Amanda Crawford: If you use a computer or the internet, you have a role to play in keeping our state safe. If you're a developer, it means that security needs to be injected throughout the development process. If you're a network manager, the tools need to be tuned to be able to respond to those threats. So, role by role, each of us really need to consider how we are part of the team.
Speaker 2: Hello and welcome to Security Visionaries. Most people learn about the importance of security in their college years. However, industry leaders like Amanda Crawford believe that it should start as early as elementary school, since younger generations are more digital native than ever. Amanda is the Chief Information Officer at the Texas Department of Information Resources, where her team partners with the PTA to provide best practices and tips on cybersecurity. Her team also provides technology leadership, solutions and innovation to all levels of Texas government.
Speaker 3: The Security Visionaries podcast is powered by the team at Netskope. At Netskope, we are redefining cloud, data, and network security with a platform that provides optimized access and zero-trust security for people, devices, and data anywhere they go. To learn more about how Netskope helps customers be ready for anything on their sassy journey, visit netskope.com.
Speaker 2: Please enjoy this interview between Amanda Crawford and your host, Mike Anderson. Mike Anderson: Welcome to today's episode of Security Visionaries. I'm your host, Mike Anderson. I'm our Chief Digital and Information Officer here at Netskope. Today, I'm excited to have Amanda Crawford. She is our CIO for the State of Texas joining me today. Welcome this morning to our podcast. So, tell the audience a little bit about yourself, your role with the state of Texas.
Amanda Crawford: Hi, Mike. Thanks. I'm glad to be here. I have the privilege of serving as the Executive Director of the Texas Department of Information Resources, as well as the State of Texas Chief Information Officer. I have been in this role, gosh, I'm losing a little bit of track and especially with the years from the pandemic that all seemed to be kind of a weird time stop. It'll be four years, I believe, in February. And with the CIO role for a little bit less time, I originally came and joined the agency as Executive Director. And then when the prior CIO retired, the board asked me to assume this role as well. And so, it's been certainly an exciting time to be in this role and it's one that I really enjoy.
Texas is a highly federated model. We joke in the state technology community that if you've seen one state, you've seen one state. Every state is set up a little bit differently. So, here with the role for my agency for DIR, as we call it for short, is we're really here to set the state's technology strategy, provide security, and then offers solutions for all levels of Texas government. So, we support customers at the state level, at the local level, and we actually can provide solutions for other states as well. We're very busy, as you can imagine.
Mike Anderson: I am very thankful for all the work you do because as you know, I'm a fellow Texan as well, so I benefit from all the great work you're doing and I really appreciate you securing all of our information for all of our people in the state of Texas. So, that's also extremely important. It's interesting because when you and I met, we were recording a webinar for the National Association of State CIOs, NASCIO, and we got on the security topic and you said, you used the phrase, "Security is a team sport." So, the theme for this season of our podcast is security is a team sport. I would love to hear your perspective on just as a CIO, your approach, your feelings around why is security so important, and where does that rank in your prioritization and where you focus?
Amanda Crawford: Well, I think it's priority on everything. It has to be number one, maybe second only, and I don't even know, I think they'd share the number one spot with connectivity. One of the things that we are charged with doing here is providing these solutions for Texans and for the government that serves them. And we can come up with the latest innovative tools with the new service delivery models, but if Texans can't connect to those services and if they aren't secure, then none of it really matters. So that phrase that cybersecurity is a team sport, I use it a lot because it does seem to resonate with folks and it's something that people seem to be able to latch onto and understand.
As you know in your role, Mike, and what Netskope does is that it really takes all of us working together on this in order to be able to accomplish true security. And so if you use a computer or the internet, you have a role to play in keeping our state safe. If you're a developer, it means that security needs to be injected throughout the development process. If you're a network manager, the tools need to be tuned to be able to respond to those threats. So role by role, each of us really need to consider how we are part of the team.
Mike Anderson: That's great. You mentioned before a federated model around for the state of Texas. How do you align from a security prioritization standpoint across all the federated groups? How does that kind of play into that whole team sport concept?
Amanda Crawford: I would say as far as the team sport concept goes with security, particularly around policy, our charge from state leadership and by statute is to set the security policies for state agencies and higher ed. And so we set those policies and standards, so I guess it's the playbook, the coach that would put out there as far as taking that team support analogy as far as it goes. And then when it comes to the local governments, what we do there is put out best practices and we do a lot of conferences and education and provide other resources. So while we may not have the statutory charge to set those security standards for the local governments still putting out playbooks, best practices and focusing on that whole of state approach to help bring everybody in together and make that ecosystem healthier from a security standpoint. That's what we do.
