Alex and Amy chat with Mike Watson, chief information security officer for the Commonwealth of Virginia all about his background, the whole-of-state approach to cybersecurity, predicting costs for cyber incidents, baking cybersecurity into the procurement process, how VA is handling the State and Local Cybersecurity Grant program and the new technology that is his biggest cybersecurity concern these days.
Alex and Amy chat with Mike Watson, chief information security officer for the Commonwealth of Virginia all about his background, the whole-of-state approach to cybersecurity, predicting costs for cyber incidents, baking cybersecurity into the procurement process, how VA is handling the State and Local Cybersecurity Grant program and the new technology that is his biggest cybersecurity concern these days.
Episode 90 -- Mike Watson
SUMMARY KEYWORDS
state, cybersecurity, technology, security, people, CISO, Virginia, kids, standards, questions, work, organization, citizens
SPEAKERS
Alex Whitaker, Amy Glasscock, Mike Watson
Amy Glasscock 00:05
Hi, and welcome to NASCIO Voices where we talk all things state IT. I'm Amy Glasscock, in Lexington, Kentucky.
Alex Whitaker 00:11
And I'm Alex Whitaker in Washington, DC. Today we're talking with the current longest serving state chief information security officer, Mike Watson from the Commonwealth of Virginia.
Amy Glasscock 00:21
We'll find out how he got there, what he's working on, and his thoughts on the state and local cybersecurity grant program. Mike, welcome to NASCIO voices. And thanks so much for joining us today.
Mike Watson 00:30
Thank you so much for having me.
Alex Whitaker 00:32
Well, Mike, before we get into your work, can you tell our listeners briefly about your background and how you ended up in your current role as the CISO for the Commonwealth of Virginia?
Mike Watson 00:40
Sure thing I, you know, it's funny, you never, you never necessarily start out knowing exactly where you're going. But you're, you're always GLAD where you end up. That was the case. For me my background, I've always been a technology geek from childhood. And you know, I started a little bit on working at a university a while back. And, you know, we were looking into a few things and trying to figure out what was going on with some of our equipment. And I kind of caught the security bug there. As I was trying to chase the person that was trying to mess with their stuff and keep them out of our environment. And I went and learned a little bit more over time and said, hey, you know, this is this is something that I'm really passionate about. I like a lot, I enjoy the technical challenge attached to you know, all sorts of the new and exciting that kind of comes up. I've been working in the state and once I saw an actual job opening at the state for specific cybersecurity role, I transferred there and haven't looked back, I've been working at the central IT agency for a really long time and now longer longer than I think I realized. And then, you know, kind of progressed with the development of security over time. And eventually, I was fortunate enough to be named the CISO for the state where we've been trying to keep ahead of the bad guys ever since.
Alex Whitaker 01:56
Awesome. Well, as a current resident of the Commonwealth, I especially want to thank you, I often use your state services, and I appreciate the work that you do.
Mike Watson 02:03
W're glad to have you as a citizen.
Alex Whitaker 02:07
So you've been in your role for over 11 years now, which makes you I believe, the longest serving current CISO, when you started in 2011, though not every state had a CISO, what are some of the biggest changes that you've seen in the last 11 years?
Mike Watson 02:21
So I will say that I think one of the unique scenarios that I've been in, and that, you know, sort of my generation of folks has been as we've gotten to see, you know, technology sort of progressed overall and security, as developing as a component of, you know, the way that the technology has sort of grown and expanded. You're right, you know, not every state in the beginning even had a CISO, let alone had a, you know, functioning, you know, capable security program. And all of us all of the different states and government and us as citizens have gotten way smarter over the last, you know, umpteen years trying to get a handle on what is it that we care about? What is it that we need to protect, how is it that all of the information and data and technology that we've got out there can be used to cause problems we've seen. I'll say, going from the sort of technology geeky level counterparts on the bad guy side, right? The the people, the kids, the adults, the criminals, all that live in the basements or in the shadows, has sort of changed from those this concept of these one off super user really intelligent folks to commoditized criminal businesses, and technology that allows folks to sort of easily exploit in its citizens and other folks in the country. It's been an interesting sort of change in development over time, we are obviously doing our best to keep up with all of the challenges, but just like technology has progressed pretty rapidly. We've seen the cybersecurity platform and sort of, you know, threat actors change pretty rapidly to and I think that will continue as we get into, we're already looking at the whole new data science stuff. And the chat GPT stuff is a new vector. It'll be interesting to kind of see where that goes next. Yeah,
Amy Glasscock 04:08
awesome. Yeah, that will be really interesting. We've started to talk about that around the world of NASCIO as well. So Mike, one of the several things that you focused on during your time is really embracing the whole of state approach to cybersecurity, talk about that work and the importance of having strong relationships with other entities in the state.
