Welcome to our TechTables' Team Spotlight Series, where we spotlight innovative teams and unpack the human stories behind their digital transformations. This limited 5-part series was live from Tallahassee at the Florida Digital Service earlier this year (2023). This is Part 1 of 5.
Candace Wynn is the Cyber Community Ops Manager and Warren Sponholtz is the Deputy State CISO at Florida Digital Service. They discuss how Florida is taking steps to improve cybersecurity through grants, incident response, and community building.
In this episode, you’ll learn:
• About the $30 million Cybersecurity Grant Program to help local communities improve cyber resilience
• How Florida Digital Service acts as a security operations center to help agencies respond faster to cyber incidents
• Why cybersecurity works best as a team sport
• How Candace is connecting Florida’s cyber community through working groups and events
• The key role empathy and relationship-building play in statewide collaboration
• Warren’s perspective on Candace’s strengths in organizing the Cyber Advisory Council
• Advice for CIOs and CISOs looking to develop stronger cyber communities
00:00 - Introducing Warren & Candace
02:30 - Florida’s $30 million cyber grant program
05:00 - Warren on the importance of cyber collaboration
07:26 - Candace’s background before community building
10:35 - Warren highlights Candace's strengths
13:15 - Candace discusses the Cyber Advisory Council
18:00 - Connecting agencies through working groups
22:28 - Building empathy and trust with stakeholders
25:17 - Candace’s statewide outreach to locals
[00:00:34] Welcome to the public sector show by TechTables at the Florida Digital.
[00:00:39] Colab Annex slash expansion slash, we don't know what we're calling this. Colab Annex, I think is what they call it. Yeah. Everyone everyone's got a different, everyone's got a different name. Warren, why don't you introduce yourself and then we'll introduce Candace. Awesome. I'm Warren Sponholtz.
[00:00:52] I am the Deputy State CISO over Strategy. So when you think strategy, think pretty much everything except for the operation side of cyber [00:01:00] security. So it's training. It's the community development. It's governance, risk and compliance. It's policy and rule development. And of course, I don't do any of that.
[00:01:09] I've got a great team that works with me, including Candace here. And I've been here since December, beginning of December. I was a CIO over at the Department of Environmental Protection beforehand. Had a great time doing that. And there were some really exciting things happening over here at Florida Digital Service.
[00:01:25] And I wanted to be part of it. So I joined the team. Who who was recruiting you? So Jeremy and Jamie both recruited me and they kept working on me until I finally said yes. So they're very persistent. They did a good job. Good to be over. Yeah, I love it. Candace, for those who don't know you a little bit about yourself.
[00:01:42] So I'm Candace Wynn. I am the community operations manager here at FLDS. I am not new to state government. I have been with the state for almost 12 years. So quite a while. I started with FLDS in January. So only been here for about [00:02:00] six months. On Warren's team. I think I have one of the most fun jobs here.
[00:02:04] I get to bring the cyber community together. So think locals, agencies, we get to do all the fun stuff, socials and just, letting the ISMs connect and all the security folks from all over connect together. I yeah, so that's what I do. I love it. Bringing the cyber community together. I bring the public sector community together.
[00:02:30] It's, we have the same job. Except I just sit behind a microphone. It's the only difference. Okay, we're gonna have Candace for a little bit longer than Warren. I've got a very nice, I love this is my notebook, but Warren really helped me out, cause I didn't even, it's like I didn't even have to have an intro call with Warren, so we're going to have Candace for a little bit longer, so we're going to come back to you. But Warren, a couple things. Tell us a little bit about the grant program. Yeah, so the Florida Legislature appropriated 30 million this year for a cyber assistance program to be able to help local [00:03:00] communities become more resilient to be able to improve their cyber posture. That grant program was given to the DMS and the DMS of the Department of Management Services and from Department of Management Services over to the Florida Digital Service.
[00:03:13] So we set out to enable these entities with, ways to build to improve their posture. And again, it's 30 million. It's for one year. There was some other grant programs in play. There was a federal grant program that was less money and had some other conditions around it. But the Florida Legislature just realized that it was a need and a need for the entire state.