I'll say a lot of the things that because of that federated model, we work a lot through collaboration, influence, relationship building because we don't have that stick approach to folks who don't comply. It's really a matter of explaining to people why security is important, why having these standards and practices are important and doing that education piece in order to bring people along and increase that security posture for the state.
Mike Anderson: That's great. If you want to get people to comply, I just started just reading the book, This Is How They Say The World Ends. And so if you want anyone to comply, just have them read that book and then they'll have no problem getting them to comply into security. I have not slept well in the last couple weeks as I started reading that book.
Amanda Crawford: I was going to say it is on my list, but for the reasons you've listed, I've been a little bit hesitant to dive in.
Mike Anderson: Yeah, it's definitely eye opening. So if we talk about our journey to CIO or journey and technology, I started out as a software developer, so I've always geeked out on writing code and writing applications. When you look at your career and you look at technology, what's that one area in technology that's the part that I really love? All the other stuff's really cool and it's important, but what's that technology thing that you really kind of latch onto?
Amanda Crawford: Well for me, and maybe it comes from my prior experience before this role, but it's the people behind the technology. I mean, because to me one of the things I like to say is that we maybe a technology agency but we're powered by humans. And we can't do what we do without the people behind it, so to me it's fascinating in this world of technology and here in public sector the different personalities, the different folks who come together who are drawn to this mission and the ways that we can collaborate and work together to accomplish it. There are always challenges in technology. I think public sector has a unique set of challenges. And so to me, we cannot do that without the people behind it because they're the ones that drive the initiatives, do the outreach, increase adoption. And I think that there's fantastic teams here in Texas that are working on those efforts.
Mike Anderson: That's great. Yeah, I've always been a big advocate of we're all people first. I always tell my leaders, your role as a leader is to light a fire in people not under them. So how do you inspire people to accomplish great things? So yeah, the people side is definitely great. If you look at the state of Texas today, every everyone is adopting cloud. And for many people cloud can mean software as a service, it can mean public cloud environments. Tell me more about the state of Texas. What's the adoption of cloud look like within the state of Texas and what does that look like going forward the next two or three years?
Amanda Crawford: I'd like to say that maybe in public sector we are a little bit ahead of the curve as far as adopting policies and laws that help get us on that cloud journey, get us started along. And staying with that for just a little bit, going back to the differences throughout the states, one of the things that I feel very fortunate that we have here in Texas is that we have very strong support from state leadership and we have the statutory framework to enable us to be able to do the things that we need to do and drive those IT priorities.
One of those was Texas had a consider cloud first policy in place for a while and certainly well before the beginning of the pandemic. As we all know and it's probably been talked into the ground, the concept of the cloud adoption and digital transformation and modernization being accelerated by the pandemic, and so we really saw the adoption of cloud move forward even more during those times when we had to be able to scale quickly and adapt quickly to be able to serve Texans in a new manner. The other thing, certainly as far as cloud, we're seeing increased adoption. We're seeing the numbers rise as far as different applications moving into the cloud. We still have a long way to go with the roadmap to make sure that these are applications that are appropriate for the cloud and adaptable, but it's a solid progression.
Mike Anderson: That's great. It's interesting, when we were in Washington recording the webinar last time and we were talking with some of the other state CIOs, we talked about the data you have to exchange in environments. Each federated group kind of has their data island that they want to connect into other islands within the organization. And then when you do that, security becomes a big player and how do I secure the transmission of that data between organizations? So talk to me a little bit about how do you build security into that interaction between all those different federated groups within the state?
Amanda Crawford: So, that is a challenge. I would say that part of it is being able to ... That also assumes that those different data silos do talk to each other and are able to share as opposed to just being silos of excellence, but we're working towards that. And again, going back to the pandemic and the response that we had to do with the health agencies in particular and how quickly they had to change their model to be able to really pull all that data together, to have clean data that could really help drive the decision making for state leadership, that was so important.
