Simply Solving Cyber

Simply Solving Cyber - Chetrice Romero

Aaron Pritz

We’re back with another episode of Simply Solving Cyber! This week, Aaron Pritz and Cody Rivers sat down with the Cybersecurity Program Director at the State of Indiana, Chetrice Romero.

Aaron Pritz:

Welcome back to Simply Solving Cyber. My name is Aaron Pritz. And I'm Cody Rivers. And today we are here with Chetrice Romero. She's the cyber program director for the state of Indiana, and also heads the Indiana Executive Council on Cybersecurity. Thanks.

Chetrice Romero:

Yep. So I'm just tired all the time.

Aaron Pritz:

I bet. Well, so we're excited to hear about both of those things. But before we get started into that, give us your intro into cyber. How did you get into the field? And I think, uh, from chatting a little bit before, non-conventional, you're not an IT techie, so give us your story.

Chetrice Romero:

I'm not, and actually I love that I'm not, because I think that's a consistent, like, theme to a lot of workforce development talks with students, is that cybersecurity people come from a variety of walks of life. So my original two degrees are in journalism, and public relations and communications and liberal arts. So I definitely use my degrees every day. That definitely wasn't like I did a total 180, but yeah, I've always been with the state of Indiana. It's really, honestly, I just got bit by the service bug, and working for private just kind of seems good for other people, but for me, I don't think I'd be as happy with the ability to kind of effect change and help people through government service. So yeah, I did public relations with the Department of Revenue, did crisis communications with Department of Labor and IOSHA, then since I got labor and taxes, um, where like literally my day-to-day job was death and taxes, which was the weirdest thing, I got moved over into the Utility Regulatory Commission, where I actually got more of my start in the cyber realm, from the energy sector and kind of being spooked by, actually, Ukraine attack back in 2016 on their energy grid. So that kind of just really went from zero to a hundred and just had a huge interest in cybersecurity. Worked with our emergency operations center, assisted them with building out our emergency support function over energy. So what that means is when the lights go out and everybody's lights go out, and it starts really making people upset, but also starts putting our safety and health at risk, then Emergency Operations Center for the state of Indiana kind of kicks in and starts to try to coordinate and make sure that people get what they need, especially if it's a long outage. So I did a lot of work on that end. And then, came into, when Holcomb took office, he continued the executive order that established the Indiana Executive Council on Cybersecurity.
And of course, I'm one of those people, I always tell students that I lecture to, if you're gonna say maybe something didn't work as well or how something can work, you always bring solutions. And so that's what I did. Yeah. Not realizing that that was an interview. So they came back and they're like, why don't you just take it? And so I was like, you know what? This seems fun and it seems exciting and seems like an area I could really make a difference in, which, with 250 other people, we really have. So yeah. That's excellent.

Aaron Pritz:

So comms and public relations has a prominent role in cyber now, especially with ransomware. So, I know on the corporate side, having a plan, having rehearsals, having practice was the night and day difference and readiness for how a company reacts to it. Yeah, you've seen it on the government side, but what have you learned on readiness and preparedness with teams? Getting, helping people understand their role and yeah, people are

Chetrice Romero:

active in that. Oh, no, that's a great question. So I think the thing I've learned the most with the readiness component is that people, when you're talking about like energy, for example, or healthcare, they are doing pretty good. They're already pretty regulated, banking. There are already a lot of requirements of them testing these processes out. It's just part of the risk management of just being a utility or a critical infrastructure. But the kind of aspect of risk management that trickles through all industries, I still believe, is quite lacking. And I think it's not for the sake that people don't care about it or they don't think of it. I really do think that it's just not in front of them. And cybersecurity is very different from the other things we hear about prepping for. Right. Like we, we know there's gonna be a snowstorm, so we can always prep for that, right? Yeah. We live in fantastic Indiana, right? So there's gonna be a tornado, or two or 25. So we know these things are gonna happen. Insurances typically require us to make sure that we are following building codes and we're following fire codes and so on, so that we're prepared for those things. So when it comes to cyber, it's just a lot more out of sight, out of mind. Yeah. But I would say that of all those threats, when we do risk assessment, cybersecurity is still the top threat to businesses with the most to gain or most businesses to lose. Yeah. And yet it's still not a priority with preparing for it. So a lot of what the council does is how can we make that simpler for people of all sizes, from all size of businesses, organizations, and not just in critical infrastructures, but on a constant basis. From the beginning, I'm like, is that gonna be helpful for the mom and pop shop selling cupcakes? Because if it's too complicated for them, it's gonna be too complicated for other, even if it's a critical infrastructure. So we really need to always think of let's try to simplify this.
Cuz if we truly understand it, we should be able to simplify it. Yeah. Get the basics