Mike Watson 04:27
Yeah, so one of the things I think that's really great about the way that cybersecurity works is it scales really well meaning that like you can have a strong central cyber point and leverage that across many different areas within an organization or even you know, anywhere we have, you know, the the federal government, the National Institute for Science and Technology, the NIST standards and work that has come out of that organization has done a really, you know, significant amount to sort of progress cyber security setting standards, we've got our folks, you know, NASCIO, we've got our folks at MS-ISAC and center for security, all of those people are doing a really good job of bringing forth standards and, you know, objectives for us to work towards, that are going to protect us overall. And because those sort of standards and structure in place, once you stand it up somewhere, it makes it really easy to sort of embrace that in other locations. And that's what is really wonderful about the kind of whole of state approach, you know how it is you can only you can only take on so much I think if we were in an ideal world, we'd have, you know, a whole-of-nation approach to cybersecurity. But that's, that's a lot, that's a whole lot to ask, right. Getting everybody in the same direction is a really hard thing to do. But I do think at the state level, that's actually possible, we've got, you know, the right influences in the right communication and the right stakeholders identified. Now, it's just a matter of pulling together, you know, with all the folks and saying, "Alright, here are the 15 things that we're going to start with. And we're going to make sure that we're doing these really well within the organization and across the state." And then we just take one step at a time, and we work towards going you know, further and further with that, increasing our capabilities a little bit more every day. And all of that has to be based on us working together, we have to have good strong relationships with our, with our locals, we have to have, you know, good, strong relationships with all of our legislators and our government leaders, and making sure that everybody understands what the goal is what it is that we're trying to accomplish without getting too geeky about it, right, because everybody's eyes glaze over if we go too long. It's the only real way for us to get our arms around the whole scenario, if we try to do this that many millions of different times and very small microcosms it's going to be very expensive and also very difficult to implement. And there just aren't enough people and resources and everything out there to make that work the way that we need it to, to protect our organizations.
Amy Glasscock 06:58
Yeah, it makes so much sense. And it's great that you guys are able to kind of be a leader on that as well. So I understand that you are responsible for directing the cybersecurity strategy for 65 state agencies. And before you implemented the quantitative risk analysis project, your team was struggling to project costs for a potential cyber incident. So can you give us a brief overview of that project and how it works?
