member states.
More ideas also came from Kimbriel’s own workplace and current position. The cybersecurity coordinator position was a statutory requirement placed on DIR. During the 83rd Legislative Session, Senate Bill 1102 was passed that required the executive director to designate a statewide cybersecurity coordinator position. It also required DIR to form a council with a very defined set of members, so the cybersecurity council is intended to be the governance body that rules and directs the cybersecurity coordinator in their activities, such as moving forward with planed or unplanned activities that are in the best interest of the state and consistent with the statutory authority that the cybersecurity coordinator has been given.
DIR has a state chief information security officer, Nancy Rainosek, who responds to cyber incidents for state agencies. The cybersecurity coordinator is responsible for everyone else in the state.
“How do we fundamentally improve the overall posture of everybody else in Texas in regards to cybersecurity awareness and capabilities?” said Kimbriel. “How do we construct some statewide incident response plan that would bridge sectors? Really the charge is so broad that its coming up with a way to deliver and improve cybersecurity capabilities for small and medium businesses, private sector, critical infrastructure sectors, financial markets, non-profits you name it. Everybody that is doing business in Texas we want to increase our overall cybersecurity capabilities and become the foremost state in the country if not the world in terms of our general cyber preparedness and awareness.”
One of the big challenges we face today is negative unemployment. The United States Department of Labor shows that employment in the cybersecurity field is projected to grow 28 percent from 2016 to 2026, much faster than the average for all occupations. Every organization that touches anything electronic or has data of any kind is potentially in need of trained cybersecurity professionals. “If you look at how you secure the state then the first thing we have to address is the workforce issue,” said Kimbriel. “We need to produce more qualified, trained cybersecurity professionals than any other state is doing and have them be in the marketplace to serve for Texas based industry.” This is where Kimbriel’s non-profit idea, information sharing and analysis center, comes in. One plan of action is to implement more cyber training at the elementary, middle and high school levels. “San Antonio has done a fantastic job over the last 15 years of doing just that,” said Kimbriel. “The idea would be to take their lessons learned, what they have been able to do largely through passion and volunteerism, and construct that into a best-practices manual that we can distribute to all cities and the state.”
The non-profit would provide scholarships to students seeking a degree in the cybersecurity field. In return for the scholarship, the graduate would agree to go into the cybersecurity workforce and for two years spend half the time with the employer and the other half working within the non-profit. Now these graduates become no-cost labor for half the time and provide a service in protecting Texas from cybercriminals. These graduates would spend maybe three weeks at a time in a virtual center of excellence that would be located on a college campus, according to Kimbriel. Candidates who are working in this specific center of excellence would remotely connect in and use the toolsets to deliver the services that each center of excellence offers, such as dissemination and forensic analysis or threat detection. As they rotate through these 10 or 12 centers they become richly trained and by the time they go full-time with their employer they have much broader capabilities.
For those who are interested in cybersecurity, but don’t know what path to take, Kimbriel says Cyberseek.org provides a dozen or so different type of capabilities skills and credentials and career pathing of someone who would go from the basics of being a network administrator all the way to doctorate. As more cybersecurity graduates fill Texas employment vacancies, Kimbriel says that will become a draw for organizations who want to base their business in the state because it is a cyber secure place and location. “We need to make cybersecurity a priority in the state across the board,” said Kimbriel. “It will be attractive for people looking to base their headquarters here or if they are wanting to build cyber services or products. Ultimately, it’s about economic development.”
Kimbriel says his next step will be to put together a business plan as a non-profit just as any start-up business would do and decide what the objectives are and what the financial model and implementation is going to look like. “We also need support from the governor’s office,” said Kimbriel. “I think the governor has made it clear that cyber security and protecting individuals is a top priority for him and we will continue to keep him informed as we progress. We have had nothing but positive feedback from all of the various partners we have engaged with.”
SPI’s government contracting consultants have decades of experience and personal relationships at all levels of government. Learn how they can help your company grow your business by contacting them today.