Aaron Pritz:

right. Absolutely. The 101 class, not skip into the 501 class, where exactly. PhD

Chetrice Romero:

track to figure it out, right? Yeah, absolutely. And a lot of people think they hear cyber and they're like it's technical. Yeah. Yeah. Okay. And, but I would totally disagree with that. And, I'm a living example in the sense that we do so much stuff that's not technical. You're looking at 90% of, up to 90% of all cyber attacks for all types of businesses, whether it's an energy grid or a cupcake shop, it comes from human error. So because they didn't update something or they're using password 123 or they're using the same password, and they're not changing it regularly or yeah, they're getting phished, they're clicking that link, right? Yeah, absolutely. So it really is that class 101 that takes care of about 70% of all cyber problems. So that's kind of our mission on the council, is to help people understand that, prepare for the worst, but also just change a little bit of behavior, doing simple things that are not technical. And it will make a difference. So for

Aaron Pritz:

that cupcake shop, how is the word out? How do they know? How do they find the resources that the IECC, IEC, Indiana Council?

Chetrice Romero:

Oh yeah. We're government. We love, I think you gotta have an acronym there. I, yeah. Yep. Absolutely. So we have a great website, something that the state didn't have many years ago, when we started. It's in.gov/cybersecurity. Awesome. Pretty easy. Even if you just throw in Google "Indiana cybersecurity," that'll come up. And it's not like most government websites, so to everybody, you're welcome, cuz I really fought for it not to be like the other ones. It has buttons. Yeah. Are you an individual? Are you a business, are you a government? Do you wanna assess yourself? They wouldn't let me do the "assess yourself before you wreck yourself." Um, something about copyrights or whatever, but

Aaron Pritz:

I'm sure there's an Easter egg. If we look

Chetrice Romero:

close enough to slip down. I'm not gonna say yay or nay, but there may be Easter eggs throughout the website. Definitely in our strategy. So we try to make it as simple as possible. The way I look at it is if I'm trying to get, like you said, a cupcake shop, a friend of mine to do something simple with cyber, how would I want them to do it? I'm not gonna send them to something that's super difficult. And as much as I love and appreciate the work that Federal does in like NIST, which is the standards for cybersecurity, and you can find that with that National Institute standards of technology. When you go there, it is super technical. Yeah. There are literally hundreds of controls. Yeah. And it just hundred and 900. Yes. Yes. And it's just, it's impossible for any normal organization to put the time and effort into learning all that, right? Yeah. Yeah. Like it's just not helpful. So we have things as easy as a scorecard, which just gets you like literally like red, yellow, green. Where are you from a very high level perspective of cyber. Yeah. To get you understanding, maybe I should be looking into this. Maybe I should take this to the CEO. We did the scorecard that the state of Indiana and Purdue worked on very hard to simplify it to like an eighth grade reading level that's operation focused. So it's things like, do you have a cyber incident response plan? We don't need 10 things to talk about it. We just wanna know, do you have one? Yes. No. Yeah. Start there. It's, yeah, exactly. Simple, right? It's like operations, like what am I asking the manager? And not just the IT manager, like the general manager of a store. Yeah. If they don't know, then it's a problem cuz they're the ones running the show, right? So that's a lot of what we aim to do is just simplify the really good work that's out there by super ridiculously smart people. But it just, it misses the mark on getting to the people who really need it most.