Mike Watson 07:23
Sure thing, so we, just like any other organization, are trying to make sure that our stakeholders and leaders understand why is it that we need our cyber programs? What is it that we're actually trying to protect? And, of course, you know, we structure very much around, you know, what's the actual cost and overall impact to us? I think, you know, in government, it's really interesting, we have a little bit of a weird model, right, we have both what the cost of something is, as well, as, you know, sort of what the, the impact to the function of society is. The example that I, I always give is to say, elections is not a large cost for cybersecurity records and stuff. But if something happens to it, great, you have a pretty significant amount of investment that's necessary in order to recover, we're not going to, you know, have most of the stuff that we have on the on the election side, it's all public information or information that that folks, you know, aren't necessarily trying to keep super confidential. But if the citizens understand that there's an impact to that organization, it's a big deal to all of us for good reason. So we're looking for ways to figure out how do we quantify that? How do we explain to our stakeholders, and are our leaders that, hey, we need to be able to protect these particular systems. And these environments are these projects, efforts data, to make sure that we're not going to, you know, run into a problem where either we lose a lot of funds a lot of money that belongs to our taxpayers, and it comes from our taxpayers, or that we run into a large issue that loses faith in, you know, the general public so that government can function. So between those two things, we were looking for mechanisms to try to figure out how to quantify that it helped a lot in a number of different areas, and some of which we weren't even necessarily prepared for. One is that conversation about those assets that aren't necessarily large scale expensive, gave us understanding as to say, you know, why is it that we have to invest so much in this? What are our targets? What is the impact in the case that we don't invest our either cybersecurity tools or are upfront project costs to build the security piece in, you know, right away, especially if you're on a budget, right? What is it that what is it that means for us? The other part is it actually helped us a lot with our cyber insurance and liability conversations that we have, were able to understand and say, Okay, if we're gonna go out and purchase or procure a new piece of software or a new service, we know exactly how much it is that we want to make sure that we've got coverage for and usually we help the issue that we're working with to say, hey, look, we're gonna give you a whole bunch of our data. And because you're going to hold our data, we want you to make sure that you have insurance to cover response in the case that something goes wrong, we get that you're running applications yourselves. It's not something that you know, Virginia may be running directly with all the, the software as a service stuff that's out there. But in the case that you are going to, you know, hold our data and you need to respond, you're going to make sure that you've got the right coverage to make that happen and protect our citizen information, and make sure that no one's stuck holding the bag for dollars, that we're not trying to figure out ways to, you know, reduce our investigation costs. So that was kind of a nice ability, as well as to make sure that we had appropriate coverage there. And we have a real clear line with our liability and our cost to make sure that we're being as efficient with our citizen funds as possible.
Alex Whitaker 10:49
Yeah, so that's, that's really fascinating. And you had mentioned procurement and kind of on a related to note to what we're talking about now. So how do you all work to ensure that cybersecurity is baked into the procurement agreements that you signed?
Mike Watson 11:02
Yeah, so this is actually one of the significant most significant approaches that we've got within Virginia, right. So Virginia is a heavy IT outsourced state, meaning that all of our you know, what you would probably classify today is kind of platform as a service functions, is outsourced to third party, it's the basic, like run our servers, and we just, you know, install applications on it as close to like, pre cloud cloud stuff as that that we could probably describe, meaning that, you know, we didn't before the AWSs and Azures and all those existed, we had sort of a supplier that came in and ran it just like that, where there was a platform, that agencies could say, hey, I want a server and we'd give them a server, they don't have to worry about network, they'd have to worry about any rest that stuff. What that means for us is that we have a lot of different people that are working in our organization in our structure, for running IT services. And that also means that we have to be real careful about how we bake and put our procurement requirements together for liability and transfer of security controls. So we do all of the different pieces, we have a standard set of requirements that we have, for an organization to follow along with a compliance check that goes along with it, we very much leverage the sock two type two audits that are out there. We also have, you know, requirements for penetration tests and a few other types of documents that we that we take for assurance that their cybersecurity programs are running correctly, we also have them work with making sure that our our standards and requirements are met. And if for whatever reason, they can't meet the Commonwealth standards, which in our case are very heavily misaligned. We did that intentionally because of our proximity to DC, as well as they're just good standards, they, you know, they kind of cover the gamut of most cybersecurity stuff. We require those those things to be sort of baked into our procurement agreements, it makes it significantly easier, you know, to sort of draw your lines. And then the third part that we have is the liability insurance, as I mentioned before, just in case something goes wrong, that there's some mechanism to to cover them in the case that there is a breach or there is, you know, an issue, we've got a way to respond. They've got a way to respond without, you know, going bankrupt in the case that it's, you know, going to impact the Commonwealth at all. Yeah,
Alex Whitaker 13:26
yeah. No, that's that's also again, very fascinating. So if we can switch gears for just a moment, but still say this in the same ballpark of cybersecurity. I'm wondering if you can tell us about how Virginia is proceeding with the state and local cybersecurity grant that was included as part of the infrastructure bill.
