Episode 119

Dan Persico, CIO for the Virginia Department of Elections

Dan Persico served 15 years in the United States Air Force working a variety of duties including tactical aircraft maintenance, command and control actions supporting homeland security, military police, security forces, and advanced program management that included protection of classified and unclassified systems, designing continuity plans, and oversight of information assurance officers.

Dan was most recently CIO/CISO for the Virginia Department of Elections, where he was responsible for overseeing business operations, technology support, software development, project management, cybersecurity, data privacy and governance within the unique realm of elections oversight, designated as national critical infrastructure. He used knowledge of elections policy and procedures to drive initiatives within the organization.

He planned, organized, and controlled all activities and services, ensuring the effective, efficient, and secure operations of each product line within the portfolio of services and offerings.

He is also a season Ski Race coach instructor.

Transcript
Speaker:

Welcome to the business samurai podcast.

Speaker:

I'm your host, John Barker.

Speaker:

I am pleased and excited to be joined by the Tesla owner.

Speaker:

Dan Persico. In his youth, Dan was a cadet in the Civil Air Patrol.

Speaker:

And the only reason I bring that up is because anybody that does anything related

Speaker:

to aviation, I bring that up just to, because it's, I'm enthusiastic about it.

Speaker:

Dan served 15 years in the United States Air Force working a variety of

Speaker:

duties, including tactical aircraft maintenance, command and control actions

Speaker:

that supported homeland security, military police, security forces,

Speaker:

and advanced program management.

Speaker:

And those tasks included protection of classified and unclassified systems,

Speaker:

designing continuity plans and oversight of information assurance officers.

Speaker:

Dan was most recent CIO slash CISO for the Virginia Department of Elections.

Speaker:

He was responsible for overseeing business operations.

Speaker:

Technology support, software development, project management, cybersecurity, data

Speaker:

privacy, and all the governance that are unique in the realm of elections

Speaker:

oversight, which now has been designated as national critical infrastructure.

Speaker:

He used his knowledge of elections, policy and procedures to drive

Speaker:

initiatives within the organization.

Speaker:

You plan and organize and control all of the activities to ensure

Speaker:

effective, efficient, and secure operations of each of their product

Speaker:

lines within the portfolio of everything that he was an oversight,

Speaker:

which was, as CIO, CSO, everything.

Speaker:

Dan, appreciate you taking the time to be here, man.

Speaker:

Thanks John.

Speaker:

Appreciate you having me.

Speaker:

She's going to have a fun and hopefully not make you cry conversation.

Speaker:

As we discussed before I hit the record button.

Speaker:

So don't make fun of me.

Speaker:

Okay.

Speaker:

I'm sensitive, right?

Speaker:

Yeah.

Speaker:

I th you know, those air force guys I'm used to talking to Marines,

Speaker:

used to tell me was a former Marine.

Speaker:

I have to say former Marine can't say experts.

Speaker:

No.

Speaker:

There's no, my dad and granddad.

Speaker:

So what, give us a little bit, one of the things I, I really want to talk to you

Speaker:

about was the role within election security, particularly with all of this junk.

Speaker:

That's been in the news for the last couple of years, but before

Speaker:

it gets to that point, how did.

Speaker:

Your career in the air force and your experience lead you into that particular

Speaker:

role with the state of Virginia?

Speaker:

Great question.

Speaker:

And I'm like, how did that happen?

Speaker:

You know, I, I've been into technology since I was 15 actually before then, but 15

Speaker:

employed, I worked for Best Buy back before it was the Geek Squad, I was I

Speaker:

think I was a cashier and then I was doing computer sales and then I got

Speaker:

gotten to the computer repair business there and didn't do it very long.

Speaker:

But I did get my A+, I think I was like 15 years old and, oh, wow.

Speaker:

And so I was, this was all while I was in high school and I was doing some

Speaker:

volunteer programs in high school where we refurbished computers for, folks

Speaker:

that didn't have the financial means to, to buy their own and things like that.

Speaker:

And so I was a lot of just.

Speaker:

Work, if you will, just fixing computers, replacing parts and then handing them out

Speaker:

did similar at Best Buy troubleshooting, and home, consumer grade, computer stuff.

Speaker:

Sure.

Speaker:

Yeah.

Speaker:

Somehow I was working, I was doing my high school, doing some work with

Speaker:

our website and I needed to talk to I needed to talk to what was guess the

Speaker:

webmaster, I guess at the time for Stafford County in Virginia I reached

Speaker:

out to her to see if she can do a link to our site or something like that.

Speaker:

And.

Speaker:

I think after a few conversations with her, I said, Hey, do you

Speaker:

got any jobs intern or whatever?

Speaker:

And she's actually and then I ended up going to work in there for a

Speaker:

little while, which was pretty fun.

Speaker:

I learned a lot there also a brief stint working there after

Speaker:

school for a few hours a day.

Speaker:

And got a lot of got a lot of experience in, more of an enterprise environment

Speaker:

and it did everything from touch, endpoints to servers, to network.

Speaker:

I remember helping deploy the first wireless access points back in

Speaker:

the, the 802 point, what is it?

Speaker:

802.1 or 802.11a way back in the day.

Speaker:

And deploying these wireless access points for the board of

Speaker:

supervisors, and I think that 1998 or nine or something like that.

Speaker:

And so I got a lot of experience.

Speaker:

I was also doing a Cisco CCNA class while I was in high school and then ended up

Speaker:

using my experience that I got working at Stafford County to go get my CCNA.

Speaker:

And so I had both an A+ and the CCNA before I ever even graduated high school.

Speaker:

And that's unusual at the aisle at the time.

Speaker:

Extremely unusual.

Speaker:

Yeah.

Speaker:

And that didn't really think much about it didn't really care all that much.

Speaker:

I ended up joining the military because I wanted to pay for college.

Speaker:

Didn't really didn't have a, a college fund set up for me or rich

Speaker:

parents that I knew I was on my own.

Speaker:

I was like, wow, this will give me experience.

Speaker:

And also pay for college.

Speaker:

And they had no computer jobs.

Speaker:

Everybody wanted to do computers.

Speaker:

So I said, whatever, I don't care.

Speaker:

I'll just join whatever, but I want to, I want it to be something meaningful.

Speaker:

And so I signed up to be an aircraft mechanic and I was an

Speaker:

aircraft mechanic on F-16s for my first four years or whatever.

Speaker:

And it, I was hoping that I would somehow go to the computer side,

Speaker:

but it really never happened.

Speaker:

And then I ended up becoming a cop, but intertwined with all of this in

Speaker:

those, 14, 15 years in the military I was always doing computers.

Speaker:

Even when I was an aircraft mechanic, everybody has everybody

Speaker:

in the military, has some sort of, at least in the Air Force.

Speaker:

Everyone, the Air Force has some additional duty that you do.

Speaker:

You can be the fitness monitor.

Speaker:

You can be the deployment manager while I was the computer

Speaker:

nerd for the group I was in.

Speaker:

So the aircraft maintenance group that I was part of I was like the

Speaker:

liaison between the communications group and the maintenance group.

Speaker:

And that also mean, I, did basic, endpoint, support when we had like

Speaker:

email migrations, I was, I would get involved with those in addition

Speaker:

to being an aircraft mechanic.

Speaker:

So that kept me sharp in, you were like a network engineer

Speaker:

administrator of their environments.

Speaker:

I did have privileged access, but I wouldn't say I was more like, if

Speaker:

somebody put a help desk ticket in.

Speaker:

Or need take it in.

Speaker:

I was like first tier, basically, on-site there's so I could say

Speaker:

like little things, whatnot.

Speaker:

Again, when there was like bigger projects, like migrations or equipment

Speaker:

refreshes, I would obviously be a lot more involved with those things.

Speaker:

And so I wasn't doing this.

Speaker:

I'd say I spent maybe five to 10% of my time on a weekly

Speaker:

basis doing that type of stuff.

Speaker:

But it, what it did was it kept me sharp.

Speaker:

It kept me still, using the terminology and lingo and seeing how I remember

Speaker:

we did an Exchange Server migration one time and what was new learning?

Speaker:

What was new in that, the new Exchange environment from the previous areas I

Speaker:

might have experience in that, that helped me a lot, honestly to keep sharp and then.

Speaker:

And then when I became a cop, I was doing that a little bit still, but

Speaker:

what ended up happening was is that I started getting into cyber crimes and

Speaker:

protection of classified information.

Speaker:

And they, at one point I, I got brought in as a cop because it was

Speaker:

a compatible what they call it, Air Force Specialty Code or AFSC.

Speaker:

I had a compatible AFSC with the position that they could open up, but the primary

Speaker:

purpose was not for me to be a cop, was really for me to do, cyber security.

Speaker:

And that was more, I jumped into that and I did spend a little

Speaker:

time working at the FBI Okay.

Speaker:

As an I S why I went reservist for a little while, like a year

Speaker:

less, and didn't really enjoy it as much as I thought I would.

Speaker:

But my what happened was my old boss an older boss who was

Speaker:

a cop called me up one day.

Speaker:

He's I got this position as a composition.

Speaker:

It's got the potential to get promoted with promotion to this.

Speaker:

And you could fill it.

Speaker:

You, the billet for it is a cop billet, but it really needed to be an IT

Speaker:

guy and helped me secure these things.