Aaron Pritz:

Yeah. We're getting ready in May, which is small business month, to kind of as a give back for our staff to bring a group of three to five small businesses together, to almost be like a cohort to work through over six months. How, teach them to fish, how they do it themselves. But we should definitely start with the resources that are already available. Absolutely. To them as a base and say, hey, have you taken advantage of this yet? Let's not spend your time redoing what has already been created,

Chetrice Romero:

you know? Absolutely. This resource. Yeah. There's a lot of free resources on there in your healthcare. There's a cyber in a box that basically brought a whole bunch of really cool resources that are all over the place into one area. We have the scorecard that I just talked about. We have a template for an incident response plan to start with. We have a business kit that the IEDC, the Economic Development Corporation, put together for small businesses that kind of go through, has simple to understand videos. I'm in agreement with you. Having a cohort and teaching them to fish is such a key thing because, I always tell people like, well, they should have a cybersecurity person. Well, they're just never gonna have it. Yeah. At the end of the day, at the end of the day, the cupcake owner is like, I want somebody else to bake more cakes. Like they're too small to justify that. And understandably, I think it's unreasonable to expect small and medium sized companies that it doesn't quite fit the line, mm-hmm, of that. Mm-hmm. But there's a lot of services and a lot of things out there that can help them get over that without having a full-time person. Right. That an office manager can take on. Or a lot of places like HR does it too, or COO. So I think that that's what we try to do is just simplify it and make it easy to understand chunks. And I also believe that it isn't a black and white all or nothing kind of thing when it came to cybersecurity. I would say back in the day it made it seem like if you don't do it, you're sucking. And if you do, you're awesome, but you have to do all of it. Yeah. There's a lot of fear mongering at this. It is so much. And I'm like, you know what? If an owner of a business says, hey, if you're not sure about the email, I want you to just not click it, just come talk to me first, that is significantly more powerful than any fear mongering. Right. Okay. Totally.
So I think that there's just different ways that we can approach this and I think, just empowering small businesses instead of telling them what they're missing and what they need. Yeah. Or if they want cyber insurance, we have a cyber insurance toolkit. That's awesome. To help them understand like that process and the questions they're gonna get asked so they can just see is it worth even going through the process and then getting denied at the end. Like, who wants that?

Cody Rivers:

Well, what I love is you keep saying the words process and people, which are two things that we lean heavily on here, and we just had an attorney on here, but she is in healthcare and she said a lot of things she deals with on the incident response in the breach side is that this overconfidence or abundance sometimes of tools and that, well, I've got a lot of tools, I'm safe, I'm great. And then you look and see okay, well I had the lock on the door, I had the chain, I had the dog ready to go, but someone knocked and I opened up everything and let 'em right in. Mm-hmm. So tying it to a fish, it's like, it's great the tools, but if people don't know what they're doing exactly or they're training education, they're the, a much better defense to have first and the process it so, again, I like this. It's not rehearsed now, this is just organic, but everything you're saying is what we believe in heavily and try to push a lot.

Chetrice Romero:

Yeah, and I use the door lock all the time. Maybe they're a medium sized business. They do have an IT division. Right? Sure. Maybe not to the scope of a security person, but, mm-hmm, they have somebody who's, that's their job. And I always say, it's like when you go into business and into a division and the maintenance person gives him the key to the door of the business. Yeah. Whose job is it to keep that door open and closed? It's not the maintenance guy. He's enabling that, right? Yep. He's providing the resources for it, which is what IT does. Mm-hmm. But at the end of the day, the management has to make sure that they know and that their employees know to keep the door locked. Right? Right. Yep. So cybersecurity is just like that. You know, IT people, they enable and they're supporters of divisions, but they are most certainly in no way in charge of doing all cyber for an organization. It's absolutely something that everybody's in charge of. Yeah. And I think the more that we like shift that culture in organizations, the more that people will take it on as a, hey, let me think about this for two seconds, and how significantly effective that can be is powerful. Yeah.