Mike Watson 13:42
I think this is a great bill like this, this particular effort, I think is a wonderful way to sort of start that cybersecurity conversation. So let me start with that I was super excited when we started hearing and I was glad that our our partners over at NASCIO were doing such a great job of making sure that we were a informed and be getting, you know, messages and understanding where some of the gotchas and pitfalls were going to be with a complex, you know, scenario that all of us states sort of present. We are in Virginia, working really closely with a number of our locals and putting our plan together like a lot of other states, we're saying, hey, you know, here's what this looks like, here's what it is, what our priorities are for investment. And, you know, Virginia has got a sort of an interesting layout for us for state area, right? We've got our Northern Virginia folks who are obviously very serious about cyber have to deal with it a lot with their federal interactions, you know, dealing with a lot of those, those components. We've got some of our more rural areas in the south and southwest, which you know, struggle with getting expertise and other folks out there. We have a wonderful group of folks that work really hard out there and do a good job of, you know, keeping things running and moving. But they also you know, it can be challenging in some of those areas, getting the right expertise and availability in there. And then you've got, you know, our central folks that are closer to Richmond. And I'll say Eastern folks, which are closer to the Virginia Beach and Norfolk areas. So you know, you've got the gamut of different types of expertise capabilities and tax bases that are going to support the cybersecurity program. So this particular effort is doing a really great job of sort of leveling the playing field. For folks, those, we are very focused on those areas that are trying to catch up and be at that sort of baseline level. We have set and are working to set in our cybersecurity plan, what our major objectives are the things that we, we say, hey, look, this must be, you know, the base set of components, we are working and leveraging, again, existing standards, we're looking to start with those top critical controls coming from the CIS security group, we think that those are kind of a good place for us to start. And we've structured a lot of our objectives around those, our plan we're figuring is going to be submitted to the federal folks sometime in the spring, we're figuring probably April, May ish, and then we would be able to start handing out the grant funds. Once that plan is approved. The interaction with the locals has been fantastic. They're all wonderful folks, they brought all sorts of interesting, you know, scenarios to us, as well as are doing their best to try to figure out ways that they can best interact with us to sort of take advantage of the grants, and we're doing everything we can to support them as well. But it's it's really been a really good experience. And if nothing else, it's driven a lot of initial communication, and conversation where there wasn't one focus before. So I've met a wonderful, lots of new people that are that are really great. And I'm looking forward to continuing down the path as we get a little further along with the final submission of the plan.
Alex Whitaker 16:45
Yeah, no, well, it sounds like you all are doing everything you can do to make it successful. So that's great to hear. As an aside, you know, I had written in that I may have a quick follow up, but I don't think I do that was really kind of a perfect answer.
Mike Watson 16:59
I aim to please.
Alex Whitaker 17:00
Yeah, no, it was great. It was great. So in your view, from conversation with your peers, what do you think of the top one to two issues that state CISOs are concerned about in 2023?
