Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Aaron Pritz (00:01):
Welcome back to Simply Solving Cyber. My name is Aaron Pritz. And I'm Cody Rivers. And today we are here with Chetrice Romero. She's the cyber program director for the state of Indiana, and also heads the Indiana Executive Council on Cybersecurity. Thanks.
Chetrice Romero (00:18):
Yep.
So I'm just tired all the time.
Aaron Pritz (00:20):
I bet. Well, so we're excited to hear about both of those things. But before we get started into that, give us your intro into cyber. How did you get into the field? And I think, uh, from chatting a little bit before, non-conventional, not, you're not an IT techie, so give us your story.
Chetrice Romero (00:35):
I'm not, and actually I love that I'm not, because I think that's consistent, like theme to a lot of workforce development talks with students is that cybersecurity people come from a variety of walks of life. So my original two degrees are in journalism, and public relations and communications and liberal arts. So I definitely use my degrees every day. That definitely wasn't like I did a total 180, but yeah, I've always been with the state of Indiana. It's really, honestly, I just got bit by the service bug and working for private just kind of seems good for other people, but for me, I don't think I'd be as happy with the ability to kind of affect change and help people through government service.
So yeah, I did public relations with the Department of Revenue, did crisis communications with Department of Labor and IOSHA, then since I got labor and taxes, um, where like literally my day-to-day job was death and taxes, which was the weirdest thing. I got moved over into the Utility Regulatory Commission where I actually got more of my start in the cyber realm, from the energy sector and kind of being spooked by, actually, Ukraine attack back in 2016 on their energy grid. So that kind of just really went from zero to a hundred and just had a huge interest in cybersecurity. Worked with our emergency operations center, assisted them with building out our emergency support function over energy. So what that means is when the lights go out and everybody's lights go out, and it starts really making people upset, but also starts putting our safety and health at risk, then Emergency Operations Center for the state of Indiana kind of kicks in and starts to try to coordinate and make sure that people get what they need, especially if it's a long outage. So I did a lot of work on that end.
And then, came into, when Holcomb took office, he continued the executive order that established the Indiana Executive Council on Cybersecurity. And of course, I'm one of those people, I always tell students that I lecture to, if you're gonna say maybe something didn't work as well or how something can work, you always bring solutions. And so that's what I did. Yeah. Not realizing that that was an interview. So they came back and they're like, why don't you just take it? And so I was like, you know what? This seems fun and it seems exciting and seems like an area I could really make a difference in which, with 250 other people, we really have. So yeah. That's excellent.
That's excellent.
Aaron Pritz (02:46):
So comms and public relations has a prominent role in cyber now, especially with ransomware. So, I know on the corporate side, having a plan, having rehearsals, having practice was the night and day difference and readiness for how a company reacts to it. Yeah, you've seen it on the government side, but what have you learned on readiness and preparedness with teams? Getting, helping people understand their role and yeah, people are
Chetrice Romero (03:10):
active in that. Oh, no, that's a great question. So I think the thing I've learned the most with the readiness component is that people, when you're talking about like energy for example, or healthcare, they are doing pretty good. They're already pretty regulated banking. There are already a lot of requirements of them testing these processes out. It's just part of the risk management of just being a utility or a critical infrastructure. But the kind of aspect of risk management that trickles through all industries, I still believe is quite lacking. And I think it's not for the sake that people don't care about it or they don't think of it. I really do think that it's just not in front of them.
And cybersecurity is very different from the other things we hear about prepping for. Right. Like we, we know there's gonna be a snowstorm, so we can always prep for that, right? Yeah. We live in fantastic Indiana, right? So there's gonna be a tornado. Or two or 25. So we know these things are gonna happen. Insurances typically require us to make sure that we are following building codes and we're following fire codes and so on, so that we're prepared for those things. So when it comes to cyber, it's just a lot more out of sight, out of mind. Yeah. But I would say that of all those threats, when we do risk assessment, cybersecurity is still the top threat to businesses with the most to gain or most businesses to lose. Yeah. And yet it's still not a priority with preparing for it.
