How States Can Approach K12 Cybersecurity

Unsecurity Podcast

In this episode, we discuss with our guest Kevin Ford CISO of North Dakota how they are taking a state-based approach to K12 cybersecurity, cybersecurity education, and workforce development.

Protect Your School from Cybersecurity Threats

SecurityStudio helps schools ensure they’re protected against cybersecurity threats with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:33] Ryan Cloutier: Hey everyone, welcome back to another episode of the K 12 cybersecurity podcast. I’m your host Ryan Cloutier. Today we have a very special guest that has agreed to join us and our next guest is the former Chief information Security Officer of cyber Grx, one of the top cybersecurity startups in the nation where he was responsible for expanding cybersecurity privacy and risk management capabilities. He was responsible for protecting the information security of over 50,000 organizations including Fortune 100 clients. He has advised the US Congress, the us Indian health service, local governments and multiple private sector customers on cyber risk management initiatives and digital privacy. He has also served as a member of the National Institute of Standards and Technology cybersecurity framework development team and served as a cyber risk manager for Nasa. He received the 2016 Nasa achievement Award and is the recipient of a Deloitte cybersecurity Graduate award. He is currently the Chief information Security officer of North Dakota. Please join me in welcoming our guest kevin ford, Good morning kevin, thanks so much for joining us.

[00:01:46] Kevin Ford: Morning Ryan, thanks for having me,

[00:01:48] Ryan Cloutier: you know um I don’t personally know you but I have had a chance to get to know Sean and that’s how I kind of came to know of you. And so first and foremost congratulations on the new job.

[00:02:01] Kevin Ford: Oh thank you. I appreciate it. It’s been a it’s been a challenge and adventure and it’s been um really interesting and fun. So they’re pretty great here in North Dakota, so I’m really excited to be here.

[00:02:12] Ryan Cloutier: They really are. And that’s actually kind of what led me to want to talk to you is you know, I’ve been keeping an eye on what you guys have been doing in North Dakota and I’m frankly I’m a little smitten and somewhat in love with this idea of a unified cybersecurity strategy. Can you tell me a little bit more about that?

[00:02:30] Kevin Ford: Sure. Yeah. So uh maybe I need to give a little more background before I get to the strategy piece. Um One of the interesting things about North Dakota in comparison to a lot of other states is that we have a unified network in place already um on which all political subdivisions as well as state government um are required to connect. Right? So that means on our network we not just have uh State agencies, um the legislature and judicial branches but we also have K. 12. Um we have cities and counties all sort of co mingling on this this larger unified structure um as part of that uh the the North Dakota I. T. Department and V. I. P. Um has has perceived a mandate from the state to to sort of centralize our I. T. Services for state agencies um as well as a mandate to advise and oversee on cybersecurity, Um strategy for the state. And so that’s sort of where my office comes in um when I’m working with organizations uh further out from us than the state agencies meaning pay 12 or the cities and the counties or higher, education. my role becomes that of of an advisor and someone who’s had strategy rather than someone who um is sort of a C. So so um there you know multi multiple hats there on this is so for um and and have operational authority um in the realm of state government but for the locals, the K. 12, the higher education, I’m a strategist um and uh leader um uh and kind of community organizer as well.

[00:04:24] Ryan Cloutier: That’s awesome. You know it’s that whole government kind of approach that I really like and it’s very cool that you know your K. 12 schools are able to access the wealth of experience and expertise and knowledge um that you’re able to bring to bear for them and that consultant capacity it’s it’s something they desperately needed and So I you know, as one cyber professional to another. I thank you for that K12 is such an underserved market and a lot of times you know they have the same risks, they have the same technology the same complexity but they’re lacking a lot of the necessary kind of enterprise support structure, um Talent Experience systems if you will. So That’s just really great to hear that you’re doing that, you know, in doing that work. What is the biggest challenge that you’re currently seeing to getting appropriate levels of cybersecurity into the K-12 environment?