Speaker:

Cause I have no idea what I'm doing.

Speaker:

And so I said, okay.

Speaker:

So I went back to active duty and did that for a while until I got out.

Speaker:

Okay.

Speaker:

And then when I got out, I was like, what am I going to do?

Speaker:

I love being a cop.

Speaker:

That was, I never had any ambition to be a cop.

Speaker:

That happened, there's a whole story there for another day.

Speaker:

That's a unique transition.

Speaker:

Yeah, it wasn't, it was, let's just say it wasn't completely my choice.

Speaker:

I had screwed the pooch on on some career progression things, had some issues

Speaker:

taking tests, to be honest with you.

Speaker:

And yeah, was pushed in that direction to put it nicely and did

Speaker:

not enjoy it really the first year or two, but then I really liked it.

Speaker:

Cause I, every day was a different day.

Speaker:

I was helping people.

Speaker:

I learned a lot about that world, but also about myself.

Speaker:

So it was a really good opportunity for me.

Speaker:

And when I got out of, I was like I really like being a cop, but.

Speaker:

I don't really, there's no reciprocity in Virginia as an example.

Speaker:

I can't, I'd have to basically start over and I don't really feel I don't feel

Speaker:

like starting over making 30, 40,000 a year when I'm, making almost six figures.

Speaker:

And or I have the potential to make six figures at that point and get shot at,

Speaker:

I have to put out a bullet professing, a shot at, I have a son and he was

Speaker:

like, if that's a downside, it was one of those things where it's do I

Speaker:

want to do I want to do what I really enjoy, but yet put myself at risk.

Speaker:

And it's right, threaten you know, the security of my family or just

Speaker:

go sit behind a desk and do computer stuff and make a lot of money, a lot

Speaker:

more money than me in a cop anyway.

Speaker:

And it was a balance between the two and, it's still I still.

Speaker:

I wish I was a cop some days, but I'm happy with, I'm happy

Speaker:

with the direction I went.

Speaker:

And so my first job out of the military, I was, I think it was, I

Speaker:

only spent my two or three months.

Speaker:

I was a consultant, but then I became like a I went, worked for another

Speaker:

company and became an IT manager director type and been doing the same since.

Speaker:

And that was 2014, 2015 timeframe.

Speaker:

And I was working for a hospital system, a regional hospital

Speaker:

system in Southwest Virginia.

Speaker:

At the time when I saw the advertisement for the CIO, for

Speaker:

the department of elections and it was just a blatant advertisement.

Speaker:

It was a, I li I think it was like a monster or a random person.

Speaker:

I wasn't even looking that hard.

Speaker:

I don't believe.

Speaker:

I wasn't really thrilled about that job.

Speaker:

I was in at the time, the job wasn't good.

Speaker:

I just really didn't agree with leadership in their direction.

Speaker:

And a lot of my peers felt the same and, it was funny.

Speaker:

I left and my boss there, who I was pretty close with.

Speaker:

We both left at the same time, essentially for the same reasons.

Speaker:

And but I got, I ended up applying to be the CIO at ELECT and I had never,

Speaker:

I was IT director and I had never been a deputy or associate CIO before.

Speaker:

And I thought that I had no chance at it.

Speaker:

But when I went through the interview process had multiple interviews and

Speaker:

ultimately I was selected for the role.

Speaker:

And I literally, as a military guy, Never really care too much for

Speaker:

politics or was, it didn't intrigue me.

Speaker:

So I didn't really know a lot about it.

Speaker:

I knew technology, but I didn't know the business of elections.

Speaker:

If you will, at the time it's a completely different world.

Speaker:

You not having done a lot of things, whether it's, working at Best Buy duke

Speaker:

of yourself or working at Stafford County government doing computer

Speaker:

stuff or my various military roles.

Speaker:

And then even when I got out, I worked for multiple private sector organizations with

Speaker:

different missions or, business different business business types, if you will.

Speaker:

I never ever experienced anything like the elections business, to be

Speaker:

honest, it was very interesting.

Speaker:

When I first came on board, I was I was pretty surprised at the lack

Speaker:

of maturity in the IT space, the technology space within elections, but

Speaker:

it started to make sense really quick.

Speaker:

And to sum that up, it was there.

Speaker:

Wasn't a lot of there wasn't a lot of drive or need, if you will, to

Speaker:

make technology put technology at the forefront of elections, 10 years ago.

Speaker:

So we had an my division in an elections back in 2010 had one full-time person

Speaker:

and one contractor from what I was told.

Speaker:

That's what I wanted to ask.

Speaker:

You don't mind interjecting real quick.

Speaker:

The structure of it.

Speaker:

Did, were you like the first person that have a direct oversight of elections

Speaker:

that as a sole responsibility were you essentially the first CIO CSO of

Speaker:

that were you backfilling somebody's?

Speaker:

No.

Speaker:

Some so it was interesting.

Speaker:

We had a we had a long time CIO a great guy.

Speaker:

He ended up taking a role, working for a contractor.

Speaker:

I think he went to like an SIC or one of those that was supporting the

Speaker:

Virginia Information Technologies Agency also known as VITA.

Speaker:

And he he and I worked together numerous times and had a great

Speaker:

conversations, a really good guy.

Speaker:

But he needed to change.

Speaker:

He went on, but when he started, he was, I believe the first CIO he started in, Some,

Speaker:

there was a lot of people that got brought in to do different IT related things.

Speaker:

And a lot of those were contractors and there became a need to start flipping

Speaker:

those contractors to full-timers cause they saw a more inherent need

Speaker:

to put a focus on technology, but it started as small again, 2010, one,

Speaker:

two people, I think by the time 2015 came, maybe they had 10 people, 10

Speaker:

full-timers somewhere around that.

Speaker:

Might've been less and it was really really a still small, very small shop.

Speaker:

Most of the efforts were focused on software development around the Virginia's

Speaker:

voter registration database, which is, it was called it's called VERIS.

Speaker:

And the, there was a company that built that was supporting

Speaker:

that for the most part.

Speaker:

But the agency, apparently again, this is second hand information

Speaker:

cause I wasn't there at the time.

Speaker:

It wasn't getting what it needed from this company and decided to bring in more

Speaker:

independent contractors and some more full-time staff to manage this platform.

Speaker:

And and then 2016 happened and everybody knows what happened in

Speaker:

2016 with the election between former president Donald Trump and a former

Speaker:

secretary of state Hillary Clinton.

Speaker:

It, and then the, initially the claims and then follow up with the intelligence

Speaker:

that Russia was interfering with our elections or at least attempting to.

Speaker:

And so that really highlight.

Speaker:

The technology and the election space more than they ever did.

Speaker:

So a lot of organizations in different sectors and the sectors or businesses

Speaker:

have had this experience at some point or another, whether it be financial sector

Speaker:

medical things, but all of those had kind of a trigger point that they all, we're

Speaker:

all a lot more well off, in 2015, 2016.

Speaker:

And it was, the election space time to get you will, and really put some emphasis

Speaker:

and focus on that because the lights on you, it was, there was a tremendous

Speaker:

amount of growth that, that came from what happened in 2016 and the IT space.

Speaker:

With Virginia and I'm sure it happens.

Speaker:

Similarly in many states or localities every state

Speaker:

elections are a state run thing.

Speaker:

Every state has a different way of doing business.

Speaker:

Some really put the emphasis on localities, running elections in our case

Speaker:

in Virginia, it's we're a Commonwealth.

Speaker:

Localities do have the most control over elections.

Speaker:

And my agency at, sole purpose of it was for oversight over, over making sure

Speaker:

that localities not only had what they needed, but that they were following all

Speaker:

the laws and applicable regulations that you know, that were in, Virginia's yeah.

Speaker:

What the constitution of Virginia, that was the main objective for the department

Speaker:

of elections, but every locality has a general registrar and usually a deputy

Speaker:

registrar and the buck stops with them more, more so than a and we support them.

Speaker:

So from a technology perspective, we provide them access to the

Speaker:

Virginia voter registration database.

Speaker:

We had a central database that the entire state used and that database

Speaker:

contains all the voter records, the eligibility, all that stuff.

Speaker:

And it was a massive, it's a massive product.

Speaker:

It's a very complex I can tell you it some somewhat overly complex, not just

Speaker:

from a developer perspective, but from an end user perspective, it wasn't

Speaker:

necessarily the easiest thing to use.

Speaker:

It didn't have all the greatest features.

Speaker:

And I think that they're addressing that post my departure.

Speaker:

Earlier this year, I, there was an active RFP in progress to replace VERIS.

Speaker:

And I'm not sure obviously where that stands today, but the idea was to

Speaker:

to replace it with a more modern and more scalable product that will serve

Speaker:

Virginia for a long time to come.

Speaker:

And but the idea was that, okay, so we got this voter registration

Speaker:

database that every locality, all 133 localities in Virginia use, how,

Speaker:

how is that system maintained, how is it enhanced and how is it protected?

Speaker:

Became a big focus after 2016.

Speaker:

When my when the, when my predecessor left when I was mentioning that went more

Speaker:

for a contract company, they did bring in somebody for a temporary period of time.

Speaker:

And I'm not a hundred percent sure of the story there, but it didn't last,

Speaker:

I don't know if it was temporary on purpose or if it was just a situation

Speaker:

where that individual wasn't a good fit, but they brought me on and

Speaker:

when they brought me on, I was taken aback by the level of maturity.