One thing though when going to the security piece that our legislature recognized was as we see so many agencies and we see that cloud adoption going forward, what are we going to do to make sure that those transitions and movements into the cloud are secure? So the last legislative session, our legislature passed a bill that created the Texas Risk Authorization and Management Program, or TX-RAMP, that requires state agencies and institutions of higher education, all their cloud products and services have to be certified, whether it's through FedRAMP, StateRAMP or TX-RAMP. Those cloud computing products and services have to be certified to meet the same standards that our state agencies are required to meet to ensure that Texan's data is protected when they're utilizing these services. So again, that's driving that security first posture, talking about let's talk about cloud adoption but let's make sure we're doing it in a smart manner and a secure manner.
Mike Anderson: Well, definitely sounds like you're embedding security by design into your processes. As we've gone through that acceleration the last couple of years, how has that changed your team? How do you get that security mindset embedded in all of the people on the team? What have you done in the state to help build that security mindset within the state and really accelerate security by design?
Amanda Crawford: So I think that in coming back to the team sport analogy, it really has to come from the top as well. It has to be something that is prioritized by leadership and folks outside of technology and not just by the people who are dealing with this day after day. So it's something that is a priority for our state through the legislature, spoken through the initiatives that they've passed. For our governor, cybersecurity has been a priority of his for a long time. And it is always in both the governor's budget and his initiatives. We've had cybersecurity as something that he wants to have prioritized to make sure that we're keeping that data for Texans secure.
The other thing I think that's really important is having a statewide security program. I think that in public sector the value of having a statewide position and a statewide program for, we have the statewide Chief Information Security Officer, Nancy Rainosek, who works here at DIR. And we have a state data program with the state's chief data officer, Ed Kelly, who also works here at DIR.
And what we've seen with those statewide initiatives that are driving on policy and education and outreach and relationship, we've seen those efforts really bear fruit because part of it is not just the technical aspect but it's the education piece and talking about the importance of that. We've really made a concerted effort to pull in the business leaders and not just the technologists at the agency to make sure they understand why security is important. We all can talk about it, but the financial risks, there's political risks, there's reputational risks, and then there's just the risks to Texans for that disruption in services, the loss of data, that are huge and security is a message that really resonates with appropriators and with business leaders. I think they're getting it and they understand why this is something that needs to be prioritized.
Mike Anderson: Well again, just once you get a chance to read this, This Is How They Say The World Ends, just send them all a copy of that book. Anytime you are trying to get budget for cybersecurity initiatives, just send them that book and I promise you it'll work.
Amanda Crawford: Okay, got it.
Mike Anderson: I'm curious, so you mentioned CISO, a lot of organizations like at Netskope, our CISO is a peer of mine, we work very closely together. Some organizations, the CISO is a direct report to the CIO. How's set up within the state of Texas?
Amanda Crawford: So here in our agency, the state CISO reports directly to me. Because we have responsibility not only for the policy strategy incident response aspect to statewide incidents and that's through the state CISO office, but we also have operational responsibility for security through our operations side of things. So we have a cyber operations team that is in charge of protecting the state network. We're the internet service provider for state agencies and we block and defend and do all the things that you might think that we would and should do on those state networks. So those positions report up through me.
But each agency, again in the federated model, some of it's a little bit different. In some agencies you have the CISO who reports directly to the CIO. And others you have the CISO who reports maybe on an administrative side or they're reporting up through a risk role. Different agencies do things a little bit differently. I tend to get myself in hot water when I opine on what the best structure is. I think at the end of the day that the imperative is that the CISO and CIO have to work together. They have to understand the importance of both of their roles and they have to have access to ultimately the business leaders of the agency in order to be effective.
Mike Anderson: Yeah, absolutely. That team sport concept, that's a key one. Someone told me, another one of our peers said, when my CISO sneezes I get sick. And so that's how connected they are.
Amanda Crawford: I love that, yeah.
Mike Anderson: It's interesting too, you mentioned network and that's one of the ones we see is there tends to be disconnects. If you look at in sometimes the infrastructure teams, the network teams are the ones that are responsible a lot of times for putting fingers on keyboards and implementing a lot of the security tools that are bought by organizations, states and so forth. How have you driven that alignment to make sure that the teams that support and run the network and the security team are working tightly together and have the same prioritization?
Amanda Crawford: Yeah, it definitely is something that can be a challenge. Our teams do a lot together and rely on each other very much. So one of the things, for example, if there is an incident with a government agency at any level, whether it's a city or county, even if it's something that say our network security team doesn't have operational responsibility for, we'll loop them into the discussion. One, so that they see how the other side of the agency is responding to the event. But two, we know that they have information that they can share. They have ideas on how to respond to the threat, how to handle it, what is it exactly, and then vice versa.