Mike Watson 17:08
So, you know, it's funny, if you had asked me, like, you know, maybe in the second half of 2022, before the November timeframe would probably say, oh, you know, it's the it's the ransomware is it's the, you know, the the general stuff that we've been talking about for a while, I think the next thing that we're starting to get to is the data analysis, you know, kind of scary components that we've seen as far as like what that's going to do to change the threat posture and the security posture for, for us as government entities, right? You know, I'm sure you guys have been paying attention to all the chat GBT and those sorts of, you know, new bot style things that are coming out. What's fascinating to me is we don't necessarily know where that's going in the security realm yet. But we know it's coming somewhere. We're waiting for level of creativity, we already know. So one of the examples that we started talking about, you know, internally is to say, hey, you know, how can they use this tool? And we're coming to brainstorm and think about things and like, hey, we can people no longer those phishing tags that we used to tell people, like, look for misspellings look for, you know, issues, that's not something that's going to be as easy to find anymore, right? If somebody can go in there and say, Hey, write me a phishing email that looks like this is going to be good grammar, it's going to be good spelling, you know, we're in a different different style position. So yeah, I think, you know, if there's anything that's that's sort of popped the top of the list that in the way that it's going to be used against us, as well as the way it will be used internally. You know, one of the things that we don't have a lot of at the moment, are security tools that work really well or can be sort of integrated into the data modeling and data sciences structure. You know, I know I don't envy the chief privacy officer folks at the moment, because they're, they're probably tearing their hair out, trying to figure out how to make sure that we maintain privacy attached to this. to certain extent, we're in the same boat of trying to figure out how we maintain operational security, meaning that we don't sort of ingests the wrong information, or unintentionally give away details about the environment that we normally wouldn't, you know, make available to the general public, or that wouldn't that could be potentially inferred based off of information. An example I give is, you know, we protect Social Security numbers. What happens if the, the machine itself can actually generate the social security numbers not from one record, but from putting together multiple, right so in Virginia, for example, the wall is that you redact you know, a certain number of digits of your social security number, your driver's license number, it's considered okay, right? Well, if you can all of a sudden get like four different pieces of your social security number from different locations and pull them together. You may then all of a sudden have a single security number or a single driver's license number, and that's a problem for us and we don't necessarily have a way to stop that or figure that out. Currently, you With as long as you know, without trying to make sure that we don't just give any parts of that data up, which obviously hinders the point of the tools. So we've got a lot of questions there and trying to figure out how to handle it. So that's a, that's a, that's probably where my my biggest fear is at the moment. You know, I always have the ones that keep everybody up at night, right? The regular security incidents, the ransomware is the things that would cause us a lot of pain, and discomfort. But I know what to do about those right, if something happens, I know how to handle it. What makes me a little bit nervous is that these this data stuff, we don't necessarily have a way to handle it quite yet. So it's gonna be interesting, I'm sure will people come up with creative security solutions, just like they've come up with creative applications of the, the technology so far, I'm very interested in and, you know, along for the ride here.
Amy Glasscock 20:50
So interesting. I feel like we could have an entire podcast just about these advanced bots, you know, and it's still so new, that I think a lot of people are still kind of enamored with it, you know, and playing around with it, and seeing what it can do for them. And it can make some things easier and more efficient. But to your point there are a lot of things we need to be concerned about as well. And that state government folks should be aware of. So yeah, appreciate your perspective.
Mike Watson 21:20
I love talking like talking to my, my, my kids are always my litmus test for whatever's going on. Right. So, you know, I, I've been trying to educate them and talk to them a little bit about it, because I'm a big believer in saying, like, know, what's out there know what, how to use a tool, and when it's not appropriate to use a tool? Yeah, right. So even just having the communication, I know, it's made a lot of headlines in the education space to people, you know, leveraging it for maybe more nefarious purposes in that in that sense. But like talking to them about how it can, how it can work for them and where it's appropriate. So we talked a little bit about my daughter's taking AP US History, right? So I said, Look, I said you know, you like you love to sit here with your dad, and I asked you all the questions and put it in the machine. It'll pop out some questions for you. You can ask about, you know, what the US History things that are but I said, but look, when you look at this, remember, sometimes it's wrong. Yeah. So you need to make sure that you know that that answer is correct. And if you're not sure, or you don't understand, do your reinforcement learning go out and look and make sure that that's, you know, actually what, you know, what you what it should be saying, so that you're not getting the wrong type of information. So the whole thing to me is just, it is fascinating. You're right, I'm sorry, I was going off a little bit of a tangent, I could go for another hour. That stuff.
Alex Whitaker 22:34
I love it when a NASCIO podcast starts with technology and becomes a parenting podcast. So no worries. It's it's all the way that we relate to our kids and others, right? It's yeah, it's kind of how we navigate our way through life.
Amy Glasscock 22:49
Yeah, yeah, it seems useful for situations like, you know, let's say you write you write the paper, and then you kind of ask questions of chat GPT and see what you've left out that then you can go research and and you know, so things like that. Yeah, it's a whole new world.
