N.C. Risk Officer on Zero Trust, Protecting Resident Privacy

Rob Main was named North Carolina chief risk officer in October 2021 after two years in the deputy role. He oversees state cybersecurity and talked to GovTech at the National Association of State Chief Information Officers Midyear conference in May about zero trust, privacy and North Carolina’s whole-of-state approach to cyber.

1. Do you have a zero-trust posture in North Carolina?

Zero trust is absolutely essential to ensuring the confidentiality, integrity and availability of state data. However, weeding through the different flavors of zero trust, some which may not allow you to leverage your existing investments and infrastructure, is quite challenging, so having a consolidated picture or a standard for zero trust would be extremely helpful.

At the beginning of the pandemic, we went from having to protect dozens of networks to over 80,000 networks because of remote work. So as we move forward, we need to look at opportunities to realize work is done remotely and not necessarily in an office, leverage our existing identity and access management solution as we mature that model, and account for the workforce challenges presented by companies that we’re competing against for cybersecurity talent. So trusting no identity, allowing those workers to come from wherever they’re at across the United States and do work for North Carolina will be a strategic advantage for us and bolster our cyber workforce. 

2. What’s one thing that can take state security to the next level?

Maturing our cybersecurity practitioner pipeline is essential to be able to continue to support North Carolinians and the services they expect from government. Right now we have a significant gap in the amount of talent that is coming in through our pipeline from K-12, community colleges and universities. So if I could wave a magic wand, I would have a mature pipeline model that provides an education to a student graduating from high school, coming into a two- or four-year degree program, or transitioning from the military so that they get the education they need and in turn they give us an equal amount of time back in the public sector in cybersecurity roles. 

3. How do you balance privacy and security?

Privacy is of the utmost importance in maintaining the trust that needs to exist between state government and the citizens we support. In recognition of that, North Carolina recently onboarded our first-ever chief privacy officer. Oftentimes jurisdictions have a dual-headed state CISO and state chief privacy officer, who does privacy functions as well, but in recognition of the different lanes that we travel that are parallel, that’s going to be a strategic advantage to North Carolina and it’s going to provide that assurance to citizens that their data is in fact protected when we are entrusted with it. 

4. How is the state helping local governments bolster their defenses?

We have a whole-of-state approach to cybersecurity, and in modeling or providing services to our local governments, we first look at where the gaps are, where our most economically depressed counties are. If funding were no object, I would be able to provide them 24/7 support and visibility into the threats facing their environments and provide them tools they can use to see themselves and where they fit in North Carolina in a consolidated risk picture. We’re getting there, we’re not quite there, but we’re going to take advantage of funding opportunities as they become available to really push cybersecurity from Manteo in the east to Murphy in the west.