[00:03:34] So they provided that funding. And I think, you know, if you watch the news and you see a lot of these places that get hit with cyber attacks, it's usually not your larger state agencies. It's usually your smaller communities and those who just don't have big teams or any team at all. Being able to reach out to especially the smaller communities and help them along was a large part of the intent there and something I think was just a great move by the legislature.
[00:03:59] [00:04:00] I love that. Okay when I look at what you wrote down, I've got grant program, I've got about. So I just covered about, right? You just covered about, okay, I just made sure. You can do a follow up if you need to. Response. Response, meaning we have two things with response, right?
[00:04:16] So here at the Florida Digital Service by statute, we have a security operations center. So whenever there are cyber events that happen with state agencies or even with locals, we want to be able to help them through that situation so that they can stabilize and shut down any kind of cyber situation as quickly as possible and get them on the road to recovery as quickly as possible.
[00:04:37] With this grant program definitely positioning ourselves and our relationships with the locals so that we can be better partners in incident response and The other part of response to that is the response we've had to the grant program. So we got over 300 respondents across the state.
[00:04:55] Every, almost every county except for one responded to this grant opportunity. [00:05:00] That's all the way from Pensacola down to Key West. Advancing with over around 200 will be awarded to the program. Wrapping that up right now. And building those relationships, setting it up so that we can help them with their cyber security problems, be able to push this funding towards them to be able to bolster their cybersecurity programs and just start building relationships because you mentioned community and we'll talk about it more, but cyber really works as a team sport.
[00:05:28] So we work better together when we can talk about vulnerabilities, we can try to respond faster whenever things happen in our Florida landscape. So that only works whenever we work together and we stop hiding information and be willing to be open with each other and share what works and what doesn't work.
[00:05:44] If somebody gets compromised, having, yeah, having candid conversations about that is, is important because cyber criminals don't care, they don't care who you are and they don't care what you do but we care about each other. So we need to build those bridges and build that community so we can [00:06:00] defend ourselves the right way.
[00:06:01] Yeah. Okay. So cyber is a team sport. That sounds like not really technical. So that's good, right? Because I mentioned, this is the non operational side of cybersecurity. So really, our group is challenged to build those relationships to be able to figure out where we have gaps. There's a whole team dedicated to engineering the right solutions for cybersecurity, for responding to incidents, to being able to monitor the network. Not the area that Candace and I focus on both sides. I'm giving you a hard time. I'm giving you a hard time. So yeah, no, this is the reason why you guys are perfect for this is the podcast is all about sharing human-centric stories. Gotcha. Yeah. I'm just, I'm chopped giving you a hard time.
[00:06:48] Yeah. I love it. And, yeah, I think everyone has a technical team, right? But yeah, I always love this concept. I've heard it several times. Tim Romer, who is the former state CISO in Arizona, echoes something very [00:07:00] similar, that cyber is a team sport and that the weakest line of defense is us, is me.
[00:07:07] And the stuff's getting really sophisticated too, crazy sophisticated. I'm constantly now having even on a personal level working with family members. Don't open that email. Don't click that. They're just spoofing don't like it's crazy. It's pretty nuts right now. So okay we got five lucky golden minutes.
[00:07:26] All right. What else are we covering? What makes this program different? So I'd say the biggest difference between this grant program and traditional grant programs is we are providing capabilities instead of funding. That's important here with this particular local program because if we were to provide a bunch of funding for communities around the state, there are certain communities that would be able to excel with that and be able to purchase capabilities or assessments or just anything germane to cybersecurity.
[00:07:56] And that's great. But again, when you look in the [00:08:00] news and see who's getting compromised and who's just not equipped to be able to respond to these kind of threats and these risks, it's the smaller communities around the state. So our approach to provide capabilities instead of funding really scratches two itches. One, it's we can enable these entities.
[00:08:17] They don't have to do a procurement activity. They don't have a bunch of audit requirements around the consumption of these capabilities. So that kind of just rockets into the front as far as being able to utilize or use these capabilities. And then, I mentioned before about incident responses because we're able to have these capabilities and they have integration with the CSOC.
[00:08:38] We're able to have visibility in what's going on and the threats landscape around the state. So we're able to see if a particular county has a, has an incident and we were able to identify the vulnerabilities that resulted in that incident, and if we see those same kind of vulnerabilities in the rest of the ecosystem, that's something we can be proactive about instead of that incident spreading across the state. [00:09:00]
[00:09:00] That was fantastic. I know you're leaving right now. Favorite, Candace, you've been here six months? Six months. Six months. Favorite thing about Candace, and favorite thing you would like to highlight about the work she's done in the last six months? So I hope she talks about this. My favorite thing about Candace, I can say three things, right?
