Add if you consider those with both state and local government experience, as well as time in a federal government role, and top that all off with private-sector work, the number gets even smaller. In fact, I am only aware of one such person: Keith Tresh.
Mr. Tresh has an amazing background, which includes experience as the former CISO for the state of California, having been appointed by Gov. Jerry Brown in 2011 and remaining in that position until 2013.
Previous to that, he was employed for nearly 12 years with the California National Guard, working initially as a telecommunications manager before serving as the CIO and IT director from 2006 to 2011.
Between 2014 and 2016, Tresh was CISO for Orange County, Calif., and later served as CIO for the California High-Speed Rail Authority in 2016. He would go on to serve as the commander of the California Cybersecurity Integration Center for Gov. Brown's Office of Emergency Services between 2016 and 2018.
This Techwire.net video shows Keith being interviewed back in 2012 while in his California CISO role.
I have known Keith for more than a decade, first meeting him when I was CSO in Michigan. I have always been impressed with his knowledge and leadership skills, and I am delighted that he agreed to be interviewed.
Dan Lohrmann (DL): You have held several security leadership positions. What are some of the differences between your government and private-sector roles? What duties are the same?
Keith Tresh (KT): I spent about 18 months working in the private sector and the rest of my career has been in the public sector. I think there were two specific differences I experienced during my time working in the private sector.
First, since the focus of most private-sector entities is profit, it made my work more focused on targeted networking and at times making cold calls to folks for leads. I am not a guy who is good at that, so it was a struggle for me to manage my time and goals.
The second difference I experienced was that you must be much more aware of the leadership qualities and alliances and how that can affect your work and the climate of the workplace. One of the two companies I worked for had a dynamic and strong CEO whom I truly respected and thought was a great leader. He was focused and up front, but also very generous. I loved working for him.
DL: How would you compare your role as California CISO to being Idaho CISO?
KT: Being the CISO for California was my first experience in state government, so it was filled with new experiences and challenges every day. I enjoyed my time with and for Carlos Ramos, and I learned a lot about the differences between the sphere of influence and scope of the job federal folks have versus state employees. It was a great experience, and I worked with a lot of great people. And in California the scope of the position was very big.
When I entered my role as the Idaho CISO, I did not realize just how differently each state operates their IT and IT security. I also had to re-learn my sphere of influence and how to create and maintain trusting professional relationships. Having worked in California for so many years, I was a known quantity to most of the IT folks there. Here in Idaho, I am working hard to try to become known as a trusted partner and advocate for the security professionals in state government. It is not a quick or easy process, but it is my most important mission.
DL: Tell us about a few of the top challenges you’ve faced in 2020-2021 due to COVID-19 in Idaho regarding technology/cybersecurity?
KT: We faced the same remote worker struggles everyone else has experienced, but with a twist. Idaho is going through modernization, and so that exacerbated the level of challenges we faced.
DL: How did you overcome those issues?
KT: The Idaho Information Technology Services crew stepped up to make sure all the workers had what they needed to work remotely and that the network was equipped with different levels of security to minimize the risk.
I think that we were able to meet the challenges head on, and after some struggles in the beginning we put an efficient remote workforce program in place.
DL: How big is the shortage of cyber talent in Idaho? Are you finding the right people to fill key vacancies?
KT: Idaho is pretty much in the same boat as most other states and in the federal area when it comes to cyber talent shortages. The good news is that there are several different entities inside Idaho that have workforce development plans and are working with the state universities to create a larger pool of cyber warriors through their degree programs.
Another way we are addressing the issue is through my Idaho Cybersecurity Consortium. This is a public-private partnership of cyber subject matter experts that we put together whose mission “is to foster a culture of cybersecurity through education, information sharing, workforce development and economic growth to address the evolving cyber threat environment and increase overall cybersecurity resilience for nonprofit, private sector and governmental agencies within the state of Idaho.”
DL: What are your top cyber project priorities for 2021?
KT: First is making sure we support and oversee the security aspects of phase III of the Idaho IT Modernization Project that our organization (Information Technology Services) is preparing for.
Next, we are focusing on outreach to counties, municipalities, small businesses and the education sector (including K-12). Our goal is to help these entities assess their level of cyber risk and provide them with actionable threat intelligence and cyber education and awareness training.
DL: Describe your resource situation. Is funding/budget a significant problem right now? Is federal funding a help?
KT: Our funding is about the same as it has been for the past few years. We are hoping to be able to take advantage of the new federal stimulus money the state will be receiving this year to help fund some of our initiatives. This includes a statewide threat intelligence platform.
DL: How can security and technology vendors provide better help around the country in state and local government?
KT: Pay attention to the level of funding and manning resources each entity has. Cold calls without doing homework and research to see what we actually need can be frustrating to us and to vendors, and will probably lead to vendors not being able to close a deal for any state or local government business.
DL: What do you see as the biggest challenge that government CISOs will face over the next three to five years?
KT: I think the biggest threat everyone will face is the evolution of the threat landscape and the bad actors. So far this year we have had two new serious threats pop up that we had to deal with. This trend, I predict, will continue, and keep security teams on their toes. Creating and maintaining strong networks of trusted security professionals is one way to keep on top of the current threat situation, and is truly a must for all who are in this field.
DL: Any career stories that you can share about lessons learned as a government leader?
KT: I have worked at the federal, state and county levels as a cybersecurity professional, and I have experienced some true successes and a few shortcomings during my career. The best “lessons learned” advice I can impart to cybersecurity professionals comes from many years of experience from my work in the public sector.
First, never try to get people to support security by scaring them or being a “sky is falling” security person. This might work once or twice, but once people realize that “the sky is falling” too many times, they become numb and no longer trust you as a security person. If that happens, you will fail miserably. Always work with the business side to be realistic about what level of security makes sense for your organization.
And the other advice I give to cyber professionals is to always be honest, own your mistakes and do your best to create trusting relationships with all of the stakeholders within your sphere of influence for cybersecurity. If people do not trust you, you cannot be successful as a cybersecurity professional, and your program might end up being stymied due to lack of commitment from the business side of your agency. Work as a “partner” with your stakeholders and always remember that a good cybersecurity program is one that finds, assesses and manages risk efficiently and effectively!
DL: Is there anything else you want to add?
KT: I am passionate about this field because it is ever-changing and very important to the success of all public and private entities. But the threats continue to get more difficult to predict and prevent. Everyone in this field must keep up with the current threats and threat actors if they want to be successful. And just as important to your success as a security professional is a trusting and supportive relationship with the leadership of your agency. Without their support, you will always struggle to keep up with the threat actors and landscape.
DL: I want to thank Keith for the outstanding insights and perspectives on cybersecurity from your career roles. In my opinion, Idaho is fortunate to have you as their cybersecurity leader, and you bring a healthy approach regarding security, trust and relationships that is greatly needed globally. Congratulations on an amazing career in public service.