So even though depending on the nature of the incident and who's involved, somebody else may have the lead on it. We pull all those teams in because again, we feel like everybody is better together and grows stronger to make sure that we're aligned with those priorities. And I think part of that comes from having clear plans, policies and procedures, a good racy chart, and also doing tabletop exercises so that everybody knows what to do when events happen, who's in charge, what everybody's roles are. Doesn't mean it's always going to be perfect, but we all know that there's just no substitute for actually practicing on an incident.
And the other thing is the state CISO's team partners with our network team and our cyber operations team when they start talking about what tools are we going to use. As we increase our tool set capacity to accommodate the growth, particularly during the pandemic, we wanted to make sure that we had input from everybody to make sure we were pulling in the right tool sets to be able to respond to that increased growth in our network capacity.
Mike Anderson: No, that's great. That alignment is so important. I always tell people if it's priority one for one team and it's priority three for the other, there's always going to be friction. So you have to get those priorities aligned. That's the key there.
Amanda Crawford: Right. And again, there may be disagreements, but that's okay. I think we grow is from having those conversations and being open to hear from all sides on how we should best tackle these issues.
Mike Anderson: No, absolutely. Another one of our fellow peers here in the state of Texas, Kim Mackenroth, she told me about a campaign she ran inside. She's the CIO for Textron, if you haven't had chance to meet her, she's an amazing, amazing human. She ran a campaign with her CISO called Human Firewall where for people that displayed the right behaviors that did their security awareness, they didn't fall preyed all the simulated phishing attacks, they got t-shirts and hats and they got a personal letter from the CISO. It was so exciting that I saw our CISO here at Netskope did the same thing. Are there any kind of campaigns or things like that that you do to try to build that security mindset, like make your team or people in the state human firewalls?
Amanda Crawford: Right, okay. First off, I love that phrase and it was first time I had heard it is when you and I were speaking on that panel together and I adopted it as well. I think I've said it a couple times at various legislative hearings in the interim since then talking about security. And it is great because it resonates and people understand that. So thank you for sharing that because I think it's fantastic.
So we obviously internally have different security campaigns. Of course in Texas, we have all public employees by statute at all levels of government are required to do a mandatory security training every year and that training has to be certified by our agency. So that's an important thing I think obviously in having that training. But then going beyond and doing phishing exercises and things like that to encourage those.
One thing we have in Texas that's also a statutory creation is a Cyberstar Program. And with the Cyberstar Program, that enables both the public sector and the private sector entities to apply to be a Cyberstar when they've met certain security standards to show that security is a priority for them and that this is something that is important for them. And so I think having that recognition that you are a Cyberstar can certainly help to promote that strengthening the whole ecosystem. It's always easier to trick a human than a computer and that's one reason why we always try to emphasize that with our legislature. Is that please, we know that we need funding for tools and I'm never going to say it's enough. I'm never going to say, "No please, no more money, there's nothing more we can do." Because we know that there's always something that we need to be doing. But we've got to be able to do the education and the outreach piece as well.
Mike Anderson: Yeah, it's important especially as we think about cybersecurity awareness month and we think about how do we get that training into the school systems and the kids. I mean I actually segment my network at home and I have my kids' devices connected to the guest network because they're always bringing a device in and just connecting it to the wifi and it's like, no, I don't want to compromise. I don't know where that device came from.
It would be interesting, I'd love to see you talk about private and public partnership. It would be great to see how we could activate CIOs, state of Texas and beyond honestly, but how do we go work together in security awareness to educate the current generations, the future generations and just get that just built into our mindset from an early age.
Amanda Crawford: I couldn't agree more. And I think certainly cybersecurity awareness month is a great time for all of us in the community, private and in public, to come together and promote that. Would love to visit with you all in different ways that we could do that and with others in the industry, because I think that that's a great opportunity. The other thing is it's fantastic to see so many junior colleges and colleges now focusing on security, providing those avenues to train up that future workforce that we so desperately need in this area. I know it's probably going to be controversial to say that I saw it on TikTok, but there's a video on TikTok of a young man who just graduated from Western Governor's University, talks about the low cost of his education and cybersecurity. And before he even graduated, he was offered a six figure job and he was promoting up the value of that education and putting it out there. So hopefully other kids who are on TikTok will go and do that and then maybe delete their accounts.