So a lot of what the council does is how can we make that simpler for people of all sizes, from all size of businesses, organizations, and not just in critical infrastructures, but on a constant basis. From the beginning, I'm like, is that gonna be helpful for the mom and pop shop selling cupcakes? Because if it's too complicated for them, it's gonna be too complicated for other, even if it's a critical infrastructure. So we really need to always think of let's try to simplify this. Cuz if we truly understand it, we should be able to simplify it. Yeah. Get the basics
Aaron Pritz (04:59):
right. Absolutely. The 101 class, not skip into the 501 class, where exactly. PhD
Chetrice Romero (05:04):
track to figure it out, right? Yeah, absolutely. And a lot of people think they hear cyber and they're like it's technical. Yeah. Yeah. Okay. And, but I would totally disagree with that. And, I'm a living example in the sense that we do so much stuff that's not technical. You're looking at 90% of up to 90% of all cyber attacks for all types of businesses. Whether it's an energy grid or a cupcake shop, it comes from human error. So because they didn't update something or they're using password 123 or they're using the same password, and they're not changing it regularly or yeah, they're getting phished, they're clicking that link, right? Yeah, absolutely. So it really is that class, 101, that takes care of about 70% of all cyber problems. So that's kind of our mission on the council is to help people understand that, prepare for the worst, but also just change a little bit of behavior, doing simple things that are not technical. And it will make a difference. So for
Aaron Pritz (05:56):
that cupcake shop, how is the word out? How do they know? How do they find the resources that the I eec, I e c, Indiana Council?
Chetrice Romero (06:05):
Oh yeah. We're government. We love, I think you gotta have an acronym there. I, yeah. Yep. Absolutely. So we have a great website, something that the state didn't have many years ago, when we started. It's in.gov/cybersecurity. Awesome. Pretty easy. Even if you just throw in Google, Indiana cybersecurity, that'll come up. And it's not like most government websites, so to everybody, you're welcome, cuz I really fought for it not to be like the other ones. It has buttons. Yeah. Are you an individual? Are you a business, are you a government? Do you wanna assess yourself? They wouldn't let me do the assess yourself before you wreck yourself. Um, something about copyrights or whatever, but
Aaron Pritz (06:39):
I'm sure there's an Easter egg. If we look
Chetrice Romero (06:40):
close enough to slip down. I'm not gonna say yay or nay, but there may be Easter eggs throughout the website. Definitely in our strategy. So we try to make it as simple as possible. The way I look at it is if I'm trying to get, like you said, a cupcake shop, a friend of mine to do something simple with cyber, how would I want them to do it? I'm not gonna send them to something that's super difficult. And as much as I love and appreciate the work that Federal does in like NIST, which is the standards for cybersecurity, and you can find that with that National Institute standards of technology. When you go there, it is super technical. Yeah. There are literally hundreds of controls. Yeah. And it just hundred and 900. Yes. Yes. And it's just, it's impossible for any normal organization to put the time and effort into learning all that, right? Yeah. Yeah. Like it's just not helpful.
So we have things as easy as a scorecard, which just gets you like literally like red, yellow, green. Where are you from a very high level perspective of cyber. Yeah. To get you understanding, maybe I should be looking into this. Maybe I should take this to the CEO. We did the scorecard that the state of Indiana and Purdue worked on very hard to simplify it to like an eighth grade reading level that's operation focused. So it's things like, do you have a cyber incident response plan? We don't need 10 things to talk about it. We just wanna know. Do you have one? Yes. No. Yeah. Start there. It's, yeah, exactly. Simple, right? It's like operations, like what am I asking the manager? And not just the IT manager, like the general manager of a store. Yeah. If they don't know, then it's a problem cuz they're the ones running the show, right? So that's a lot of what we aim to do is just simplify the really good work that's out there by super ridiculously smart people. But it just, it misses the mark on getting to the people who really need it most.