Aaron Pritz:

You mentioned to me earlier that the Indiana Executive Council on cyber is not made up of all technical and IT people, so, right, how have you used your comms and PR background to help educate to the point you just made on it doesn't have to be all technical, like how are you opening up minds? And obviously some of it's with the toolkits that you're providing, right. But even in that forum of 250 people that are part of

Chetrice Romero:

it. Yeah, I know. It's a crazy amount of people. People are like, I think it's the largest government council from my understanding in like the. Date, and I wasn't trying to like beat anybody's records, so I'm sorry about the second, and that has the largest, I wasn't trying to beat you, but I felt like if we were going to truly approach the people and organizational issue, we needed to have representation from the experts in those fields. For example, we're talking about cyber insurance. I have a legal and insurance committee. Well, I don't have IT people, now, people that I have, legal people who work with IT people in the cyber insurance world, who litigate on issues on cyber, but so they have awareness of it, but really they're like, their day-to-day is the insurance, or to your point, the response. Right? Yeah. Having an IT person, like I always say, you don't go to your CIO and write the press release, right? You have a communications person do that because talk to the IT person and then they are the ones that know how to communicate something to vast amount of people. Mm-hmm. Because sometimes IT people are not the best communicators. And that's okay. Cuz that is not, I've never heard that before. That is not the, I know, I know. It's a surprise to me too. So I felt like the way I established the council was that we needed the, not just the breadth of expertise. Mm-hmm. But we needed the depth within those areas, whether it was response, recovery, risk management, and so those areas. And then within the industries, I as a state person should not be at all dictating what finance should be doing or energy should be doing. Yeah. It should be that sector and the leaders in that sector that are saying these are the things we need. Mm-hmm. Um, these are resources would be useful cuz they are the experts in their field. So I really rely on empowering all the council members and they're all also not just central Indiana.
They are all from all over the states, some national to represent it because I wanted the diversity of our regions. Yeah. Our regions work differently sometimes, but they bring so much to the table. And then we also have diversity of sizes, so I didn't want a large energy company leading the energy thing. Well that's great, but how about the small energy company that really is struggling with this or the medium size? So throwing a lot of diversity and everybody's welcome to the party makes it a really fun thing to manage because it's just me, doing the whole thing, with a communications manager who takes care of the website and probably helps keep me sane along with my husband. But I think it's really the passion of everybody on the council. That's my favorite thing on there. Does

Aaron Pritz:

everyone, that's a big group, does everyone ever get together physically or. Yeah.

Chetrice Romero:

Once Covid, yeah. Yeah. We actually, we were very excited when we got back from Covid, because you heard the stories of these councils and commissions that, they came back and people just reprioritized. Right. So, yeah. They reprioritized. So I'm like, oh my gosh, no one's gonna come. They're all gonna be like, okay, we're still dealing with Covid. I don't have time for this. And we had, almost every day, like it was a huge full house. It was standing room. It was awesome. So it just shows to the importance of this for people even, I think even more so after Covid. Yeah. Because I think we just really realized how much connected, more connected, right? Everybody started working from home. Yeah. Everybody was using Teams. Right? I don't think I ever used Teams before Covid. Um, so I think that also made the cybersecurity a bit more of a priority for the state. And we have a lot of agencies doing really great work. We have our office technology who's doing a lot of good work in local government. Our Homeland Security is providing a lot of great resources to emergency managers throughout the state. We have some great agencies involved. And then of course the governor's office and Lieutenant Governor's office has been very supportive from that perspective. But we have Secretary of State's office involved and the Attorney General's office involved, and I love that, Treasurer's office. I love that it's mixed, and it's not just one politician, it's really the leadership of the state coming together saying, all right, despite everything else might be going on in the news, yeah, we're gonna come together on this one thing cuz we can all agree we need to do better in this area, which I get to have the pleasure of leading. So yeah, that's really

Aaron Pritz:

cool. What is, on the forefront of the committee's priorities? What are you guys working on now? What's coming out