[00:09:22] I can say three things. Okay. So I'm going to say her organization skills, her ability to push through an immense amount of work and product. And then lastly, just her ability to, bring people over to the community, right? She's very personable, very charming. Just somebody you want to be able to spend time with.
[00:09:47] And and it's genuine, right? Those three things really just make her crush. Can we cut to the camera? I want
[00:09:53] to the work she's doing. She's doing a fantastic job especially with she'll probably talk about the Cyber Advisory Council, but the work she's done with [00:10:00] the Cyber Advisory Council has just really made it so the members are excited about engaging with us. And these are a bunch of people who are experts in their field and being able to have a program that they want to be involved with and they know they're being taken care of and they can provide their input in a way that they know it's being taken seriously and something done with it purposefully is something Candace's is organized here and that's made really accelerated our ability to get the right advice from them which kind of shapes the future of our cyber program.
[00:10:35] Candace, you've been here six months. One thing about Warren. I can't talk, but he just, he did a great job. He is a very great leader. He empowers. People like myself to go forth and do good things. He's very level headed. There's so much I like about Warren and about working for him and working on his team.
[00:10:58] I can't even begin to [00:11:00] describe the number of things that are great about him. So sounds like she could really couldn't come up with anything. That's fine. It's good. There's just too much. No, I love it. I like, I appreciate it. I always, I think it's, it doesn't typically happen where like other folks are saying like, Hey, I noticed this, or I appreciate you about this.
[00:11:20] And so I'm forcing you a little bit on, on the podcast. Warren, super pleasure. At some point we probably got to do. A way deeper dive. The audience is he hopped on for 10 minutes. I'm like, I know, he's a busy guy.
[00:11:33] All right, Candace, we're going to move on and talk about community building, cyber community building. I love that there's just like a boom. But before we get to this, I'm super curious Okay. What were you doing before community building there has to be a story before, before you get to cyber community building what got you into relationships were you an event planner before, was there some background?
[00:11:58] No, actually, [00:12:00] I do not have a background in any kind of community organized anything. I worked as a Cyber Navigator for Department of State before I came here. I worked remote and I had been remote for about six years before I took on this job here. I went from being in a, in an office by myself at home by myself all day to, having to put clothes back on and be in front of people and talk to people and smile and, but I've always been, even working from home, I've always been customer oriented, just really big on customer service.
[00:12:36] So I think that's, been one of the big things. How did they sell you to come into the office? So it's funny. I actually previously worked with two people that worked here. And they called me and they're like, Hey, we really want you to come to work at FLDS. And I was like, no, I work remote y'all work in the office.
[00:12:58] I'm not doing that. And they're like, just come [00:13:00] on. You'll love this team. This team's going to love you. And it's funny. They're like, there's some jobs out there. Just apply for all of them. So I said, okay, so I just went on applied for all the jobs that were posted and they called and offered me the job and I declined it.
[00:13:15] I was like, yeah, thanks, but I'm not going to take it because I want to work from home. I don't want to come in the office. And they were like, look, Warren said. I know that you like working from home, but you will absolutely love that like after meeting in person because I did not know him before this job.
[00:13:30] And he's you're going to love this. This is going to be a great fit. And so I took it. I was like, okay, I'm going to, I'm going to take your advice and I'm going to, I'm going to go for it and see where it takes me. Yeah, I, okay. So I love, cause normally everyone's trying to jump to remote and then you might be the only person I know that jumped back.
[00:13:51] I'm not like truly remote. Like I have an office where I record virtual content, but I'm on the road so much, it's like my office is [00:14:00] FLDS for the next two days, right? So Cyber Advisory Council, tell me a little bit more about that. The Cyber Advisory Council was originally the Cyber Security Task Force. It was established in 2019 by Governor DeSantis.
[00:14:18] It's, it was made up of public and private sector profess, security professionals. And it, they originally provided a list of recommendations to the state of Florida to become secure. And then the, from that, the task force turned into the Cybersecurity Advisory Council. I actually facilitate that entire process.