Speaker:

That the organization was at within the IT space.

Speaker:

And I was warned my boss, the commissioner had warned me about this throughout

Speaker:

my hiring process, but I didn't really understand how the maturity

Speaker:

was lacking, how bad it really was.

Speaker:

And there was a lot of reasons for that funding being one of those.

Speaker:

And just having, a big picture oversight.

Speaker:

I came from two previous roles where I was in, hospital system and then

Speaker:

a truly private sector organization.

Speaker:

And those two organizations help give me a really good insight

Speaker:

about the way things should be.

Speaker:

And so when I got to the department of elections I immediately, within

Speaker:

my first week I was like, wow Yeah, I've got a lot of work ahead of me

Speaker:

and and I hit the ground running.

Speaker:

I did hit the ground running.

Speaker:

Were you talking about kind of oversight and making sure the

Speaker:

localities could run the elections?

Speaker:

Were you responsible for not just the database, but like the voting machines

Speaker:

and things of that nature as well?

Speaker:

Yeah, so we had we had a few divisions within the department of elections.

Speaker:

I was just one of the divisions, the IT division, and, but we had our election

Speaker:

services division and they helped

Speaker:

make elections happen.

Speaker:

We had a, we had policy folks within that space as well.

Speaker:

We had a communications division.

Speaker:

We had training folks to help train registrars and things like that.

Speaker:

We had an actual business part that also controlled the, the business aspects.

Speaker:

So there was multiple divisions, all had different things.

Speaker:

The IT thing, the IT division's primary focus was providing

Speaker:

these products and services.

Speaker:

Just like anything, just like any organization, IT organization providing,

Speaker:

we had our, we had customers let me back up first, we had the, our biggest system

Speaker:

was the central voter registration data, but we also had a campaign finance system.

Speaker:

It is required by law that the political candidates and such have to.

Speaker:

Be very transparent about where their money is, where the money's coming from

Speaker:

for their campaigns and things like that.

Speaker:

Even just down to putting signs in front yard, if you don't have certain things on

Speaker:

it who this was, who the page sponsor was or endorsed, or who's endorsing this th

Speaker:

those rules about that, but the campaign finance system was used to for anybody who

Speaker:

had any campaign that had the file what was, what the, where the money was coming

Speaker:

from and where it was going essentially.

Speaker:

And that was one of my, that was.

Speaker:

Second largest system.

Speaker:

We also have our website, our citizen portal website which, you, me as residents

Speaker:

of Virginia could go in and register to vote request an absentee ballot.

Speaker:

Since we knew that now I think different things like that.

Speaker:

Change of address type of stuff make sure that we're still registered

Speaker:

properly, all those things, so that's our citizen portal.

Speaker:

So those are our three main major products.

Speaker:

Obviously one of them was completely public facing the campaign finance one

Speaker:

was for the campaigns themselves, and then the central voter registration

Speaker:

databases meant for the department of elections staff, but also all

Speaker:

of the registrars and their staff.

Speaker:

And so we had a lot of different users.

Speaker:

Accessing a lot of different systems.

Speaker:

We had internal stuff too.

Speaker:

We under my purview I implemented the Atlassian suite of products.

Speaker:

If you're familiar as an example, Jira, Confluence, I was really

Speaker:

focused on bringing knowledge management and collaborative, project

Speaker:

management approaches using those systems to bag it through, when I

Speaker:

got there as an example agile was talked about, but it really wasn't.

Speaker:

And so I really had a strong push to get us, My division because it was, primarily

Speaker:

our focus was software development.

Speaker:

We needed to be doing software development.

Speaker:

The rest of the world is doing it, which is mostly agile, some form of agile right.

Speaker:

Scale or whatever.

Speaker:

So we started we started moving towards that and having systems

Speaker:

like Jira and Confluence were really important to make that happen.

Speaker:

And we use, we replaced a few of our other things like we had different ticketing

Speaker:

systems for software development and we had a different ticketing system for

Speaker:

just like normal help desk requests.

Speaker:

And.

Speaker:

I'm like, why are we using all these different systems and support

Speaker:

for licenses let's unify it.

Speaker:

And that actually talks to itself, living up to the government a

Speaker:

trend of inefficiency is the key.

Speaker:

Yeah.

Speaker:

And that was really a huge focus because, I've majority of my life, in public sector

Speaker:

whether it'd been the military organ at the FBI Stafford County, the majority

Speaker:

of my life has been public sector.

Speaker:

And I've seen this, all too often these inefficiencies and in a lot of

Speaker:

ways, wasteful spending and really wanted to But that was, that's always

Speaker:

in the back of my mind, whenever whatever decision I was making, about

Speaker:

how we were going to move forward.

Speaker:

I always thought about the taxpayers first and many of my staff or

Speaker:

former staff would say the same.

Speaker:

They would tell you.

Speaker:

Yeah.

Speaker:

Dan was always like taxpayer this taxpayer that, and it was true

Speaker:

because I'm a taxpayer, Virginia, this is my money going to this stuff.

Speaker:

So I want us to do this, I want us to be efficient.

Speaker:

I don't want a million products all in place.

Speaker:

It also makes it harder.

Speaker:

I was going to say, make your jobs easier when you start consolidating

Speaker:

your tool suite to a handful of things versus 9,000 exactly unified

Speaker:

experience, helps reduce administrative overhead as what I always said.

Speaker:

And so those were some things, just small things that I tackled especially

Speaker:

early on, it took a long time to make some of those things happen, but

Speaker:

that's the government way sometimes.

Speaker:

So anyway, yeah, that was a major focus to bring external best

Speaker:

practices to the organization as well, to reduce inefficiencies and

Speaker:

to reduce administrative overhead.

Speaker:

And again, that was like really important as a CIO, but then there's

Speaker:

a lot of other things going on too.

Speaker:

And one of the reasons my former boss brought me on is because of

Speaker:

my best cybersecurity background.

Speaker:

We had one information security analyst.

Speaker:

Wow.

Speaker:

When I began and that individual did not have all of the.

Speaker:

What they needed to have to be successful, to be honest in the role.

Speaker:

And it was very hard, but you asked about like voting systems and w and I kinda went

Speaker:

off the rails a little bit there trying to talk about the organizational structure

Speaker:

and how our customer, who our customers.

Speaker:

Yeah.

Speaker:

We had our public, we had our internal to the department customers, and then

Speaker:

we had all the registrars and then anybody, any of the campaigns, one,

Speaker:

one of the, we had different areas.

Speaker:

We had these voter, we had these platforms or general IT systems, but then we also

Speaker:

did have to support the certification process of all the voting technology.

Speaker:

And that was one of the strangest things to me, because like I'm coming in.

Speaker:

I don't know anything about.

Speaker:

These scanning, these scanners these electronic devices used to check

Speaker:

voters in at polling locations.

Speaker:

I had no idea.

Speaker:

And there's multiple vendors out there that are approved in the

Speaker:

state and they're all a little bit.

Speaker:

But what I did find out is that our certification process was very new and

Speaker:

in its infancy, when I first got there we, and we were revamping it at the time.

Speaker:

It was started before I got there the revamping of that, and it really

Speaker:

made us we created a certification process that helped match the Election

Speaker:

Assistance Commission at the federal level and exceed their standards that

Speaker:

they recommend for states to follow.

Speaker:

And it's now being fully implemented and it get where

Speaker:

there's a lot of focus on security.

Speaker:

Even down to wiping thumb drives that, that, that are

Speaker:

putting these computers there.

Speaker:

They have so many like different audit trail type of things associated

Speaker:

with how you transfer data is very spelled out so that way there's

Speaker:

nothing, no nefarious activity.

Speaker:

And then once it's done and over with you, or whether you're done using the

Speaker:

device or it's brand new, it's got a, you follow like DoD wipe standards, seven

Speaker:

pass wipes, things like that.

Speaker:

Those were never really spelled out before where they are now.

Speaker:

And a lot of work went into that and I cannot take much of the credit there

Speaker:

because when this was all happening I was dealing with a lot of other things

Speaker:

that I'll get into here in a minute.

Speaker:

But what am I one of my counterparts who left the agency before I did

Speaker:

he spent lot of time working with different vendors, different localities

Speaker:

and other experts, and to come up with this to make it a really solid.

Speaker:

Plan.

Speaker:

So bottom line is that if any vendor wants to sell election equipment such as

Speaker:

scanners or ballot scanners or whatever, they have to go through a rigorous process

Speaker:

it's gotta be approved all the way up to the State Board of Elections, which is the

Speaker:

oversight for the department of elections.

Speaker:

It's it was when I was first started a three member board.

Speaker:

Now it is a five member board as of, I think, okay.

Speaker:

July 1st, I think it became a five member board and they fill those slots.

Speaker:

They, that board has to approve any changes that are not like

Speaker:

super minor, like typo type thing.

Speaker:

They have to approve any change as recommended by the security team that I

Speaker:

did eventually stand up and myself and the commissioner once that all, once all the

Speaker:

internal approvals occurred, then it would go to the state board and we would have

Speaker:

to present it to them in public session.

Speaker:

Wha you know, and they would have to say yay or nay to it.