I would love to see, I think to your point as you were talking about as well, we need to start earlier than that. I mean, we have to start at an early age because all these kids are digital natives and they need to know from an early age. So let's talk about elementary school, middle school. I was very proud to have our agency partner with the Texas PTA and we put out a video on cybersecurity where it was best practices and tips for parents and for kids and partnered with PTA. And it's my understanding that that's shown that at PTAs throughout the state. So I think that's just one way, again, that we can start early and get that security mindset in place.
Mike Anderson: And maybe we just need to break it up and assign schools to every IT security leader to go speak at a school. And we do some kind of social media campaign with a hashtag and video yourself at the school and talk about the human firewall and maybe you can register to get a human firewall or something. Make it fun. Human psychology.
Amanda Crawford: I love it.
Mike Anderson: Yeah.
Amanda Crawford: Yeah, I love it. Yeah, that's a great idea.
Mike Anderson: Let's do it. Internally here at Netskope, I talk about creating digital citizenship. Cybersecurity is a key component to that, but it's also we want people to not buy things they shouldn't buy. We want people to use the tools we already have and not bring new things in. Ideally we just want people to always do the right thing when they're dealing with technology. What are some techniques or practices or things you've done to create digital citizenship within your organization and even across the federated model? Amanda Crawford: So of course as I mentioned earlier, there's the Cyberstar Certificate for private and public. Going back to that security training that's mandatory for all public employees, is we make sure that that has to stay fresh and has to stay current. So one of the things that we do because we certify the programs here at DIR, the training programs, and so we're assessing what those threats are and adjusting the mandatory training products or topics. So for example, in 2021, spear phishing was added as a new training topic because we were seeing an increase of that in the threats that were coming in there. And we also developed a training video that was free of charge so that it didn't have to be a paid training. So if you had a school district that just didn't have the budget to be able to do it, they could use that video and it's available in both English and Spanish. So that's really, again, looking back at that whole estate approach on how to increase that digital citizenship.
But you're right, as far as it's not just about security, it's about all of the things that can happen. And so we do partner with other agencies here in the state, the attorney general's office working a lot on the consumer protection issues and identity fraud and things like that that come around. I think this is something where all the agencies, we might have a little bit of a piece of that puzzle on how to make everybody just smarter in that space and more aware of what can happen. I will tell you, I think that that's some way that as a state we could probably work together a little bit more on, a more cohesive and coordinated message around those to make sure that we're getting that message out to Texans.
Mike Anderson: No, that's great. All right, I'm going to pivot a little bit now. We're going to use our crystal balls that we've got and predict the future. So two parts to the question. If you look forward to say 2025, just a few years out, what are the things that you feel like as IT and security leaders, the CIOs, that we wish we would've invested in? And then if you then fast forward that another five years to the end of this decade to 2030, what do you think that answer would be? What are the things we wish we would've spent more time on? And it can be security, it can be anything. What's the crystal ball tell you?
Amanda Crawford: Sure. So for me, the crystal ball is going to go back to people and I think investing more in teams, investing more in not just recruitment but retention, in team development and training in all of those things, I think that that has to be prioritized. I guess related to that, I think that from a security standpoint, I think CIOs are going to wish that they invested better in their security related communications within their organizations. When the right folks are having the right conversations and leveraging tools about security risk as a normal practice, as we're normalizing it and it's starting at the beginning in the ideation phase of a project all the way to the end, everything, it just becomes easier. And it's actually including then the individuals that actually own the different pieces of that risk, of that security risk in the conversation. It's hard to predict what that evolving threat landscape and what the threat actor capabilities are going to be, but obviously investing in those tools to detect and prevent attacks seems like it has to be a priority no matter what. Staying on top of it, staying connected with that evolution in the community.
And it all can just pay off, because we know costs certainly do increase as we are investing more in this. But when you look at the total cost of responding to an incident that are directly correlated with the length of time between intrusion and detection and response, investing in those preemptive security functions, including training and education and including that human firewall and formalizing building security into something at all levels, including in the procurement process, I think that pays dividends. So, that's my crystal ball there.