Aaron Pritz (08:15):
Yeah. We're getting ready in May, which is small business month, to kind of as a give back for our staff to bring a group of three to five small businesses together, to almost be like a cohort to work through over six months. How, teach them to fish, how they do it themselves. But we should definitely start with the resources that are already available. Absolutely. To them as a base and say, hey, have you taken advantage of this yet? Let's not spend your time redoing what has already been created,
Chetrice Romero (08:44):
you know? Absolutely. This resource. Yeah. There's a lot of free resources on there in your healthcare. There's a cyber in a box that basically brought a whole bunch of really cool resources that are all over the place into one area. We have the scorecard that I just talked about. We have a template for an incident response plan to start with. We have a business kit that the IEDC, the Economic Development Corporation, put together for small businesses that kind of go through, has simple to understand videos. I'm in agreement with you. I, having a cohort and teaching them to fish is such a key thing because, I always tell people like, well, they should have a cybersecurity person. Well, they're just never gonna have it. Yeah. At the end of the day, at the end of the day, the cupcake owner is like, I want somebody else to bake more cakes. Like they're too small to justify that. And understandably, I think it's unreasonable to expect small and medium sized companies that it doesn't quite fit the line, mm-hmm, of that. Mm-hmm. But there's a lot of services and a lot of things out there that can help them get over that without having a full-time person. Right. That an office manager can take on. Or a lot of places like HR does it too, or COO. So I think that that's what we try to do is just simplify it and make it easy to understand chunks.
And I also believe that it isn't a black and white all or nothing kind of thing when it came to cybersecurity. I would say back in the day it made it seem like if you don't do it, you're sucking. And if you do, you're awesome, but you have to do all of it. Yeah. There's a lot of fear mongering at this. It is so much. And I'm like, you know what? If an owner of a business says, hey, if you're not sure about the email, I want you to just not click it, just come talk to me first, that is significantly more powerful than any fear mongering. Right. Okay. Totally. So I think that there's just different ways that we can approach this and I think, just empowering small businesses instead of telling them what they're missing and what they need. Yeah. Or if they want cyber insurance, we have a cyber insurance toolkit. That's awesome. To help them understand like that process and the questions they're gonna get asked so they can just see is it worth even going through the process and then getting denied at the end. Like, who wants that?
Cody Rivers (10:38):
Well, what I love is you keep saying the words process and people, which are two things that we lean heavily on here and we just had an attorney on here, but she is in healthcare and she said a lot of things she deals with on the incident response in the breach side is that this overconfidence or abundance sometimes of tools and that, well, I've got a lot of tools, I'm safe, I'm great. And then you look can see okay, well I had the lock on the door, I had the chain, I had the dog ready to go, but someone knocked and I opened up everything and let 'em right in. Mm-hmm. So tying it to a fish, it's like, it's great the tools, but if people don't know what they're doing exactly or they're training education, they're the, a much better defense to have first and the process it so, again, I like this. It's not rehearsed now, this is just organic, but everything you're saying is what we believe in heavily and try to push a lot.
Chetrice Romero (11:15):
Yeah, and I use the door lock all the time. Maybe they're a medium sized business. They do have an IT division. Right? Sure. Maybe not to the scope of a security person, but, mm-hmm, they have somebody who's, that's their job. And I always say, it's like when you go into business and into a division and the maintenance person gives him the key to the door of the business. Yeah. Whose job is it to keep that door open and closed? It's not the maintenance guy. He's enabling that, right? Yep. He's providing the resources for it, which is what IT does. Mm-hmm. But at the end of the day, the management has to make sure that they know and that their employees know to keep the door locked. Right? Right. Yep. So cybersecurity is just like that. You know, IT people, they enable and they're supporters of divisions, but they are most certainly in no way in charge of doing all cyber for an organization. It's absolutely something that everybody's in charge of. Yeah. And I think the more that we like shift that culture in organizations, the more that people will take it on as a, hey, let me think about this for two seconds, and how significantly effective that can be is powerful. Yeah.