Speaker:

And then once that occurred, then that vendor could then sell whatever

Speaker:

product it is to the localities.

Speaker:

So that was a big deal.

Speaker:

Standing up, but a lot of other states or were pretty impressed with it.

Speaker:

And even maybe starting their own certification process to match ours.

Speaker:

I know that a lot of states like to look at us we looked at other states too.

Speaker:

We, I, Colorado is a a really good they set a really good standard when it comes

Speaker:

to elections and are a lot like us.

Speaker:

So I was, I got to converse with the Colorado, my CIO equivalent in Colorado.

Speaker:

Quite often, I was going to ask if you interacted with a lot of your

Speaker:

other counterparts in the other states to do, to kind of information

Speaker:

share, here's what we see works.

Speaker:

Here's what we don't see works.

Speaker:

I know that.

Speaker:

Like you said, each state has their own set of rules and the kind of things,

Speaker:

the way to execute, but there are still best practices within security.

Speaker:

And there's also things like, if somebody is becoming a test bed of

Speaker:

bad things, it's oh, Hey guys, just be aware where we're experiencing

Speaker:

this, be on the lookout type of stuff.

Speaker:

Absolutely.

Speaker:

And we definitely got a lot better over the three years that I spent there almost

Speaker:

three years I spent in the department w there was a lot of collaboration between

Speaker:

Our state are different states, our federal partners, and even local partners.

Speaker:

And then some even, partners that are private sector, CIS they have

Speaker:

the ISACs, information sharing and analysis centers, and they have them

Speaker:

for financial, well, there's an MS,

Speaker:

Multi-State ISAC, and under the MS-ISAC, they stood up an Elections

Speaker:

Infrastructure ISAC, which I also sat on their executive committee for

Speaker:

a period of time while at elections.

Speaker:

And that brought a lot of us together talking about different things and how

Speaker:

we can make things better, but also offering, intelligence to the best of

Speaker:

the ability without getting too crazy in the classified realm from national

Speaker:

the national security aspect, but there was intelligence sharing about threats.

Speaker:

There was we've had different.

Speaker:

Different big ransomwares that come out, right?

Speaker:

That would say they would send out messages.

Speaker:

There's what you're looking for.

Speaker:

Here's where you can report issues.

Speaker:

Here's where you can get help if you were attacked or whatever.

Speaker:

Like they're really good.

Speaker:

Everybody bonded really well.

Speaker:

In my opinion.

Speaker:

As time went on from when I first started elect and it was

Speaker:

really, actually felt very good.

Speaker:

It's not people really care about our democracy and want to collaborate and

Speaker:

want to share and want to be better because the building blocks of this country

Speaker:

are at risk, essentially post 2016 and coming together was really good.

Speaker:

Technology.

Speaker:

Being, as immature in the election space was, it was really important

Speaker:

to, to recognize that and to put a lot of effort and energy into that.

Speaker:

And I think that we are in a lot better place.

Speaker:

I, I hear a lot on the news about this.

Speaker:

I got a thing in Georgia, this Arizona, that following this last,

Speaker:

the last presidential election.

Speaker:

And, I can't speak to any other state, but I can say that holy cow, we were

Speaker:

night and day from when I first started to when we had the last few elections we've

Speaker:

had major elections with our ability to.

Speaker:

To protect ourselves to share intelligence, to recover, if there

Speaker:

is an issue to get the right people.

Speaker:

I had FBI, CISA slash DHS on speed dial.

Speaker:

I can call them anytime and say, Hey, I, this is an issue

Speaker:

I need help here or whatever.

Speaker:

And they were there without a problem.

Speaker:

And it, honestly, I don't, I didn't ever needed help with my area.

Speaker:

Thank God I my department, but I did support a lot of localities

Speaker:

who really, some of them.

Speaker:

Yeah.

Speaker:

That's call this the salacious part of the conversation, or at least a

Speaker:

little bit, if you experienced it, you, I remember you making a comment.

Speaker:

I think we talked at some point last year where you were talking about the national

Speaker:

exposure that Virginia had in this last election, because it was only one or two

Speaker:

governor's races in the whole country.

Speaker:

So when something like that happens and you've got that spotlight

Speaker:

on you, are you getting, do one?

Speaker:

Do you feel the pressure, but two, are you getting a lot more

Speaker:

outreach from those other places?

Speaker:

Because they're, the national focus is very limited.

Speaker:

So were you getting proactive phone calls from CISA and FBI and absolutely.

Speaker:

Absolutely.

Speaker:

And it wasn't just this election, to be honest with you.

Speaker:

It was, it, we, we had, there was a lot of productivity throughout the.

Speaker:

Last two years, I'll put it that way with my last few years there.

Speaker:

Even if it was smaller elections that weren't even on, they were always there.

Speaker:

And a lot of times proactive.

Speaker:

There was a lot of pressure on the agency, on the localities, the registrars in this

Speaker:

last governor's race, it was in a way it was worse than the 2020 election for us.

Speaker:

No, not in a way.

Speaker:

It was because, and we knew going into that that there was not many elections.

Speaker:

It was an election is off year for most people, but in Virginia and my, my, my

Speaker:

former boss used to say all the time, like we're always having elections.

Speaker:

People ask us, it's annoying.

Speaker:

I live in Stafford where you it's super, super annoying.

Speaker:

Sorry.

Speaker:

I had to enter.

Speaker:

Of course.

Speaker:

Yeah.

Speaker:

It's like all the time.

Speaker:

There's like an election.

Speaker:

I think.

Speaker:

On average, we're having six elections a year, the last pretty much every year

Speaker:

I worked there, it felt like it was like, say it could be something small,

Speaker:

like a special election, or it could be a little larger state level election,

Speaker:

or it could be a national election.

Speaker:

There's always, there was like, there was always elections going on.

Speaker:

And for me and my team whatever, whether it was a big presidential or

Speaker:

it was a Virginia governor's race, or it was a special election, honestly.

Speaker:

There's more attention with the bigger races, but the amount of work we had to

Speaker:

do on our end was the same, getting the systems ready and all that our election

Speaker:

services division, as well as my division.

Speaker:

I had to put about as much effort in for every single election,

Speaker:

no matter what the size was.

Speaker:

Obviously there's more, little bit more to it with the bigger

Speaker:

ones, but it sure felt the same.

Speaker:

And it was constant.

Speaker:

It was there, there was always an election.

Speaker:

There was always the same, concerns.

Speaker:

And that made some of my chain, most people at, in the previous

Speaker:

role in other previous roles will say, I'm a change agent, right?

Speaker:

Like I, I go in and I'm looking for problems and looking

Speaker:

out to solve the problems.

Speaker:

And that's one of my, one of my key contributions and in the workplace overall

Speaker:

it was really hard to push forward, change the way I want it to not just because I'm

Speaker:

in the government entity, public sector is not always easy and it's really slow.

Speaker:

And it, it gets bureaucratic at times.

Speaker:

When there's always an election going on, you can't be making changes to systems.

Speaker:

We will go and change all this other stuff.

Speaker:

And it really made it difficult to push the ball forward sometimes.

Speaker:

So we really tried to like cram things in last year was a great example.

Speaker:

The Virginia Information Technologies Agency had had a had to move the

Speaker:

data center that their on-prem data center to a new place.

Speaker:

And we knew about that for awhile.

Speaker:

Unfortunately some of their requirements and rules will not let us move some

Speaker:

of our physical servers away to their new data center because they were

Speaker:

virtualizing everything to make, to meet the governor's executive order

Speaker:

from a few years ago, which required all agencies to get to the cloud by XYZ.

Speaker:

And I spoke about VERIS, the central voter registration

Speaker:

database and it was a beast.

Speaker:

And one of our database servers required a lot of memory, a lot of

Speaker:

memory that they would not be able to get for us in that environment.

Speaker:

So we had to quickly pivot on a dime and make, I had to make a decision to move

Speaker:

not just that platform to the cloud, but decided that if we're going to do one and

Speaker:

the one that we're doing is our biggest.

Speaker:

And we have all these integrations with the other parts of it.

Speaker:

We might as well do it all.

Speaker:

And so we were also supposed to be doing redistricting based off

Speaker:

of the 2020 census with.

Speaker:

I believe so.

Speaker:

I know some of that stuff is going on now or has just got wrapped up.

Speaker:

So it's now going on right now.

Speaker:

But we were supposed to start it last year on this time and it was like,

Speaker:

how are we going to do all this?

Speaker:

And thank God for at the time that the census and the state was not, they were

Speaker:

not ready to do it in the spring, in the late winter, spring of last year.

Speaker:

And so last year we migrated every application and everything

Speaker:

to the cloud to to Azure.

Speaker:

And that was a big win, but it was a nightmare.

Speaker:

And we were trying to do it in between special elections.

Speaker:

And we had the potential for having to start this redistricting.

Speaker:

And we didn't know when that was coming.

Speaker:

So there was a lot, and it took us till I think the majority of the

Speaker:

guy done by June at migration and I think we were the first agency.

Speaker:

At least executive branch agency in Virginia to migrate all of

Speaker:

its applications to the cloud.

Speaker:

Meanwhile, while dealing with elections and whatnot and getting ready for

Speaker:

this big gubernatorial one that we just went through in November,

Speaker:

like there was so much going on.