Mike Watson 23:03
I know, I know, people are using it to write emails and things like that, which are great. Like, if I if I could, if I could cut down the number of, of emails that I've got to write a day, that would be awesome. But you imagine what types of information they're providing in there. Yes, things that get weird about what about procurements, right, that maybe in the past would be considered or not in the past, but are considered, you know, under wraps up to a certain point, right? When you're doing the procurement process, you may not be releasing all the information right away, that all of a sudden, you've got these little bleed outs by that by themselves aren't a big deal. But when you combine them, you can get a really interesting picture about what's going on. And that's sort of the purpose of the software, right, is to figure out when you combine it all together, what is it that you see, you know, and we are we as humans are really bad at that. So taking a system that's really good at it, we are having a very difficult time predicting what those outcomes are going to be the insecurity space, especially that's that, you know, we're super excited for the machine learning and AI capabilities that things like chat bots, you know how awesome it would be just the walk wake up in the morning, it type in the thing to say, Hey, do we have any incidents last night? And it spit back? You know, whole list of things that I've got to worry about? That will be fantastic. I know we're a little ways away, but it's probably not that far off, right? I mean, right now, you figure if you've got such a complex model that's working now it can't be that different.
Amy Glasscock 24:24
Right? Yeah. Yeah. All right. Well, we've come to the end of the main questions in our interview, but we aren't done just yet. As our listeners are well aware, we always like to take a moment to talk about our lives outside of work more than we already have. In a segment we call the lightning round. Are you ready?
Mike Watson 24:46
Always. Yes.
Amy Glasscock 24:47
Okay. All right. First question. What do you like to do outside of work?
Mike Watson 24:53
So, I am a parent of three kids. So my life generally revolves around watching sports games, taking them to different appointments for hanging out with them in some form or fashion. But beyond that, I am still a huge tech geek as much as I do a lot of stuff at work, I love tinkering with the things at home, I'm fortunate enough to also you know, be be able to like sort of make my way around to different locations. So I'll be while my kids are doing their swim meet, thing, I'll be outside sitting in the chair, watching them swim and looking up and reading about Chat GPT or something else at the same time. So I try to combine as much as I possibly can together. I also, you know, like to go up in a while at this point, but I like to go ski and do things outside as much as I can. You know, I just I generally, a lot of times to try to keep up with the kid that kiddos is what takes up a good portion of my time. At the moment, though.
Amy Glasscock 25:44
Absolutely. And you're the go to person in your family to fix everyone's phone problems and computer problems.
Mike Watson 25:51
I laugh at my kids. So I will say the thing that I thought was, was interesting for, you know, folks might with my kids age, and my I said our generation of, you know, people is that we're sort of trying to do that marry together with the technology into something that's, you know, not overly burdensome, but also at the same time, like, realistic. So, you know, when when I do get the questions from the kids all the time about how does this work? Or why is this worker, you know, and I tell them, you know, whatever it is that you're putting in there, you have to consider going to be you know, public information. And I said no, to that end, I am going to watch whatever it is that you do. So whatever you put into your phone, whatever you put into your computer, assume I can see it. Because you know, I have no problem with my kids having privacy. And I want them to be able to do that. But I also need them to know that somebody else always sees whatever they put into the magic box, right? And you're trying to teach them to understand those and have them understand those lessons is like encryptions, great, all of the technology capabilities that we have are great, but if I've known anything from the security realm is that somebody's going to make his mistake somewhere and whatever you typed in there is likely going to be available to someone to see. So if you really don't want him to see it, don't put it in there. And generally, when we were growing up, right, it was the don't do anything you don't want published on the front page of the newspaper. Yeah. Nowadays, it's, you know, don't do anything you don't want published on the internet. So, you know, we try to keep those lessons there. So yes, it's to the point of do a lot of technology work for the kids try to do lots of education and teaching them on how all this stuff works. It does always come down to though Hey, Dad, the Xbox doesn't work or Hey, Dad. Can't get away from the basic tech support either.
Alex Whitaker 27:36
Absolutely. Yeah, that's funny. My kids are three and one. So right now tech support is just putting in new batteries. I might be there one day, doesn't say enjoy it while it lasts. Yes.