Aaron Pritz (12:15):
You mentioned to me earlier that the Indiana Executive Council on cyber is not made up of all technical and IT people, so, right, how have you used your comms and PR background to help educate to the point you just made on, it doesn't have to be all technical, like how are you opening up minds? And obviously some of it's with the toolkits that you're providing, right. But even in that forum of 250 people that are part of
Chetrice Romero (12:36):
it. Yeah, I know. It's a crazy amount of people. People are like, I think it's the largest government council from my understanding in like the date, and I wasn't trying to like beat anybody's records, so I'm sorry about the second, and that has the largest, I wasn't trying to beat you, but I felt like if we were going to truly approach the people and organizational issue, we needed to have representation from the experts in those fields. For example, we're talking about cyber insurance. I have a legal and insurance committee. Well, I don't have IT people, now, people that I have legal people who work with it, people in the cyber insurance world who litigate on, on issues on cyber, but so they have awareness of it, but really they're like, their day-to-day is the insurance, or to your point, the response. Right? Yeah. Having an IT person, like I always say, you don't go to your CIO and write the press release, right? You have a communications person do that because talk to the IT person and then they are the ones that know how to communicate something to vast amount of people. Mm-hmm. Because sometimes, IT people are not the best communicators. And that's okay. Cuz that is not, I've never heard that before. That is not the, I know, I know. It's a surprise to me too.
So I, I felt like the way I established the council was that we needed the, not just the breadth of expertise. Mm-hmm. But we needed the depth within those areas, whether it was response, recovery, risk management, and so those areas. And then within the industries, I as a state person should not be at all dictating what finance should be doing or energy should be doing. Yeah. It should be that sector and the leaders in that sector that are taught saying these are the things we need. Mm-hmm. Um, these are resources would be useful cuz they are the experts in their field. So I really rely on empowering all the council members and they're all also not just central Indiana. They are all from all over the states, some national to represent it because I wanted the diversity of our regions. Yeah. Our regions work differently sometimes, but they bring so much to, to the table. And then we also have diversity of sizes, so I didn't want a large energy company leading the energy thing. Well that's great, but how about the small energy company that really is struggling with this or the medium size? So throwing a lot of diversity and everybody's welcome to the party makes it a really fun thing to manage because it's just me doing the whole thing, with a communications manager who takes care of the website and, and probably helps keep me sane along with my husband. But I think it's really the passion of everybody on the council. That's my, my favorite thing on there. Does
Aaron Pritz (15:01):
everyone, that's a big group, does everyone ever get together physically or. Yeah.
Chetrice Romero (15:05):
Once Covid, yeah. Yeah. We actually, we were very excited when we got back from Covid, because you heard the stories of these councils and commissions that, they came back and people just reprioritized. Right. So, yeah. They reprioritized. So I'm like, oh my gosh, no one's gonna come. They're all gonna be like, okay, we're still dealing with Covid. I don't have time for this. And we had, almost every day, like it was a huge full house. It was standing room. It was awesome. So it just shows to the importance of this for people even, I think even more so after Covid. Yeah. Because I think we just really realized how much connected. More connected, right? Everybody started working from home. Yeah. Everybody was using Teams. Right? I don't think I ever used Teams before Covid. Um, so I think that also made the cybersecurity a bit more of a priority for the state.
And we have a lot of agencies doing really great work. We have our office technology who's doing a lot of good work in local government. Our Homeland Security is providing a lot of great resources to emergency managers throughout the state. We have some great agencies involved. And then of course the governor's office and Lieutenant Governor's office has been very supportive from that perspective. But we have Secretary of State's office involved and the Attorney General's office involved, and I love that Treasurer's office. I love that. It's mixed, and it's not just one politician, it's really the leadership of the state coming together saying, all right, despite everything else might be going on in the news, yeah, we're gonna come together on this one thing cuz we can all agree we need to do better in this area, which I get to have the pleasure of leading. So yeah, that's really
Aaron Pritz (16:25):
cool. What is on the forefront of the committee's priorities? What are you guys working on now? What's coming out
Chetrice Romero (16:30):
next? Yeah, I mean, I think we're really to the point of, we built a foundation. Yep. Of having the website, in.gov/cybersecurity. But really I think it's just getting the word out about the tools is kind of the biggest thing right now. Yeah. It was the number one thing when we talked to our council. We do pull them all together quarterly. Number one thing that was brought up was we need to better about the awareness of these tools and what we're doing at the state. Yep. From like the local government side with office technology, which they're doing a great job of getting the word out. But I think for me personally, it's really about getting to those mom and pop shops. Yeah. Because we have so much now to give, you know, a few years ago I've been like, no, don't look over here. We're not ready. But I think now we're at a point where like, how can we make sure this is getting out to the right people?