Speaker:

I thought 2020 was bad, 2021, honestly put 2020 to shame.

Speaker:

And in retrospect I cannot tell you how last year was a lot.

Speaker:

There was a lot going on between the cloud migration and these

Speaker:

elections and, projects that we're trying to keep in moving forward.

Speaker:

There was a lot.

Speaker:

And so that, that was long-winded, but it was definitely a rough.

Speaker:

A rough experience.

Speaker:

How much, and I don't know if you experienced this at your time, that

Speaker:

is there if it did some of the elected officials, if there was changeover, I'll

Speaker:

say either from one party or ideology or priority even if it was, would play

Speaker:

into either your decision-making or something that you had active going on,

Speaker:

you mentioned the the executive order.

Speaker:

But I would imagine that, let's say there was a switchover at a board of

Speaker:

supervisors in a county or, the state legislature swaps houses or something

Speaker:

like that, that reshuffles things around.

Speaker:

Did you experience any of that at your, in your time?

Speaker:

Other than having to do special elections as a result, like at one person leaves

Speaker:

and then they have no, but no policies or no, no internal priority changes

Speaker:

within the elections department.

Speaker:

Not really experienced.

Speaker:

I'm sure it's probably different today as we have a new governor.

Speaker:

I left right at the beginning of January before the change of power

Speaker:

and never really saw much policy change in that regard because I

Speaker:

was the entire time I was there.

Speaker:

Governor Northam, was a governor.

Speaker:

And even though seats were changing, the one thing that I did, the one

Speaker:

thing that did occur, but I would not have it, it seemed normal for me

Speaker:

because at the time I think when both, I think both chambers went blue when I

Speaker:

first the, it was like the first year.

Speaker:

Yeah.

Speaker:

That was like the first year in a long time.

Speaker:

That's happened the first time in 60 years or something crazy or whatever that

Speaker:

may have been right when I got there or.

Speaker:

Shortly thereafter.

Speaker:

And the amount of laws, election laws were Cree.

Speaker:

I think we had 57 or 58 legislative changes ahead of 2020

Speaker:

that needed to be implemented.

Speaker:

And a lot of those were like required.

Speaker:

IT changes and it really crushed my development team and Mike and the QA

Speaker:

folks and our infrastructure folks who were putting the deploy doing

Speaker:

these deployments or DevOps folks.

Speaker:

It was just, it was like there was change after change.

Speaker:

And I remember we, didn't a good example of our immaturity.

Speaker:

We didn't have change control when I got there.

Speaker:

There was people doing deployments.

Speaker:

Without me even knowing about it as a CIO and then come in the

Speaker:

next morning and VERIS is down.

Speaker:

And it's what happened?

Speaker:

I called my director of this area software development, and he didn't

Speaker:

know exactly what was going on.

Speaker:

And then I called this other guy and he said, oh yeah, we did that last night.

Speaker:

And I'm like, okay, nobody told me about that.

Speaker:

And that was systems that we broke something and there's no record it.

Speaker:

Like it was that type of crazy when I got, when I first got there, it

Speaker:

didn't stay that way for very long.

Speaker:

I think three months, I had change control, we were having weekly

Speaker:

meetings and we made it, all the directors basically were voting

Speaker:

members of the change advisory board.

Speaker:

And, like I would be the either overrule or a tiebreaker person and know.

Speaker:

IT governance 101.

Speaker:

But the whole point of saying that was that there were, because there

Speaker:

were so many changes happening as a result of the legislative changes.

Speaker:

Some of these bills had been, they tried to get through for years.

Speaker:

And, if I guess in the case of the majority alleged the legislative

Speaker:

branch being blue, now that there was a lot of people on the Republican

Speaker:

side that were blocking those bills.

Speaker:

So as soon as they had majority, all these things started flowing like a faucet and.

Speaker:

It was wild.

Speaker:

How many things that were coming through at any given point in time with that,

Speaker:

because there was a system change here, early voting was one of them,

Speaker:

early voting, which we do and absentee, early, early slash absentee vote.

Speaker:

I do early voting person.

Speaker:

And that's it's really awesome to have that ability, but the amount of changes

Speaker:

I thought about you last year, yeah, thanks for my life is way easier now.

Speaker:

But my team really like they, they work countless hours to,

Speaker:

to implement these by the cause.

Speaker:

It's not just that these laws get passed.

Speaker:

Implementation deadlines, July 1st is when most laws go into effect in Virginia.

Speaker:

But in some, and most of these changes had to go in by July.

Speaker:

First of every year, every time they would do this, some of them could be

Speaker:

staggered cause it would be like the next presidential election or whatever, or

Speaker:

the next federal election I should say.

Speaker:

And so that some of those gave us some leeway, but for the most part,

Speaker:

they had to be implemented right away.

Speaker:

And when it's hard for a legislator to know the implications of all these

Speaker:

changes coming through all at once and how fragile our systems are sometimes,

Speaker:

specifically I spoke about VERIS and how these changes were a hard to make be.

Speaker:

We don't want to like have them.

Speaker:

Making multiple changes at the same time, break something completely anomalous

Speaker:

with, and having those conversations, the charted out was just, it was crazy.

Speaker:

And then the deadline doesn't make it easy either because now you're rushing things.

Speaker:

And we because we were also immature in certain areas.

Speaker:

I think I like to QA people from, having the QA, all, three major systems,

Speaker:

three major platforms, any changes that happen to two people that can QA it.

Speaker:

And I'm pulling other people in some of our BAS and whatnot to help with that.

Speaker:

And that's hurting them too.

Speaker:

But like I wish at points in time, I wish that the legislators knew the

Speaker:

consequences of what they were doing.

Speaker:

To us and how it was very hard because we're still a small team.

Speaker:

I think at the end, between contractors and employees, I might've been like

Speaker:

40 plus just a little over 40 people at the max and, with all the customers

Speaker:

internal, external, and then in the field with all the systems that we had,

Speaker:

it was a lot, it was quite a bit I know that they're in a better place now.

Speaker:

When any whether we're talking about public sector, private sector,

Speaker:

whenever there's a requirements are downward driven I believe that

Speaker:

it's very important for those folks making those decisions to really.

Speaker:

Truly understand the ramifications of what they're asking or directing.

Speaker:

And it would have been, although we were very successful in making all the

Speaker:

changes that we were required to make, obviously, because we don't want to be

Speaker:

in violation of the law and get sued.

Speaker:

The fact of the matter is that it takes a toll on people.

Speaker:

People have to do the work and, if the budget doesn't allow me to hire

Speaker:

more people and train them up, that's going to make it even more difficult.

Speaker:

I am very grateful for my team to this day and all the work that they

Speaker:

did to make all these things happen.

Speaker:

I can say with, without a doubt, that Virginia did a great job in

Speaker:

all the elections, since I was been there making them, accessible

Speaker:

to everyone and free and fair.

Speaker:

And no, that's no, that's awesome.

Speaker:

And I think.

Speaker:

I want to echo that sentiment because I've actually had that conversation

Speaker:

recently that it seems like large.

Speaker:

Some of those fortune 100, 500 companies take that same approach.

Speaker:

And as someone that driven lots of projects, you've got to have all

Speaker:

those stakeholders at the table.

Speaker:

It's not that you're against the changes that are coming, but don't make an

Speaker:

arbitrary decision without understanding exactly the, kind of the scope and

Speaker:

level of effort that goes into that.

Speaker:

And matter of fact, you'll be a champion of that instead of having

Speaker:

arbitrary timeframes, which is for better or worse in your case,

Speaker:

probably what happens when you get.

Speaker:

An elected official with no experience in this and making promises that they

Speaker:

don't exactly understand in some cases.

Speaker:

And I think it's worked for us, like people like me and my peers and my leader.

Speaker:

It's, I think it's also important that, we try to educate them.

Speaker:

And if I talk to you about localities and I don't know how much time we

Speaker:

have, but if I talked about localities and get more on the security topic

Speaker:

one of the things that I would do with so I assisted them all multiple,

Speaker:

cyber attacks at localities across Virginia dive into that for a minute.

Speaker:

Oh without you, so you know what, at one point there was a rural

Speaker:

locality who did not really.

Speaker:

Any more than a guy that showed up once a week for a few hours

Speaker:

to up printers and whatnot.

Speaker:

This locality got completely taken down by a ransomware attack and was out

Speaker:

of commission for a month and a half basic services like life safety type things like

Speaker:

911 and things were back up pretty quick or either were up pretty quick

Speaker:

or were not effective in the same way.

Speaker:

So the worry, the concern that wasn't bad, but that's still a huge concern

Speaker:

and validating that they're okay.

Speaker:

Was really important.

Speaker:

But when all of your constituent services, whether it's getting a

Speaker:

building permit, election, whatever, pay the water bill, like personal

Speaker:

property taxes, things like that, when you can do those things like that.

Speaker:

Puts you in a grinding halt.

Speaker:

And it's not just about the county collecting revenue, but if I'm if

Speaker:

I'm building a house or want to put stairs off my deck and I need

Speaker:

a building permit and I can't do it because you're sure your phones are

Speaker:

down, can't get in touch with you.

Speaker:

I walk in theaters are down and can't do nothing for you.

Speaker:

That's pretty bad.

Speaker:

And that happened numerous times in my tenure and.