Mike Anderson: That's a good crystal ball. I go to number of CIO events and the big topics are all around how's artificial intelligence and machine learning going to play? I mean so much potential there because we've all learned now that I like to talk to a bot. But I like to self-serve versus get on the phone, so that presents lots of opportunities there for us, but it's also the security of that. Because I think about as we get into machine learning and AI, one of the things that I've thought about is today we're training the machine, but what happens if people start feeding bad data into the machine and how does that impact decisions that are made? To me, that's like what does that threat landscape get into? So that'll be an interesting one to watch as well.
Amanda Crawford: Yeah, we have to make sure that as the machines are getting smarter we are too. Right?
Mike Anderson: Absolutely. We don't want to end up, was it Wally where they had all of humans that were just kind of being march around by robots? Yeah, we don't want that.
Amanda Crawford: Yes. Wally.
Mike Anderson: So you brought up people and one of the things we have such a talent gap, especially in cyber, I think the last number I heard was when I was at RSA was we have a million job openings in cybersecurity just in the U.S. alone. And diversity I feel like is such an important part of that. What do you think some of the things that we can do as leaders to get more diversity? And diversity, it can be gender diversity, it can be ethnic diversity, it can be neurodiversity. What are some things you think we can do to really help get that cemented in and also create the pathways for people to get to realize they can become a CIO or leader in the future as well?
Amanda Crawford: Right. I think it is so important, the diversity question and challenge. And I think particularly in security, when we're going back again to the concept of human firewall and the things that we have to, when we see that the attacks that are coming in, depending perhaps on your socioeconomic level, level of education, where you're raised, your culture, you may fall prey to different tactics that others may not. And so depending on that, age is a factor in that as well. Having a diverse workforce that understands the triggers for the different groups, that helps to again strengthen the tools, the education, the outreach, the things that we can do to prevent. So it is so critical. It really strengthens the work environment and we get that diversity of thought, which again I think makes us so much stronger. So I think we got to start early, like we talked about. We have to develop interest and talent.
CyberStart America is a great program. It's a free security training program for high school students. It's a great way to get kids involved in cyber. Like you and I were talking earlier, let's start at elementary schools. We do a lot of outreach for internships here at the state. We visit with HBCUs and community colleges as well, so we're not just looking at traditional four year universities.
I think though getting college students involved in IT and security early is key. So one of our initiatives that we have, the legislature and the governor signed into law last session, was to do a pilot program, a pilot regional security operations center in partnership with one of the public universities here in Texas. And this initiative will provide monitoring, response, education, outreach to local governments in Texas and it'll utilize students. And so we're getting students to assist in providing those network securities to those local entities. So our pilot program is with Angelo State University where 46% of the students are Hispanic. And so we're excited because not only is it an outstanding educational institution, there's a lot of opportunity there to help bring more practice and the skill set to a group where we don't probably see the same representation as we do from others. So we're excited about that opportunity.
And I think also considering out of the box candidates that have the skill set but not the resume. Are we looking aptitude and attitude more than just experience? So for example, my background is in law. I mean I'm a recovering attorney and I came to this agency after more than 17 years at the Office of the Attorney General. So I learn every day about the technical aspects of my role, but obviously having that aptitude for the role and the opportunity I bring also a fresh perspective and a different perspective into this role than somebody who's maybe grown up in technology. So I think all of those things, if we are a little more open-minded on some of our job selection can really help.
Mike Anderson: I totally agree. I mean, that's amazing. I love what you're doing with Angelo State. I always remember at San Angelo because I used to play them in football. I went to school here in Texas and played them in college, so I got to get that out of my head there. And I have three kids in schools in the state of Texas in college right now, so that's great.
Amanda Crawford: Me too. I'm excited to expand the program. That's one of our legislative initiatives is actually we have two other universities on deck and we're hoping for funding for those. So we should have hopefully two other of these regional [inaudible 00:32:44] coming up. So we're excited.
Mike Anderson: So it's always interesting. We have such a talent gap. But then sometimes I mentor college students and what I find is they're reaching out looking for jobs because everyone's looking for ... So you said skills, people are looking for someone that already has the experience, but yet we've got a talent gap. And I feel like what you're doing with the state schools and universities to basically get them the training they need so that they have that experience, I think it's going to just pay off quite well.
Amanda Crawford: Well, I'm optimistic. And yeah, because agree and that's actually one of my rants. I'll get on a soapbox when we talk about the challenges we have with recruitment in state government for It. And I say, well we need to stop expecting that we're going to have somebody with 15 years of network engineering experience who wants to come work for the state for the salaries you're paying. Again, stop putting experience as the number one job criteria. We can train. We can give people experience. We just need folks in here that are smart and have that mission mindset and are ready to roll up their sleeves and work for Texas.