Chetrice Romero:

next? Yeah, I mean, I think we're really to the point of we built a foundation. Yep. Of having the website, in.gov/cybersecurity. But really I think it's just getting the word out about the tools is kind of the biggest thing right now. Yeah. It was the number one thing when we talked to our council. We do pull them all together quarterly. Number one thing that was brought up was we need to be better about the awareness of these tools and what we're doing at the state. Yep. From like the local government side with office technology, which they're doing a great job of getting the word out. But I think for me personally, it's really about getting to those mom and pop shops. Yeah. Because we have so much now to give, you know, a few years ago I've been like, no, don't look over here. We're not ready. But I think now we're at a point where like, how can we make sure this is getting out to the right people? Because it's scary. I mean, businesses go out of business because of ransomware attacks. Yeah. Right. I mean, it's unnecessary stress when there's things we can do to prevent it. Yeah. And so I just wanna help that everyday person that like, isn't there. And then there's also information in there for individuals. So I think, people just, we're in an age, a very different age of technology and privacy, and so how do we respond to that as just individuals and humans, right? Yeah. So I like to kind of focus on that as the leader of this, instead of just saying, well, everybody should just be doing this and this is how we should do it all. And I'm like, well, but humans are different and they come from different backgrounds. So how can we communicate it to them? Yeah. So that they're successful with it. So,

Cody Rivers:

And the how is often the big question, right? I know I need this, right? I think that with the fearmongering, people know there's a need for it. It's like, but how do I go about it? How's the most efficient way? Cause it costs money and yeah, it costs money to go down the wrong hallway. And so the finding those areas too. But I like how you said too, the small business mom and pop shops, because as you know, the larger companies, finance, healthcare, they're regulated. They know they're good about these things here. They're, but what you're finding out is the bad actors know that too. So, oh, right. What happens is third party risk, supplier chain, you know, a risk, another sale. I can go to a smaller one because I know they're a pivot point into a larger one. So you're seeing now from a vendor management program, they're saying, hey, look, we're going to require you to have these things be compliant because you are a back door into our system. And so I like that. Yes. These small companies, and we have kind of a budding practice now with some of these smaller firms. And we have a local healthcare SaaS firm that came to us from a standpoint of their larger firms will come to them saying, we need you to be this compliant with these different pieces here. And so we've helped them identify the most efficient path to get that, mm-hmm, taken care of. Cause they're like, we don't know where to start. Yeah.

Chetrice Romero:

And the bad actors are they, there's a business in this. I mean, they have call centers, they ransomware organizations and they're like, hey, here's three references so that you can check to make sure that they did pay and they got it back. Yes. It is a true business model. So like any other business, they're doing exactly what we all do, right? Yeah. Like they go by best practices, which to your point is like, why would I go spend all my time and effort into a fortress like Chase Bank, where I could just go into these small banks? Bam. That's that I, we know for a fact that they're not putting money into cyber training, or they're not putting money into making sure and emphasizing with all their employees to lock those doors and stuff. Right. You're absolutely right. And they get those small ones with just a click. You know, the effort to get them is so much smaller from that perspective. I would say a good way to start for anybody out there though, is go to the website. I would even say if you're like, I don't even know where to start on the website, go and subscribe to the blog. We have a very easygoing blog. But yeah, I mean, we do things on there that makes it relative to cyber, right? So like it's National Chocolate Day. Well, how do you relate cyber to that? Well, in true story, like I got a call at 7:30 in the morning from American Express saying, hey, are you trying to buy like hundreds of dollars of chocolate at this place we've never seen you at? And I'm like, nope. But, so like the blog's about, hey, it can happen to me, it can happen to you, but make sure you have these things in place to protect yourself. Yeah. Right. In your family and your finances or take a picture. Well, we just had National Pet Day, right? So we've done things on that where it's hey, take a picture of your pet. Yeah. We're not saying not to do it, but don't do it on top of a bunch of documents. It has passwords on it. So again, people don't like maliciously do it.
Yeah. They just don't connect those dots and you're like, oh. And you just doing that. You just removing the paper that has confidential information on it. Yeah. And take the commissioner, the pet has made you more secure. Yes. So that's kind of the point where it's like small moves, big impact. Yeah. Is what we're kind of going for.