Because it's scary. I mean, businesses go out of business because of ransomware attacks. Yeah. Right. I mean, it's an un, it's unnecessary stress when there's things we can do to prevent it. Yeah. And so I just wanna help that everyday person that like, isn't there. And then there's also information in there for individuals. So I think, people just, we're in an age, a very different age of technology and privacy, and so how do we respond to that as just individuals and humans, right? Yeah. So I like to kind of focus on that as the leader of this, instead of just saying, well, everybody should just be doing this and this is how we should do it all. And I'm like, well, but humans are different and they come from different backgrounds. So how can we communicate it to them? Yeah. So that they're successful with it. So,
Cody Rivers (17:53):
And the how is often the big question, right? I know I need this, right? I think that with the fearmongering, people know there's a need for it. It's like, but how do I go about it? How's the most efficient way? Cause it costs money and yeah, it costs money to go down the wrong hallway. And so the finding those areas too. But I like how you said too, the small business mom and pop shops, because as you know, the, the larger companies, finance, healthcare, they're regulated. They know they're good about these things here. They're, but what you're finding out is the bad actors know that too. So, oh, right. What happens is third party risk, supplier chain, you know, a risk, another sale. I can go to a smaller one because I know they're a pivot point into a larger one. So you're seeing now from a vendor management program, they're saying, hey, look, we're going to require you to have these things be compliant because you are a back door into our system. And so I like that. Yes. These small companies, and we have kind of a budding practice now with some of these smaller firms. And we have a local healthcare SaaS firm that came to us from a standpoint of, their larger firms will come to them saying, we need you to be this compliant with these different pieces here. And so we've helped them identify the most efficient path to get that, mm-hmm, taken care of. Cause they're like, we don't know where to start. Yeah.
Chetrice Romero (18:51):
And the bad actors are, they, there's a business in this. I mean, they have call centers, they ransomware organizations and they're like, hey, here's three references so that you can check to make sure that they did pay and they got it back. Yes. It is a true business model. So like any other business, they're doing exactly what we all do, right? Yeah. Like they go by best practices, which to your point is like, why would I go spend all my time and effort into a fortress like Chase Bank, where I could just go into these small banks? Bam. That's that I, we know for a fact that they're not putting money into cyber training, or they're not putting money into making sure and emphasizing with all their employees to lock those doors and stuff. Right. You're absolutely right. And they get those small ones with just a click. You know, the effort to get them is so much smaller from that perspective.
I would say a good way to start for anybody out there though, is go to the website. I would even say if you're like, I don't even know where to start on the website, go and subscribe to the blog. We have a very easygoing blog. But yeah, I mean, we do things on there that makes it relative to cyber, right? So like it's national chocolate day. Well, how do you relate cyber to that? Well, in true story, like I got a call at 7:30 in the morning from American Express saying, hey, are you trying to buy like hundreds of dollars of chocolate at this place we've never seen you at? And I'm like, nope. But, so like the blogs about, hey, it can happen to me, it can happen to you, but make sure you have these things in place to protect yourself. Yeah. Right. In your family and your finances. Or take a picture. Well, we just had national pet day, right? So we've done things on that where it's, hey, take a picture of your pet. Yeah. We're not saying not to do it, but don't do it on top of a bunch of documents. It has passwords on it. So again, people don't like maliciously do it. Yeah. They just don't connect those dots and you're like, oh. And you just doing that. You just removing the paper that has confidential information on it. Yeah. And take the commissioner, the pet has made you more secure. Yes. So that's kind of the point where it's like small moves, big impact. Yeah. Is what we're kind of going for.