Mike Anderson: Yeah, I cannot agree more. You can hire for the soft skills and train the hard skills.
Amanda Crawford: Yes, absolutely.
Mike Anderson: Yeah, I've been there. It's like ERP, I want someone that's got 10 years of SAP experience in a market where there's no one with SAP experience. Okay, we'll hire someone and you can teach.
Amanda Crawford: Right, right.
Mike Anderson: So yeah, we could definitely have another whole conversation on that one. So zero trust has become the topic of the day, it's labeled on everything. From a government perspective, is zero trust something that you're adopting from a state of Texas standpoint? Where does that play into how you think about security moving forward?
Amanda Crawford: It's a key part of our strategy. With the key to zero trust, of course as you know, is that users only get access to exactly what they need, nothing more, less. And it really flips the coin on how we approach that access to data and systems and networks. So candidly, I think it takes an organization a long time to completely flip that architecture from the current model to a full zero trust environment. But we're seeing government organizations diving into the topic, determining if there are areas where they can utilize zero trust principles to better secure those data and networks and systems. So it is part of the strategy. The devil's in the details of course in how to do that, but I think it's key to being able to secure the data we have.
Mike Anderson: Hopefully we can do more education on that too around what it is and what it isn't. It's like digital transformation or cloud, everyone labeled it. But it's like, oh, people buy things like that so if we call our product that maybe someone will give us some attention. So we have to-
Amanda Crawford: Innovation.
Mike Anderson: Yeah.
Amanda Crawford: Yeah. I'm like, what's innovation. Yeah, anyway.
Mike Anderson: We're going to pivot now to one of my fun parts here is some quick questions for you. So I'm going to give you a few of these and just give us your first response and thoughts. So first question is, and I'm going to give you two parts. One is, what's the best leadership advice you've ever been given? And the second part is, what's the worst leadership advice you've ever been given?
Amanda Crawford: Oh, okay. Wow. So best would be, gosh, listen more than you talk. I think it would probably be, really it's not just leadership advice, but life advice. The worst advice probably that command and control, that you're the boss to therefore the right answers. Which we all know anyone in leadership I think worth their salt knows that you don't have all the right answers, which is why you hire strong teams and you surround yourself with people that are smarter than you are so that you can make the right decisions.
Mike Anderson: Yes. I always hope people like in that command and control, you never can go on vacation because things stop when you leave. I love the leadership advice because I had a boss early on [inaudible 00:36:20] tell me, you have two ears, two eyes, and one mouth. Use them in that proportion.
Amanda Crawford: That's great. That's really great. Yeah, I'm a big believer that leadership is a mindset and not a position. It's really one of my number one duties is to empower my team at all levels to understand that they lead and they own in their position and that's how we make the organization stronger.
Mike Anderson: All right. Another one here, Last meal. What is it?
Amanda Crawford: Oh gosh. Well, I think you'll understand, Mike, being from Texas. It's probably going to have to be Texas barbecue. I think it's a good Texas brisket, which of course eating too much of it may lead you to get to your last meal sooner rather than later. But yeah, I would probably say something like that. I really love good Italian food. I lived in Italy twice and when I was growing up, and so I'm a little bit of an Italian food snob. So I would have to say if I had a really good pasta from southern Italy with fresh seafood in it, a real pasta with frutti di mare, something like that would be top of my list too.
Mike Anderson: Oh wow. Yeah, my wife and I spent two weeks in Italy on vacation this summer and as we were like, all right, how do we figure out a plan where we can just live in Italy for a month a year? That would just be amazing.
Amanda Crawford: I know. I think the world, everybody would just be happier if they could just live in Italy for a month a year. I truly, I think so many of our problems would be solved. We'd just be happier.
Mike Anderson: Well, I think they were trying to offer people money to move to southern Italy because I think I read it report a couple years ago and maybe [inaudible 00:37:49].
Amanda Crawford: Oh, I'm in.
Mike Anderson: Absolutely. What is your song that you sing when you go to karaoke?
Amanda Crawford: Oh, karaoke songs. I have a bunch. Well, kind of. Love Will Keep Us Together by Captain & Tennille. Always a good one. If I'm feeling a little saucy, maybe Rehab by Amy Winehouse. But as far as music to dance to, I think if September by Earth Wind and Fire comes on, you can't not move when that song comes on.