Cody Rivers:

I like too how like you correlate some of the training to like the real world. And one thing we see with some clients, and we do a lot of awareness program building, but we've seen, with the evolution of training, it's out there now. It's more than it used to be. Mm-hmm. But it's trying to tie those themes together and put them in order and correlate it to real world action. So, and the programs we're building with, to your point, it's like, why'd I get this training, makes sense and I read it, but how does it affect me in the business, in my department? Exactly. At home with grandma, with the kids. And so trying to get that same training, and then apply it and correlate it to real life action, I think is helps to stick

Chetrice Romero:

a little more. It does. I agree. I mean, people paying attention to having a baby and getting a baby monitor, you're like, so we have a blog on that. We're like, hey, that's great. And look, I loved watching my baby. Like it felt weird after a while, right? Like I would just sit there and watch him breathe. But like at the same time, I'm like, make sure you change your password. Don't use the default password. Oh yeah, I didn't realize, yeah, I should need to change that. But then you're at work and you're putting in a smart thermometer. Make sure you change your default password. Boom. You know the big Target hack that happened so many years ago that they got crucified for, right? Yeah. It didn't happen because of a Target employee. It happened through HVAC. Yeah. So people don't realize, like the worst ones that we've seen was something simple like, mm-hmm, making sure things weren't connected right. And so that's what we're looking for is just that huge impact on those situations. Yeah.

Cody Rivers:

We do a lot of threat intel things for some healthcare clients. Yeah. And we do a brief on each meeting and we show, hey, this is the recent ones in the area relative to you and size. Exactly. And the point of entry is for most part it's associate left email wasn't generated. Exactly. We found a phish, old web server. So the points of entry are oftentimes ones that like process procedures, mm-hmm, and training can cover. So you're seeing a massive reduction in your thing earlier that the tools are great. But the people in the process are gonna empower the tool and determine

Chetrice Romero:

exactly the success of that tool. Yeah. I always tell people, you can have the best tech in the world. If you don't train your people, you're still gonna get hacked. Yeah. It's just, that's what's gonna happen. They're counting on that, that you're not focusing on the people. And that's what bad actors are counting on. So if I own

Aaron Pritz:

a cupcake shop and I'm going on to in.gov/cybersecurity. Mm-hmm. Aaron's cupcakes. Um, and is anybody else getting

Chetrice Romero:

hungry? I don't. Now I want cupcakes. I always say that, and then at the end of it I'm like, I need a cupcake now.

Aaron Pritz:

Yeah. So would the scorecard be a good place to start? To evaluate, okay, what do I have, what do I not have? What is my IT outsource provider telling me is good enough versus what, absolutely, for a business my size I should

Chetrice Romero:

be thinking about. Yeah, I think the scorecard is a perfect step for that. Again, super simple, very basic. I've been giving that to small organizations, small departments, a local government, not even just the IT person, and it fits, it talks through the key, basically top 20 controls of what best practices are. So I think that's always a good start. And it gives you a color reading, right? Add up your points and see where you're at. And if you're in red, you should probably talk to somebody about it. Right. I love that. Do a deeper assessment. Is it like the icing

Aaron Pritz:

on the cake?

Chetrice Romero:

Jesus Sprinkles.

Cody Rivers:

I love assess yourself before

Chetrice Romero:

you wreck yourself. I know, right? I really wish I could be that on the website. Slow. I've missed opportunity. I know. That is great. But at least everybody who goes there will think that when they're looking for the assessor stuff. By, there you go. Yeah, right on the top page. Awesome. Good.

Aaron Pritz:

Well, thanks for joining the show. It's great to have you on and learn more about what you're doing for the state and how you've leveraged your background in comms and PR to really use those core skill sets to advocate to others. And super excited to go out and check. I think I've seen some of the items, but I know I learned even in this talk several things that I didn't even know that you guys had done. So I'm excited to go check it out and potentially use it for our cohort of small businesses.

Chetrice Romero:

Yeah. I'm more than happy to come visit them too. I would

Aaron Pritz:

love to. Speaker will sign you up.

Chetrice Romero:

Awesome. Yeah, I know I say yes to everything. Good to

Aaron Pritz:

know. All right, well thanks so much for your time and, have a great rest of the day. Awesome. Thank you guys. Thanks Chetrice. Bye.-