Speaker:

'cause there was a law that was passed back in, I think the 2019 general

Speaker:

assembly session that basically gave the department of elections, the authority

Speaker:

to ensure that locality security met a specific set of standards that eventually

Speaker:

myself and a work group created.

Speaker:

And then the state board promulgated out to all the counties.

Speaker:

So like when, and when you say security, not just election security,

Speaker:

but you're talking about a whole infrastructure, whole everything security.

Speaker:

So here's the thought process here.

Speaker:

And I'm going to bounce around a little bit.

Speaker:

So a few years ago there was a locality out there and I said, this

Speaker:

is some public speeches that I made.

Speaker:

You can probably Google it pretty easily too.

Speaker:

Now this isn't, this one be public, but bottom line they bought.

Speaker:

Was it Kaspersky?

Speaker:

Yeah, I think.

Speaker:

Oh yeah.

Speaker:

Yep.

Speaker:

And then you might've heard this story off.

Speaker:

We talked about this maybe off on a side or something, and one

Speaker:

time they got Kaspersky that, that individual, that was the sole

Speaker:

information security officer analyst.

Speaker:

When I got to the agency had said, can't use that.

Speaker:

It's like Russian is a Russian, product.

Speaker:

And that was a nighttime news thing.

Speaker:

And it's on the DHS

Speaker:

do-not-use list, basically.

Speaker:

She told the, whoever was running IT in this locality, they said

Speaker:

don't care, money's spent, we're keeping it.

Speaker:

My boss ended up calling, I think it was my boss.

Speaker:

That ended up calling the locality.

Speaker:

County administrators, city manager type.

Speaker:

And they sided with the IT thing.

Speaker:

Eventually it caused a lot of waves.

Speaker:

Eventually they removed that.

Speaker:

We negotiated for them to remove it from the election computers,

Speaker:

but this got brought up.

Speaker:

And so the law basically says that because the registrars in each locality are

Speaker:

supported by the by locality, they're not.

Speaker:

Their paychecks come from locality, but some of that money comes from the state.

Speaker:

There's some reimbursement for the registrar, but they're not

Speaker:

really full state employees.

Speaker:

The, I think they're considered constitutional officers, so

Speaker:

they are in a way independent.

Speaker:

They don't report up through the county administrator city manager.

Speaker:

I want to say, I want to say something only because you triggered

Speaker:

a thought and I want to tell you a story after you get done.

Speaker:

I was told board of supervisors were constitutional authorities and they

Speaker:

didn't have to abide by any of the IT regulations of anybody anywhere.

Speaker:

And I looked in their face and I said, you want, I don't believe you.

Speaker:

But to anyway, I digress.

Speaker:

I don't know.

Speaker:

I don't know about that one.

Speaker:

I have the board of supervisor They're supposed to follow the same rules

Speaker:

that are driven by the policies and procedures from the IT department, if

Speaker:

there is an IT department, but that's all, then we'll talk about that.

Speaker:

It's interesting.

Speaker:

It's interesting.

Speaker:

So these folks are getting the registrars are getting their

Speaker:

computers from the locality.

Speaker:

And if we use the locality, I was just starting to talk

Speaker:

about the ransomware attack.

Speaker:

They got one IT contractor that shows up once a week.

Speaker:

Sure.

Speaker:

And for a few hours and, might just be a computer savvy person, but may

Speaker:

not have an A+ certification, let alone something more.

Speaker:

You can imagine that there's no group policies, you'd be lucky if

Speaker:

there's these endpoint protection.

Speaker:

So access control.

Speaker:

So we, yeah, so these computers though, are connecting back to our

Speaker:

central voter registration database.

Speaker:

And that was the linchpin.

Speaker:

If you are connecting to our system with your systems, they

Speaker:

have to meet these requirements.

Speaker:

And so the scope of it is just elections computers, but Hey, you

Speaker:

still need to have a firewall.

Speaker:

And if those election computer systems are on a domain and that domain controller

Speaker:

now becomes part of that scope, are you in the same network or the same subnet,

Speaker:

even if you VLAN it, it doesn't matter.

Speaker:

You gotta think about everything that, that touches were

Speaker:

at something had happened.

Speaker:

So this caused a lot of issues and it still is causing issues, this law

Speaker:

and it but it's the first time that a law basically put any sort of.

Speaker:

Cybersecurity requirements over localities in any way, shape or form.

Speaker:

Now the scope was again, just elections activities, connecting back.

Speaker:

Okay.

Speaker:

But that scope can be expanded at some local.

Speaker:

It's very easy to do that.

Speaker:

I've made the comment.

Speaker:

I said, I can take a cyber security hole.

Speaker:

How far deep do you want to go?

Speaker:

The problem was, some of this stuff costs a lot of money and sure.

Speaker:

If you have a rural locality that doesn't have the, the revenue, if you will,

Speaker:

to hire IT folks or the right IT folks for the right products, then you're.

Speaker:

In between a rock and a hard place.

Speaker:

I think and I think that some localities chose to completely kick or to create

Speaker:

completely independent networks and computer systems, because they said it

Speaker:

was too much work, too much effort to do it across their whole enterprise.

Speaker:

And I begged and pleaded on the side saying, this is not the right move.

Speaker:

This is the opportunity that you guys should be taking to do X, Y, Z across

Speaker:

your entire platform as much as possible.

Speaker:

Because if you just say you're prone to your okay.

Speaker:

Election elections activity in locality might be okay,

Speaker:

but what about your 911?

Speaker:

That's a life safety thing.

Speaker:

When, if they're on the same network, wouldn't you want to like, just kill

Speaker:

two birds with one stone, if you could.

Speaker:

And some people chose different and it's not my, it was not my place as the POC or

Speaker:

head of that whole program and instituting this on behalf of the state board, it

Speaker:

wasn't my place to tell them how to do it.

Speaker:

I just said, here's the requirements.

Speaker:

It is.

Speaker:

We got to do to meet them.

Speaker:

You choose whatever way you want to meet them.

Speaker:

My main concern is the protection of the voter registration database and

Speaker:

safe and secure elections in Virginia.

Speaker:

But if I take my CIO hat off and put my, the Persico hat on just

Speaker:

me, I don't do that to yourself.

Speaker:

And here's why the ransomware attack that we had, that I was

Speaker:

starting to talking about, a month and a half a month and a half of.

Speaker:

I would say Mo I would say two weeks of completely, nothing after

Speaker:

about two weeks, some main things started coming back, which were

Speaker:

available to recover some main things.

Speaker:

And then, after a month they started getting more of the outliers back

Speaker:

online, but it was, for two to three weeks, almost completely

Speaker:

crippled, you know what I'm saying?

Speaker:

And a locality can't do

Speaker:

What it's meant to do because it didn't take the proactive steps.

Speaker:

So one of the things that I did through this process and through some others is I

Speaker:

met with the state Medisafe, or I'm sorry.

Speaker:

I met with the board of supervisors.

Speaker:

In some cases I met with the electoral board at the localities who oversee

Speaker:

the registrar and hire the registrar.

Speaker:

I met with these folks and I said, you got to invest in this because this

Speaker:

is what happens when you don't it.

Speaker:

And you don't want.

Speaker:

Tap.

Speaker:

And again, we're having emergency meetings until midnight and blah, blah, blah.

Speaker:

Everyone is freaking out right now.

Speaker:

This could have been prevented if there was more proactivity and you can't

Speaker:

always protect against all threats.

Speaker:

But one thing that they really screwed the pooch on this one case

Speaker:

they didn't have offsite backups.

Speaker:

They had an attached NAS storage on a server that had a password that

Speaker:

was basically basketball password.

Speaker:

That's like as the security we're talking about and the lack of contingency

Speaker:

planning or incident response.

Speaker:

There's not like nobody, nobody knew what to do when this happened.

Speaker:

Either it took a week just to get everybody involved.

Speaker:

And I when it got to me is I'm the one that started making the

Speaker:

phone calls I had within about 12 hours of finding out I had.

Speaker:

Everyone on the phone from FBI, CISA, state police, National Guard, and

Speaker:

everyone showed up and they, everyone came together and did the right thing.

Speaker:

But boy oh boy, it was a mess.

Speaker:

And here's the other thing in that case, the locality county administrator

Speaker:

did not want to hear her advice from all these people, including

Speaker:

me, shut me out, shut me down.

Speaker:

She was worried about her reputation more than recovering.

Speaker:

And so we're to all leaders out there, put your, puts your own emotions and your job

Speaker:

security aside, your job security minded, self aside for a second and do the right

Speaker:

thing because that, that individual made a lot of missteps, a lot of missteps and.

Speaker:

Yeah.

Speaker:

When I asked about yeah, I wanna, I want to ask a short question and

Speaker:

then I want to tell you experience.

Speaker:

I had to see if this is what in the localities.

Speaker:

You talked about getting cyber standards and there was a law there.

Speaker:

Were you using like a NIST standard or did you make up your own set of rules?

Speaker:

We actually did start from the NIST, but we knew that there was no way that all

Speaker:

the localities, all 133 localities were ever going to meet, which one, which

Speaker:

special population were you trying to align to the cybersecurity framework?

Speaker:

Just to CSF one.

Speaker:

Okay.

Speaker:

Starting from there.

Speaker:

And we did do, top 20 top eight, we combined the two of those.