[00:05:19] Kevin Ford: Yeah, that’s a that’s a great question and a really complex one, because there are so many challenges, particularly right now when we’re in this sort of work from home and educate from home and study from home um paradigm, um you know, and there’s there’s so many different pieces of the architecture right now um that were, you know, nice and unified that are now spread across the state, right? We have the educators on their home networks, you have the students on their home networks, we have the uh my key personnel in between and trying to make sense of it all. And unfortunately, some of the externalities, some of the knock on effects of that are um our educators and our students and the parents of our students are often being called upon to do tech support. Right? And so there’s there’s um there’s a lot of concern about, you know, uh and this is a knock on on our teachers or are the parents of our students are our students, but there is kind of a concern around people who are maybe not completely educated in um the way uh I p works or who aren’t qualified um you know working on systems Um that belonged to K. 12 and maybe miss configuring them or um or you know plugging them into modems directly rather than behind the firewall or rather. Um so those are kind of you know, the gremlins that are in the system right now. Um We never expected to you know, have it could be relying on parents to be tech support. I think we

[00:07:03] Ryan Cloutier: uh and you know, it’s interesting that you bring that up because I’ve kind of heard that as an overarching theme. Um I serve school districts across the nation. I sit on a handful of advisory boards, Khazen being one of them the consortium of school networking and the theme I’ve really heard is Covid is brought to light this digital literacy gap and that some of the fundamental foundation als of updating a system, right? Um Pre Covid will say just even a few months ago updating a system wasn’t even necessarily something the average home user was aware was a thing to be done. And then now where to your point we’re asking them to kind of be our remote hands at home, right, we’re trying to do this. I. T. Support. It’s like, hey mom and dad, I can’t be in your house but I need you to click this and do that. And and so I think you know we’re seeing that as a national trend. Is that that gap in digital literacy, if you will. Um so it’s it’s I guess on the one hand, it’s reassuring to know that even you guys are struggling with that as well. But on the other hand, you know, it’s going to be interesting to see how we collectively as those who who serve K 12 and cyber um how we kind of overcome that challenge. I know, internally we’re looking at developing some free training for parents on things like secured configuration of a home router. Like how do we make that consumer level conversation? So that would be fascinating. Which segues me to my next question. What are your thoughts around how automation um can increase security and reduce risks knowing that that a lot of this work is complex work? Uh and some of that work can be automated. What are kind of your thoughts on the value of automation to to help our K-12 get better at this.

[00:08:59] Kevin Ford: Yeah. But you know, we’ve had a lot of experience with this firsthand, our network is so large. We’re talking about 250,000 and 300 points at any, you know, at any given our um, so, uh, you know, my team is large, but not large enough and I don’t, I’ve never met a security professional who says, hey, you know what my team is the perfect size or or I have maybe a few too many people write that. I’ve never met one. And um if you’ve met one, I’d like to meet them, I’m

[00:09:33] Ryan Cloutier: still looking for him too, right,

[00:09:36] Kevin Ford: they don’t exist. Um And that’s and that’s unfortunate, you know um the reality that’s imposed on us by both the supply side and the demand side here, right? Um uh you know, these problems go hand in hand with both the funding associated with cyber security as well as um you know, and I’m sure you’ve probably covered this a lot um are kind of national um dearth of cybersecurity skills right? There just aren’t enough qualified cybersecurity analysts uh to fill all the demand that’s out there. Um So we’ve really been relying heavily on automation. Um We we brought in a security orchestration and automation tool which we like a whole lot um and that kind of sits uh and harmonizes very well with our current security Operations center tech stack. Um and uh we’ve been able to automate using that a lot of sort of the day to day in and out analyst work. Um That includes, you know, an analysis of um I don’t know, a couple 1000 phishing emails a day, so on and so forth. The things that you would have may be sent to the intern or had your your pier one or you’re very junior analysts doing before. Um Now we’ve automated that, which means that there are more human eyes on the the higher level incidents, the ones that are sort of spit out from that automated analysis of saying hey these are the important ones or the ones that we haven’t quite been able to automate yet just because they’re so dynamic and there’s so many variables associated with those incidents and where where that particular solution, the security orchestration and automation solution um doesn’t cover. We’ve also brought in um uh consultants and uh processes for robotic process automation. Looking at the things are humans are doing day to day and see kind of what we can automate with computers and that aligns to the greater North Dakota I. T. Strategy. We’re looking at a situation where as much as 20-30% of our workforce could retire Um in the tech fields without adequate um without adequate replacement. Um so we’re kind of in a jam here and so we need to be able to figure out how we can automate probably around 30-40% of all the tasks that we’re doing. Uh an information technology organization for the state. Um So those are sort of the big drivers behind that and we achieved um quite a bit of success in that. We have a lot. It seems like every week a new thing in our in our sock is automated which is really neat. Um So you know I’m excited for what the future brings in that regard. Um I think in the cybersecurity field, you know there should be no concern around that from a human aspect or unemployment aspect because it’s really allowing the analysts to do the interesting things um and and not have to be stuck doing all the boring things all the time. Yeah,