Cody Rivers (20:40):
I like too how like you correlate some of the training to like the real world. And one thing we see with some clients, and we do a lot of awareness program building, but we've seen, with the evolution of training, it's out there now. It's more than it used to be. Mm-hmm. But it's trying to tie those themes together and put them in order and correlate it to real world action. So, and the programs we're building with, to your point, it's like, why'd I get this training, makes sense and I read it, but how does it affect me in the business, in my department. Exactly. At home with grandma, with the kids. And so trying to get that same training and then apply it and correlate it to real life action, I think is helps to stick
Chetrice Romero (21:11):
a little more. It does. I agree. I mean, people paying attention to having a baby and getting a baby monitor, you're like, so we have a blog on that. We're like, hey, that's great. And look, I loved watching my baby. Like it felt weird after a while, right? Like I would just sit there and watch him breathe. But like at the same time, I'm like, make sure you change your password. Don't use the default password. Oh yeah, I didn't realize, yeah, I should need to change that. But then you're at work and you're putting in a smart thermometer. Make sure you change your default password. Boom. You know the big Target hack that happened so many years ago that they got crucified for, right? Yeah. It didn't happen because of a Target employee. It happened through HVAC. Yeah. So people don't realize, like the worst ones that we've seen was something simple like, mm-hmm, making sure things weren't connected, right. And so that's what we're looking for is just that huge impact on those situations. Yeah.
Cody Rivers (21:55):
We do a lot of threat intel things for some healthcare clients. Yeah. And we do a brief on each meeting and we show, hey, this is the recent ones in the area relative to you and size. Exactly. And the point of entry is for most part it's associate left, email wasn't generated. Exactly. We found a phish, old web server. So the points of entry are oftentimes ones that like process procedures, mm-hmm, and training can cover. So you're seeing a massive reduction in, your thing earlier that the tools are great. But the people in the process are gonna empower the tool and determine
Chetrice Romero (22:21):
exactly the success of that tool. Yeah. I always tell people, you can have the best tech in the world. If you don't train your people, you're still gonna get hacked. Yeah. It's just, that's what's gonna happen. They're counting on that, that you're not focusing on the people. And that's what bad actors are counting on. So if I own
Aaron Pritz (22:33):
a cupcake shop and I'm going on to, I, in.gov/cybersecurity. Mm-hmm. Aaron's cupcakes. Um, and is anybody else getting
Chetrice Romero (22:39):
hungry?
I don't.
Now I want cupcakes.
I always say that, and then atthe end of it I'm like, I need a
cupcake now.
Aaron Pritz (22:44):
Yeah. So would the scorecard be a good place to start? To evaluate, okay, what do I have, what do I not have? What is my IT outsource provider telling me is good enough versus what, absolutely, for a business my size I should
Chetrice Romero (22:57):
be thinking about. Yeah, I think the scorecard is a perfect step for that. Again, super simple, very basic. I've been giving that to small organizations. Small departments. A local government, not even just the IT person and it fits, it talks through the key, basically top 20 controls of what's best practices are. So I think that's always a good start. And it gives you a color reading, right? Add up your points and see where you're at. And if you're in red, you should probably talk to somebody about it. Right. I love that. Do a deeper assessment. Is it like the icing
Aaron Pritz (23:24):
on the cake?
Chetrice Romero (23:24):
Jesus
Sprinkles.
Cody Rivers (23:28):
I love assess
yourself before
Chetrice Romero (23:30):
you reconcile. I know, right? I really wish I could be that on the website. Slow. I've missed opportunity. I know. That is great. But at least everybody who goes there will think that when they're looking for the assessor stuff. By, there you go. Yeah, right on the top page. Awesome. Good.
Aaron Pritz (23:42):
Well, thanks for joining the show. It's great to have you on and learn more about what you're doing for the state and how you've leveraged your background in comms and PR to really use those core skill sets to advocate to others. And super excited to go out and check. I think I've seen some of the items, but I know I learned even on in this talk several things that I didn't even know that you guys had done. So I'm excited to go check it out and potentially use it for our cohort of small businesses.
Chetrice Romero (24:09):
Yeah.
I'm more than happy to comevisit them too.
I would
Aaron Pritz (24:11):
love to.
Speaker will sign you up.
Chetrice Romero (24:13):
Awesome.
Yeah, I know I say yes toeverything.
Good to
Aaron Pritz (24:16):
know. All right, well thanks so much for your time and have a great rest of the day. Awesome. Thank you guys. Thanks Chetrice. Bye.