Speaker:

And we w so the work group, it was a work group that was formed.

Speaker:

And the work group was led by me.

Speaker:

I was the chairman for it, but I had locality IT directors, CIO slash

Speaker:

CISOs slash you know, you name it.

Speaker:

As far as Alside JLR the the legislative audit, I forget what the acronym stands

Speaker:

for from the state that were there.

Speaker:

I had representatives from the VML and VACo, the Virginia municipality league

Speaker:

and the Virginia association of counties.

Speaker:

We had a huge work group.

Speaker:

We met every three weeks from like May of 2019 to October, every three weeks we

Speaker:

met in person and for four hours we had four hour sessions in the Richmond area.

Speaker:

And we, it started off bad.

Speaker:

I make the joke, like people were throwing chairs at each other, but

Speaker:

people were raising their voices.

Speaker:

It was not because we.

Speaker:

Like we had everything from who are you, big state to tell us what to do.

Speaker:

And we had people like, that's not, that's just bullshit.

Speaker:

We shouldn't have to do that.

Speaker:

And it was you name it.

Speaker:

We had some, it was a lot of infighting, but eventually I say within the first

Speaker:

month or two of doing this, like people got on track and started to see the

Speaker:

light and what we're trying to do here.

Speaker:

And it became the, it ended up being the standards were ended up being

Speaker:

a reasonable set of expectations that we can push on localities.

Speaker:

And the idea was to, to now, as of my last meeting with the group,

Speaker:

cause we have a work, we saw, we have an advisory group now that is

Speaker:

all the time that meets to decide if the standards need to be adjusted.

Speaker:

So the idea is that the standards will be adjusted based off of the threat landscape

Speaker:

and and but we started starting small.

Speaker:

And then figure out where we're at.

Speaker:

There's a lot of folks that are still struggling there and

Speaker:

we are doing different things.

Speaker:

So we had, we got to with, through UVA and a consortium with a bunch of

Speaker:

colleges, including Virginia Tech, UVA, Norfolk State, George Mason, I'm

Speaker:

trying to think VCU is a big one.

Speaker:

We create, we're creating a cyber navigator program to get,

Speaker:

have students come and help.

Speaker:

Localities.

Speaker:

So they learn and then locality can get some help.

Speaker:

So that program is taking off.

Speaker:

We did a pilot with a locality in Southwest Virginia that I

Speaker:

led last summer in the fall.

Speaker:

And it did produce some good outcomes there, but there's a lot of different

Speaker:

things in the works there to try to increase the overall cybersecurity

Speaker:

posture of the Commonwealth, because localities are a part of this.

Speaker:

It's funny.

Speaker:

You mentioned the universities, 'cause in the latest study that came

Speaker:

out of the biggest industries that are hit universities and research

Speaker:

institutions are number one.

Speaker:

And it's not even close if you go look at the chart.

Speaker:

Yeah.

Speaker:

So I'll tell you the experience that I had a few years ago with another county.

Speaker:

As far as I wasn't looking for anything, I was doing some volunteer

Speaker:

work for the front of the local chamber of commerce, and I came across

Speaker:

something that just wasn't right.

Speaker:

And so I knew everybody in play except for the local IT staff.

Speaker:

And ended up, setting up a meeting.

Speaker:

And I said, because I wasn't necessarily getting responses.

Speaker:

And then I knew the county administrator, so I knew how to make it happen.

Speaker:

So I reached out and had the, the meeting to understand, the lack of budget, the

Speaker:

lack of resources, and no kidding, almost proud and bragging about the ability

Speaker:

to do things that are horrible as far as, taking, equipment past end of life.

Speaker:

And I'm not talking obviously election equipment, but, I know these guys had

Speaker:

purview over essentially everything, sheriff first responders, all of that

Speaker:

type of stuff and a very minuscule staff for even just the amount of people

Speaker:

to support much less, who knows what systems are and stuff are in play.

Speaker:

Is that.

Speaker:

Do you see with now all of the exposure in the local government, I use elections

Speaker:

obviously as being a news dominating piece of technology for state governments, that

Speaker:

there's going to be a ramp up and funding to better implement technology across

Speaker:

the board and cybersecurity standards.

Speaker:

I certainly hope so.

Speaker:

I know that there's, there was a lot of talk about this this

Speaker:

infrastructure bill at the national level and what that would be used for.

Speaker:

I know that CISA's upping their game with hiring a lot

Speaker:

more people making the pay.

Speaker:

And you still got to have the boots on the ground in the

Speaker:

localities to execute day to day.

Speaker:

That's all true, but it starts at the top.

Speaker:

And.

Speaker:

You know it again, if you technology is not cheap paying good

Speaker:

technologists is also not cheap.

Speaker:

If you want somebody good, not somebody that can just connect the

Speaker:

printer or reboot a computer for you.

Speaker:

These people, either go to school for it or they spend a lot of money

Speaker:

getting certified and et cetera, et cetera, you cannot look, you can't.

Speaker:

Expect a locality.

Speaker:

That's got a very small population to generate the amount of revenue

Speaker:

themselves, somebody 150,000 a year, to run their IT and security stuff.

Speaker:

You just, that's just not going to happen.

Speaker:

So without grants or some external funding, you're going to continue

Speaker:

to see that, that being a problem.

Speaker:

Now, there are ways around it.

Speaker:

And, you could do, different things with contractors and whatnot, so you're not

Speaker:

paying maybe for somebody on full time, but a lot of the time it's just, there's

Speaker:

the other component here that I've noticed is that you'll have leaders in

Speaker:

roles like boards of supervisors, county, administrators, and things like that.

Speaker:

And not to be disrespectful to any of them, but a lot

Speaker:

of those folks are not this.

Speaker:

I know where you're going because I've seen regulatory, but if you have somebody

Speaker:

who's 80 years old, who's retired and been in, got appointed to this position

Speaker:

or got elected to this position.

Speaker:

They know what they know what their advisors tell them.

Speaker:

And who knows what kind of their knowledge background is and what they

Speaker:

see threats to be and where they want to, approve budgets to, that for that

Speaker:

money to go here, there anywhere.

Speaker:

That is a huge problem.

Speaker:

More so in the rural localities than not that I see.

Speaker:

I think I mentioned earlier, educating leaders is a huge

Speaker:

component to a successful cyber security program or operation.

Speaker:

And I will say I am very thankful.

Speaker:

I wasn't keen about the 57 legislative changes or 58 legislative, but I am

Speaker:

very thankful to them because they gave me three bodies, three brand new

Speaker:

full-time positions just to stand up.

Speaker:

I stood up a cyber security team in elections back in 2020.

Speaker:

And the team is going strong now, heard it just hired a CISO

Speaker:

and I'm really happy about that.

Speaker:

I was able to get that, but, I think for, if I was one of those members of

Speaker:

the general assembly and I see this.

Speaker:

For cybersecurity around elections.

Speaker:

I couldn't could not vote for it.

Speaker:

That would just be really bad, look bad.

Speaker:

But and I'm thankful that we got those spots, but what happens at these

Speaker:

localities or other states or other, even nonprofits and private sector,

Speaker:

like with the leaders, don't understand the risk of not doing something because

Speaker:

nobody's advised them or if they've been advised and they're just like I

Speaker:

got to do this, a friend of mine who represented localities in Virginia

Speaker:

through one of the lobbying groups when I was having a conversation with

Speaker:

them about this kind of situation.

Speaker:

And they said Dan, if it's between another deputy on the street or a fire truck or

Speaker:

your security requirements for computers, what do you think is more important?

Speaker:

What do you think that the board of supervisors or whoever's

Speaker:

going to think is more important?

Speaker:

And I said, I know the answers, I know your answer to that,

Speaker:

but that is not my answer.

Speaker:

It depends on what's going on as a cop, former cop who has, was had to

Speaker:

pull extra shifts at times and do extra things because our manning was

Speaker:

low or our cars were broke because we.

Speaker:

We use our cars into our cop cars, into the ground.

Speaker:

And I worked entire shift without heat in the middle of winter in

Speaker:

a vehicle because they couldn't afford to fix it, having been there.

Speaker:

I get it, I get some of the sentiment that individual is telling me,

Speaker:

but I'm like, okay, so it's great.

Speaker:

If you have more deputies and more fire trucks, but what happens

Speaker:

when you can't dispatch them?

Speaker:

Because the entire 911 dispatch system down your radios are down,

Speaker:

your phones are down because you didn't think about the technology

Speaker:

implication of this, or even worse.

Speaker:

Think about it this way.

Speaker:

As a cop.

Speaker:

If I pull somebody over and I run an NCIC check on the license plate

Speaker:

or the driver's license and, or the driver's license, and the person has

Speaker:

an active warrant armed and dangerous.

Speaker:

Obviously if I pull somebody over and like the vehicle was flagged for having

Speaker:

it's going to tell me right away, and I'm not going to approach that vehicle

Speaker:

until I have backup, it becomes a high risk traffic stop at that point.

Speaker:

But if I don't know that because the computers are down and I can't get

Speaker:

that information and I walk up to the car and say, license, registration,

Speaker:

here's the reason I pulled you over.

Speaker:

And the guy just pulls a gun out and shoots me.

Speaker:

Now you have an officer dead because of a technology issue.