Mike Anderson: Absolutely. Personally, I tend to gravitate towards to singalongs because then everyone else is singing. They don't hear me. And it's better for everyone in attendance when I do that.
Amanda Crawford: That's exactly right.
Mike Anderson: All right, so what's the last book that you read and what did you love about it?
Amanda Crawford: I read a book my daughter recommended, just finished. It was light reading. It was called Writers and Lovers by Lily King. It was fantastic. Nothing to do with technology, a little bit about being a college kid in the late eighties, early nineties, so I could relate and it was great. It was a great book. I really enjoyed it.
Mike Anderson: Yeah, that sounds great. My wife is part of that Jen Hatmaker Book Club, and she gets books every month from Jen Hatmaker.
Amanda Crawford: Oh yeah, Jen's great. She has great recommendations. Well, tell your wife. I highly recommend. I think this might have been one of, I think Jenna Bush as a book club maybe, but my daughter is a voracious reader and I've just started taking stuff off of her shelf because she has great taste in books and I'll just read what she does.
Mike Anderson: Oh, that's great. All right, last quick hit is, well, who do you admire the most and why?
Amanda Crawford: Oh gosh. I think I'm going to stick with the theme that I've talked about. There's so many folks that I admire for different reasons, but I think just collectively as a community right now, the folks that are top of mind are the people in government and certainly in state government that I work with and really government at all levels for state and local that have come together so much as we're thankfully coming out of the pandemic, but all the things that they've done to work hard. I work with such a group of dedicated public servants. They don't get enough credit. There's not glory in it at all and they're in it for the mission. And so to me, people that are mission driven and that are doing the right thing for the right reasons, even when no one's looking, those are people that I admire and I am lucky to live in a state and work in a state where we have our government folks who are at all levels of government that have just that mindset. So they're pretty admirable.
Mike Anderson: Yeah, we have amazing, amazing people. Well, this has been amazing. I really learned so much from this conversation. I love the things you're doing, the human firewall and federating security across the group, the adoption of cloud. This has just been such an amazing conversation because I'm a fellow resident. I benefit from all the great work that you and your team are doing for a state of Texas. So thank you so much. Is there anything else, any parting words of wisdom you would give to the people listening to this podcast?
Amanda Crawford: Eat more Texas barbecue and Enable MFA. Right? Is that it?
Mike Anderson: All right. Awesome. Thank you.
Amanda Crawford: All right. Thank you, Mike. This was great. Really appreciate it. I had a lot of fun. Thank you.
Mike Anderson: Me too. Have a great day. Thank you.
Thank you for tuning in to today's episode of Security Visionaries podcast with my special guest, Amanda Crawford, the CIO for the State of Texas. It was an exciting conversation and always I like to summarize some of the key takeaways I got from our conversation. And the three things are first and foremost, in Amanda's job where she's trying to drive security across all the state agencies, we have to make sure we have a federated policy that security and how we enforce security across cloud and all of the transformation we're doing has to be federated. We have to bring everyone along in that journey.
Second is we have to start embedding security into our people at a very young age. We have to get into elementary schools, into high schools, middle schools, junior colleges, colleges. We have to make sure security is built into the fiber of the people in our communities. Because again, people are always our weakest link when it comes to security. And last but not least, is diversity. And we think about diversity, it's people from different socioeconomic backgrounds. It's pulling people from maybe historically black colleges or maybe in underserved areas. It's bringing that diversity is going to help us think differently because that diversity is what's going to help us stay ahead of the bad actors that are wishing harm on us. And honestly, that diversity of thought's important in anything we do. So I hope you enjoyed today's episode of the Security Visionaries podcast. I know why I did. And I hope you tune into our next episode and to get more insights from these great security and IT leaders.
Speaker 2: The Security Visionaries podcast is powered by the team at Netskope. Fast and easy to use, the Netskope platform provides optimized access and zero trust security for people, devices, and data anywhere they go. Helping customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, or private application activity. To learn more about how Scope helps customers be ready for anything on their sassy journey, visit N-E-T-S-K-O-P-E.com.
Speaker 3: Thank you for listening to Security Visionaries. Please take a moment to rate and review the show and share it with someone you know who might enjoy it. Stay tuned for episodes releasing every other week, and we'll see you in the next one.