Amy Glasscock 27:46
Do you feel like we should have Mike back on to do a podcast about how to talk to our kids about technology?
Alex Whitaker 27:51
Oh, yeah. That's a good idea. Maybe we should do that. Yeah. Yeah. So speaking of kids, and growing up when you were a kid, what did you want to be when you grew up?
Mike Watson 28:03
Oh, I totally knew I was gonna be a tech something when I grew up, right. You know, I you know, I'm a kid grew up in the 90s, like, early 90s, and stuff with the all the new computers and technology. And I was like, I was hooked. In the first time I saw like the blinky little cursor on the screen. You know, I thought all this stuff was fascinating. A lot of the stuff I was self taught trying to figure out how computers work, taking them apart, putting them together, you know, and just like anything else, I was driven by self preservation. I come from a family of teachers, right, my my parents were teachers my aunts and uncles were teachers. A lot of folks were doing that public service thing, right. So it was a big deal when we got a computer the first time in our household. And it was one of the like, you know, the old MS DOS, like black screen types of things where you had to have, you know, a manual that was like 60 pages long in order just to get a word processor, right? Yeah. So, of course, me being the kid, I was like, Look, let me I want to try to figure out how this works. I start and then break it, right. So I knew I had basically like, a day before my parents were going to come and use that thing. And if it wasn't working again, I was in trouble. I learned so much from just the fact that I broke it that I was like, I got overly confident and then you know, eventually was like, oh, you know I can it's okay, I can figure out how to fix this hardware stuff if I fix the software stuff. And that's kind of snowballed into eventually actually know what I was doing. It definitely took a little while, though, and lots of trial and error and lots of weekends in trouble. But it was really crazy experience. And I learned a lot from it. So yeah, so that I mean, I knew go early on. I definitely wanted to do it. I was very fortunate that I had just a few folks that really knew something about the computer stuff growing up. One of my uncle's who actually wasn't a teacher who worked in a company, a small company happened to know a whole bunch of electronics and about computers. So he taught me a ton. And we had a couple other random people, friends, parents that knew stuff. And it was it was fascinating at the time. I enjoyed you know everything about it. I still do. I get tired a little bit more easily now, but that's about it depends on that. I'm sure.
Amy Glasscock 30:08
Okay, and then final lightning round question. Where's your favorite spot in Virginia to spend a weekend away from your home?
Mike Watson 30:14
Oh, man, that's a good question. Um, so I like the family, you know, outings and stuff at the moment. And we probably go most to like Busch Gardens out in Williamsburg. Just because the Williamsburg area is kind of nice and the rollercoasters and stuff are great for the kids to kind of, you know, get some energy out we'll walk around the park, it's hot and they're usually tired by the time we're done. And it's a good time to be all and it's sometimes like my wife and I we can send the kids like go on a couple rollercoaster we can hang out for a few minutes to they're getting older. My oldest is actually like, I don't want to say full she's in she's learning how to drive at the moment. So you know, it won't be too much longer before I can say that I don't have to spend a weekend away doing like Park stuff. I can be like, go have fun with my wife somewhere and do something a little different. That's right, but we always have a good time together. So you know, it's always nice to go to different places with the kiddos. I enjoy it well again, because you know, as as it sounds like you know already you blink in and things change pretty quickly.
Alex Whitaker 31:12
Yes. Yeah, for sure. For sure. All right, Mike. Well, thanks so much for spending some time with us today and telling us about what's going on in Virginia. We really appreciate it.
Mike Watson 31:20
Thanks so much for having me. I had a nice time.
Amy Glasscock 31:23
Thanks again for listening to NASCIO Voices. NASCIO Voices is a production of the National Association of State Chief Information Officers or NASCIO. You can learn more at nascio.org.
Alex Whitaker 31:38
And if you're a NASCIO member registration for our Midyear Conference in National Harbor, Maryland is now open. We hope to see you there.
Amy Glasscock
Talk with you next time.