[00:12:56] Ryan Cloutier: absolutely and I know um you know some of the automation is really good, some of the ai stuff still in its infancy. Uh you know, one of the organizations I participate in is nice. Um So that’s a subgroup of of Nist, it’s uh it’s the cybersecurity Education initiative and one of the areas that we were talking about in addition to just cybersecurity education is also um expanding kind of machine learning and ai education. Uh Somebody’s going to have to write those routines right, we still have that human component so many times people here automation and they think complete elimination of human and it’s it’s not that it’s elimination of someone like you said those those more basic tasks, things that I would have differed down to, you know, an intern or something like that, where I don’t need necessarily that that experience and that kind of judgment feel if you will that that we have in cyber where it’s like, okay, what is this? Does it feel like it might be suspicious, does it feel like it’s worth digging into? Um It’ll be interesting to see how we, how we kind of automate some of that stuff as we move forward. Uh 11 other question I have for you here is that I get asked a lot about how folks can get more involved and specifically recently I’ve had several people reach out to me and say, hey, we know that you’ve been, you know, kind of talking with Sean and stuff and keeping an eye on North Dakota, how do we get involved? Can we get involved? So my question is, is, you know, what can K 12 leaders outside of North Dakota due to get involved in a similar program to what you guys are doing?

[00:14:42] Kevin Ford: Yeah, that’s a that’s a great question. Um so we’ve spent a lot of effort and a lot of money on building a very sort of dynamic um and and technology forward approach to security here at North Dakota. And one of the things we’re really looking to do is kind of expand the footprint of that outward. Um so so that other organizations, other public organizations can can participate with us um in in security operations. And we’ve looked at a number of different ways we could achieve that um and come up with kind of a multi tiered approach. Uh so what we’re, what we’re calling, this is the multi state or multi sled um security operation centre, um where, you know, state government, state agencies as well as political subdivisions, K 12 higher education can participate with the state of North Dakota to really try to make to make inroads on the security posture for everyone. The technology we use the background we use is able to do a lot of very, very great and quick sharing so that if we see for instance an attack over here on in this area, well, um, the entire organization, the entire partnership would be covered in a matter of seconds against an attack, um, which is very, very important because we do see similar attacks across, you know, across the nation. Um, and we, and we see organizations falling like dominoes, right? Because our current means of sharing information, um, is too slow. So what this would be able to do is is set up at its lowest, most fundamental level, automated data sharing around attacks between all of the organizations associated with the multi state or multi sled sock. Um, and then at higher levels we’re looking at provisions to actually do operations. Right? So for instance, if I’m a, uh, I’m an organization that’s under attack and, and you know, I don’t have enough manpower to respond to the attack. Well now, um, in the current situation, what I have to do is kind of put out an all hands call and ask for other states to come and fly people in so on and so forth. But if we can sort of melt those barriers, maybe just get a, you know, a memorandum of understanding in place, um, and have a common tool set. Um, you know, I’d be happy to lend North Dakota analyst to help out a school system that’s in need. Um, and I’d be happy to welcome analysts from, you know, a school system or some other state to help North Dakota out if it’s indeed, um, and we can do that in a very, very short time with this sort of technology for putting in place. Um, so, so that’s, that’s kind of how you can get involved if, if you’d like to know more. Um, I don’t know, Ryan, maybe you can, um, you know, put my email address out there and, and people can, um, absolutely yeah,

[00:18:00] Ryan Cloutier: for sure. I’ll make sure to put that into the, um, description on the podcast here. Um, so that, that’s fantastic. I, I think, you know, it’s, it’s okay North Dakota sometimes, you know, gets the butt of a lot of jokes because you guys are, you know, in the middle of nowhere and you know, we call it flyover country, right? Um, and, and being a midwestern midwesterner myself, I’m just over here in Minnesota. So I’ve, I’ve, I’ve taken the drive up to bismarck once or twice, right? Um, and, but it’s, it’s awesome to see how you guys are, are really thinking about this in a, in a very future forward way in, in, in, it seems like you’ve already got this understanding that the world is forever different because of digital. We will not get ahead of this until we come at it collaboratively will always be playing whack a mole As long as we’re all trying to do our own thing, our own way with our own tool kits and our own um, descriptions the founder and Ceo of security studio Evan francine as a saying. Uh, and that’s that complexity is the enemy of cybersecurity and he’s not wrong, right? And, and the other thing is that we don’t have common language. So I just, I love, I love to see that you guys are doing that and being leaders in that space because it’s what we need. We we have to handle. It’s the whole country problem. We have to handle it as a country, you know, it’s just like, you know, unfortunately dealing with this covid, right? It’s each state’s kind of doing something a little different and, and some are more or less doing things, but at the end of the day it’s it’s a whole country problem. Right? So I just love that you guys are doing that one of the other. If I