Speaker:

People don't realize how technology has truly become the cornerstone

Speaker:

of every aspect of our society.

Speaker:

And if we're not protecting it, we're not investing in it

Speaker:

and we're not protecting it.

Speaker:

We're gonna, we're gonna, these threat actors are gonna always.

Speaker:

You know ahead of us, even though we're trying to stay ahead of them,

Speaker:

and they will always continue to wreak havoc for whatever their motives

Speaker:

are, they will continue to do that.

Speaker:

So it is really important that leaders at all levels, all sectors realize

Speaker:

that organizational risk managers.

Speaker:

Is needs to account for our technology risk or digital risks,

Speaker:

sensitive data, things like that.

Speaker:

I know that, one of the things that I did as well at ILAC

Speaker:

is introduced data privacy.

Speaker:

We might have hired a privacy officer and made it part of this cybersecurity thing.

Speaker:

I'm going to talk about that next week in that I was telling you earlier, before we

Speaker:

went live, I'm speaking at an event next week and government innovation event.

Speaker:

And I'm going to really talk a lot about how it's important to look at

Speaker:

cyber security in a more organizational risk management perspective, but also

Speaker:

how you can include data privacy.

Speaker:

Data privacy is, got made huge out of GDPR and over in the, in the European

Speaker:

union, a few years ago, back in 2016, I think is when it went into effect.

Speaker:

California's got some similar rules.

Speaker:

We passed a consumer data privacy law in Virginia last year.

Speaker:

Those are huge and it, and cybersecurity, data privacy and organizational compliance

Speaker:

and organizational risk should all be folded into one area really in, and it

Speaker:

needs to be, it needs to go to the CEO or the boards that that maybe oversee

Speaker:

or there, whatever the title is at the top, it needs to get to the top so that

Speaker:

people are funding the proper things and really addressing the risks before they

Speaker:

become a disaster for the organization.

Speaker:

It happens so many times if you read articles, but the other thing I hear all

Speaker:

the time, I'm going to shut up after this.

Speaker:

It's not going to happen to us until.

Speaker:

Absolutely.

Speaker:

I know you're not there anymore.

Speaker:

And I wanted to ask this as the final question to wrap up if you, on your way

Speaker:

out, could there like wave the magic wand in the public sector and in the

Speaker:

areas that you were doing to go, I, you accomplished a lot with the modernization

Speaker:

to the cloud and getting some of the cybersecurity principles in place.

Speaker:

What does that thing that you could have, you felt that was maybe left

Speaker:

unfinished or you would have liked, you could snapped your fingers

Speaker:

would have been the next thing.

Speaker:

Honestly, I think I set it on the right trajectory.

Speaker:

It was more of follow through.

Speaker:

There were some bigger issues that I wanted to work on this.

Speaker:

Overall and bring other partners in to help fix.

Speaker:

I really wanted to unify cybersecurity across the Commonwealth

Speaker:

efforts to do so already.

Speaker:

And some of those were I was involved with but it was really important to,

Speaker:

in my opinion, looking back, and I will say this, even if it probably gets me

Speaker:

in trouble, if anybody sees us this is how I'm going to title the episode.

Speaker:

Now, here we go.

Speaker:

Cybersecurity data privacy those key, thing, those key areas to combat

Speaker:

the, or mitigate digital risk need to be more unified in Virginia.

Speaker:

You got your three branches. VITA, the Virginia Information Technologies

Speaker:

Agency, is by law

Speaker:

Going to take care of security and infrastructure for all executive

Speaker:

branch agencies which is the majority of the state, but then you don't

Speaker:

have outlying independent agencies.

Speaker:

You've got the legislative branch who did actually suffer an attack.

Speaker:

Remember a few months ago, the, yeah.

Speaker:

And then you have your judicial branch and you've got organizations like state

Speaker:

police Virginia's Homeland security group, or I forget the department,

Speaker:

I forget what their public safety and Homeland security for Virginia.

Speaker:

And they have some roles and responsibilities over incident

Speaker:

management and emergencies such as a ransomware attack.

Speaker:

And then you've got localities and then you've got these other kind of outliers

Speaker:

out there that somehow contribute.

Speaker:

There's not a unified front.

Speaker:

I, I was aware that previously I think what was the last Republican governor?

Speaker:

It was before McAuliffe.

Speaker:

Yeah, I'm blanking myself now because Virginia does one for anybody listening,

Speaker:

Virginia does one term governors.

Speaker:

They can run again, but they can't be concurrent.

Speaker:

Exactly.

Speaker:

But there was the last Republican governor.

Speaker:

It, I can't remember who it is.

Speaker:

I'll stop my head.

Speaker:

I'm blanking.

Speaker:

I know.

Speaker:

It's like the word there that his name is on the tip of my tongue.

Speaker:

They, under that administration, they had a secretary of technology

Speaker:

back then that was disbanded.

Speaker:

I think.

Speaker:

Around the time Terry McCall.

Speaker:

Nope, no McAuliffe, I believe had the last one because that was a shoot.

Speaker:

I've actually talked to her.

Speaker:

Karen.

Speaker:

Hey, gotcha.

Speaker:

Yeah, I'm online because I wasn't really, this was before my time, but

Speaker:

they had a sec and they actually, it was Northam that rolled it up underneath

Speaker:

the econ E the economic development.

Speaker:

The secretary administrator, no, secretary of administration, it fell under after that.

Speaker:

And so that, but that was just like, I think it's really important to

Speaker:

have that at the governor's cabinet level to have somebody technology,

Speaker:

not just the operational side but the cybersecurity side and then other things

Speaker:

principles within there to when you were talking about organizational risk.

Speaker:

And sorry.

Speaker:

Apologies.

Speaker:

Being able to remember, but I just know it was Karen Jackson and Jackson was the

Speaker:

last one because I remember talking to her and I don't know about Youngkin, if he's

Speaker:

reinstated it or have left the structure of the same, he is not, the structure

Speaker:

is currently the same as of right now.

Speaker:

And it's funny because the current secretary of administration, as I've

Speaker:

been told is a former CIO of the fed reserve, a specific location or whatever.

Speaker:

So that was cool to hear that.

Speaker:

Okay at least they have a technologist in that role.

Speaker:

I don't know much about the individual, but I'm happy that they're that, that.

Speaker:

There, because that is helping put technology, but that still

Speaker:

doesn't, that's an executive branch.

Speaker:

Again we need to a little bit bigger and we need to have some

Speaker:

form of whether it's a work group advisory group or board or something

Speaker:

that brings all of this together.

Speaker:

And it does include localities because even though the state can't

Speaker:

force localities to do anything, theoretically, I think it's, I think we

Speaker:

all have a we all have a common need.

Speaker:

To stay ahead of this.

Speaker:

No matter what part of the Virginia government you are, and we can even

Speaker:

include some of the, the public sector, universities, state run schools

Speaker:

they, there's a lot of smart people that that I'm, I know I'm tech UVA.

Speaker:

I deal with some of these computer science folks, some of the research

Speaker:

programs and research labs that they have, like they're bleeding edge.

Speaker:

And we can really, honestly, if we unify better, we can really make the

Speaker:

Commonwealth of Virginia stronger.

Speaker:

And then if we do that, maybe other states will follow suit.

Speaker:

If they're not, if there's nobody else out there doing that already, cause

Speaker:

I'm not familiar with every state and how they structure it, but sure.

Speaker:

But I will say it's a little disjointed and that disjointedness

Speaker:

is I always equate this back to the 9/11 Commission report.

Speaker:

What happened.

Speaker:

W what are some of the biggest failures of 9/11 and why it happened?

Speaker:

It was a failure to communicate.

Speaker:

It was a failure to unify.

Speaker:

And if we can't take lessons of something like that catastrophic and

Speaker:

then apply those to to any sort of, forward risk management principles

Speaker:

in cybersecurity or otherwise, right then we're bound to have problems.

Speaker:

And I don't want to see that not just for myself, but my family, friends,

Speaker:

my child, I want to, I want us to be, I want us to be 10 steps ahead

Speaker:

of them, bad guys all the time.

Speaker:

That's my.

Speaker:

And I hope that that we can get to that place by changing our

Speaker:

mindset, be more proactive and not saying well, that's never going to

Speaker:

happen to us and making excuses for why we can't fund these things.

Speaker:

It's really important.

Speaker:

No.

Speaker:

And I'll wrap this up with a saying, I always hear from

Speaker:

the Marine Corps to rub it in.

Speaker:

You don't want to show up, we don't want to show up to a fair fight actually.

Speaker:

That's a, we gotta keep this fight unfair.

Speaker:

Gotta stay ahead.

Speaker:

Yeah.

Speaker:

I really appreciate the time.

Speaker:

If anybody wants to reach out, connect with you.

Speaker:

What's the best place I could hit me up on LinkedIn or, and

Speaker:

send me a message on there.

Speaker:

Sounds good.

Speaker:

Awesome.

Speaker:

Awesome.

Speaker:

Thank you, John.

About the Podcast

The Business Samurai
Skills and Stories to be a Well-Rounded Leader in Business & Technology

About your host

John Barker

20+ years of technology, cybersecurity, and project management experience. Improving business operations to create a culture of better cybersecurity and technology practices. John is the Founder of Barker Management Consulting and the creator of the Business Samurai Program.

MBA, PMP, CISSP