[00:14:43] It's made up of the, Lieutenant Governor is the chair. She's done a phenomenal job. And then the state CISO, state CIO, and several other just, security, there's I think two CISOs on there from private companies. And it's just. [00:15:00] These people are phenomenal. So what they do is they essentially take everything that the state of Florida is doing.
[00:15:08] They look at it, they say, okay, this is what you're doing. This is how to get better. This is where, you can improve or this is, they'll take best practices and they'll make recommendations to the legislature for us. So if they say, you're doing a great job here, but you really could do better if you could do this, then they would make a recommendation and it actually goes to the legislature.
[00:15:31] So today we had a special meeting for the members to vote on those recommendations. They get turned into the legislature on June 30th. So generally what happens is those recommendations will come in and then I will work with members from FLDS to make sure that they are getting implemented and worked on.
[00:15:50] And then I also float those recommendations into the agencies like our, we have working groups with the agencies. So we [00:16:00] talk about some of the recommendations from the council. And then if we have questions or we have roadblocks, hey, we don't really understand what would be the best move here and they can, help guide us.
[00:16:11] We have gotten, I've gotten to meet some really great people through the council we meet, they meet quarterly. The last one was in May and we met at University of Florida. Mr. Elias Eldayrie, he is the CIO at UF. So he gave us a phenomenal tour of the UF HiPerGator. It was the most awesome experience.
[00:16:35] I think I have, you think about a data center and you're like that's boring, but it was phenomenal. It was so cool to see just the technology and everything that has been put into that. So you're like, I'm a community builder. I don't want to go to this data center. This thing is awesome.
[00:16:52] No, I'm like, Oh, I like field trips. Now that's a term I haven't heard in a while. Okay. So let's talk about the cyber working [00:17:00] groups. So we've got the advisory council touched a little bit upon it, but I think the working groups bleed into the kind of community piece bridge those.
[00:17:13] Yeah. So the cyber advisory council has working groups and then the agencies have working groups and with the agency working groups we, so, I facilitate those working groups. I have agencies that are the chairs over the working groups and they just, it's not just ISMs, it's other security professionals and we have some that have the inspector generals in the working groups for like GRC and
[00:17:43] things of that nature. We have a community working group, a training working group, a solutions evaluation in which we review the agencies come together. They review current solutions that are implemented through the enterprise, but it's also a place for them to connect on [00:18:00] where some of their hardships are, where some of their gaps are, why they can't implement certain tools and, because a lot of times what happens is just as in when we look, think about incident response, how, if we can get ahead of it and we know that there is something out there that could affect the enterprise, then if you know about it, you could potentially stop it.
[00:18:18] So during these working groups, it allows the agencies to talk and bring some of their problems, some of their hardships. to the table. And a lot of times when they do that, other agencies are facing the same issues. So just getting roundtable, having an opportunity to sit and talk through, and a lot of times they're able to find resolution together on how to move forward.
[00:18:44] Do you know if anyone's you just said agencies are all facing the same problem is anyone documenting like, Hey, here's every single agency here, all the same problems that are getting listed up and the kind of a shared collaborative resource. Yeah. So [00:19:00] we actually, there's a few things that are done.
[00:19:02] So we do take notes in all these meetings clearly because what's the purpose of a meeting if you can't, if you're not having anything productive come out of it. I take notes, but the other thing is we have a shared space through Slack where they can communicate some of their issues there.
[00:19:18] And then we have a shared SharePoint site where they can upload documents and collaborate that way on things that they have. But what I generally do is take the things that they're facing and. Take it to the cyber advisory council to say, look, this is where, or take it to FLDS first.
[00:19:37] Can we help if we can't help, why not? And then take it to the council. So that's how the council and the state all work together. Okay. No, that's great. So there's a Slack SharePoint and then it funnels up to FLDS and then I guess whatever's either prioritized or most, most urgent thing kind of funnels up to the.
[00:19:58] Yeah, and even if [00:20:00] it's not prioritized, we let the council members tell us, Hey, you know what, even if you don't have a project prioritized, this does need to be front and center. So something I'm curious about, and I think it, it blends in with with what Warren has here, but the kind of a larger scale of how do you think about cyber community mixed with training?