[00:19:54] Kevin Ford: if I may, I just like to pull a thread around north Dakota there, um, because I am, you know, I’m from the east coast, I’m from Washington, D. C. And then spent some time in Denver and startup community there. Um, and the interesting thing about North Dakota, um is, you know, yes, we are, we are a flyover state and we embrace that. But, but with that, you know, there’s some, some, some swagger, some braggadocio to write were small, but that that makes us agile. Um and when you look at, you know, our total security footprint of around 300,000 devices, right? That puts us on par with a lot of Unfortunate 30 organizations out there. Um and you know, our governor is a leads attack, He was a ex Microsoft executive, he had a startup that he sold in the Microsoft um and also what chairman of the board for at Lassie, and so he is, you know, he is as tech forward as it as it comes um in in in the government space and he’s always ready and willing and able to lead with tech. So, you know, this is a top down thing and so we’re really, really um You know, really in a great position, largely because of the leadership we have in the state as well as the forethought of our legislature um to, you know, to build even this, this network, the statewide network back in the 90s. Um and that leads us all the way up through today. So

[00:21:18] Ryan Cloutier: absolutely a

[00:21:20] Kevin Ford: great spot.

[00:21:21] Ryan Cloutier: And speaking of forward thinking on your legislators part, that actually is a perfect segue to my, to my last question for you. Um, so I understand that you guys are taking kind of a holistic PK 2 20 approach to cybersecurity education For, for K- 12 students that don’t have the luxury if you will of of having their state, um take that as seriously or maybe um be as ready to deliver as it sounds like you guys are getting geared up to do or maybe are already doing, How do we get more K 12 students involved in this? We know we have a workforce shortage, but we also know that they’re just digital citizens of the world who um in my opinion at least cybersecurity is a foundational life skill, It’s a basic life skills like washing your hands or bathing or brushing your teeth. Um So how, you know, in your in your opinion, how do we get them engaged? How do we get them involved?

[00:22:22] Kevin Ford: Yeah, that’s a that’s a great um that’s a great question and and North Dakota is lucky to have a K 20 w effort which means for us um every student um is cyber security and cyber skills educated from kindergarten through ph D. As well as the workforce. So we have a comprehensive K 20 W program which is led by just a fantastic group in our in our edgy tech division Um and they just do so much great work particularly around outreach to the schools um both K-12 and higher education as well as workforce training um as and reaching out to trade schools. Um and I think you know, you kind of hit the nail on the head there right with the digital citizen uh Comic, we are in a position where cybersecurity needs to become as fundamental as the things I was taught um way back in the way back in the day when I was in kindergarten, things like stop drop and roll and stranger danger and you know, don’t get in the car with strangers and and all these other things, these basic life skills, how to wash your hands, so on and so forth, cyber security needs to become part of that because while it’s true that you know, maybe not everyone is going to go into a cybersecurity field or even a computer field. Um there is no um area, there is no field right now that it’s not impacted by technology. Um if you want to become a doctor, a surgeon, um you know, you are still going to have to interact with technology and you’re going to need to know how to do that safely in order to for instance, in the doctor surgeon case protect the personal health information of your patients.

[00:24:13] Ryan Cloutier: Yeah. And in addition I think there’s the, you know, surgery robots, right? I mean it’s, I don’t foresee tech going away if anything, I see more of a deep integration and so no, I think that’s just fantastic. Well, I do want to respect your time. I know you’re a very busy man, so thank you so much for taking this time to to talk with us today and to share your thoughts. Um I’ll provide your email to folks in the description. Is there anything else you’d like the audience to know?

[00:24:45] Kevin Ford: Uh No, I just I just want to shout it again or are educated group. Um There is such a good group work, they do both kind of operational work with our K- 12 um uh as well as educational work and really head up like a 20 W so kudos to them and I’m open to any conversations anyone would like to have regarding how they could do something similar within their state or within their K 12 organization as well as um as well as, you know, the Security Operations Center after interested in that.

[00:25:19] Ryan Cloutier: Well, thank you so much for that generosity and definitely will help get the word out to folks. Uh Thanks everyone for joining us. This has been a great episode, will continue to produce these. You can follow us on twitter @StudioSecurity, you can find me on twitter @CloutierSEC. Thanks everyone have a great day