[00:20:22] The intersection of those two. So my job, I actually have two parts. So I'm training coordinator, but I'm also the community, person. With training, I think that it works as far as, some of the things that we're doing is trying to streamline requirements.
[00:20:41] The biggest issue that I see is that, a lot of the agencies do not have the resources available to really run a mature stout training program. They do a great job with what they have, but the [00:21:00] resources are the issue. So being able to work together and collaborate on how they're maintaining training, how they're presenting it, that, that is one of the biggest things I think for commute.
[00:21:12] Bridging community and training for the other CIOs out there across the country that are listening. What like, what advice would you give to them? If they're looking to hire someone like you, like they want to build a community. They want to incorporate specifically on the cyber side. They want to build this out.
[00:21:31] Where do they start? What advice would you give them? How does it look like? I think outreach is the biggest thing. Just, you know, building trust, building that community, being able to talk to people, put a, and that's why it's so important to be in person. Like you can put a face to my name.
[00:21:50] It's not just somebody saying, yeah, I'm here for you. Yeah. Let's build this community. It's actually somebody who's spending time with you. Who's listening to your problems. I [00:22:00] always say that I am the agency's friend. I am there for them to. Tell me the good, the bad, the ugly, the beautiful, the great, the best.
[00:22:09] So everything that they have, I'm here to listen and do everything I can to make sure that they feel and are supported. Do you work with Brad Oswald at all? I do work with Brad. Okay. So Brad came on this morning. Man, how many episodes was that? It's like the whole day is just blurring together. Brad was fantastic.
[00:22:28] One of the big things he talked about, this is it, listening, having, building that relationship, and empathy which I think goes really well with what you just said about trust people. You can't have that relationship virtually. It takes time to be in person and build that relationship which is super powerful.
[00:22:49] Here at FLDS do you work like across everything or what does it look like? It's my area does touch [00:23:00] many different areas. It's not... So if you think about what I do and what service experience does, which is where Brad is, they, it does seem like we do the same things, but my goal is mainly to connect the agencies and the locals together.
[00:23:16] In May I hosted a security social with ISMs and it was, so I did ISMs plus one, so they could bring one security professional from their agency. And, we get there and we get, we go to this place and people start coming in and they're like, okay, Candace, are you going to introduce everybody?
[00:23:38] And I'm like, what do you mean? Y'all, y'all have been coming to meetings together for a long time. And they're like. Yeah, we don't know each other. Like we've never spoke. We come and sit in meetings together. We don't know who each other, we don't know what agency we're with. So just mine is con, my job is connecting those agencies together so that they will talk, so that they will pick up the phone and have trust in [00:24:00] somebody else and say, look, I'm dealing with this.
[00:24:03] Maybe you are feeling some of the same heartaches. They should not have to go to someone to connect. They should be able to go straight to another agency to talk and, have that friend relationship because they're dealing with different things, but anyway meeting that, having that social, doing things like that, it has been extremely helpful, I think, for the state of Florida.
[00:24:27] I love that. Yeah. Anytime you can come together and collaborate good things are going to happen. Okay. So you're hitting the road, you're hitting the road show, connecting the agencies.
[00:24:37] So what we've been doing is the quarters that we have cyber advisory council meetings, we also have a local town hall meeting to meet the locals. So in May, we were able to meet in Alachua County and also we invited all surrounding counties and we ended up with a packed house. We it was me, Jamie, Jeremy, and Warren.
[00:24:59] And so we [00:25:00] got to meet a lot of the locals. It was really fun really cool. So we're hoping to do that with the next meeting. So the next one we have is in August and we're going to be in Orlando. And then I think November will be in Miami.
[00:25:13] Anything else before we, we jump off the pod? Nope. That's it. That's all I got.
[00:25:17] Hey, what's up everybody. This is Joe Toste from techtables.com and you're listening to the public sector show by TechTables. This podcast features human centric stories from public sector CIOs, CISOs, and technology leaders across federal, state, city, county, and higher education. You'll gain valuable insights into current issues and challenges faced by top leaders.
[00:25:35] Through interviews, speaking engagements, live podcast tour events, we offer you a behind the mic look at the opportunities top leaders are seeing today. And to make sure you never miss an episode, head over to Spotify, Apple Podcasts, hit that follow button and leave a quick rating. Just tap the number of stars that you think this show deserves.