Building Relationships to Strengthen Cybersecurity in Indiana With State CIO Tracy Barnes

April 12, 2023 NASCIO Episode 93

Alex and Amy talk with Indiana State CIO Tracy Barnes about his whole of state approach to cybersecurity, visiting all the counties in Indiana, partnering with universities, identity and access management, workforce and more. 

Episode 93 --Tracy Barnes

Tue, Apr 11, 2023 11:10AM • 29:16




Tracy Barnes, Alex Whitaker, Amy Glasscock


Amy Glasscock  00:05

Hi, and welcome to NASCIO Voices, where we talk all things state IT. I'm Amy Glasscock in Lexington, Kentucky.


Alex Whitaker  00:11

And I'm Alex Whitaker in Washington, DC. Today we're talking with Indiana CIO Tracy Barnes about whole state cybersecurity, identity and access management, workforce and some of his other priorities in the Hoosier State.


Amy Glasscock  00:23

Tracy, welcome to NASCIO Voices. And thanks so much for joining us today.


Tracy Barnes  00:26

Thanks so much Amy. I appreciate being here. 


Amy Glasscock  00:29

Well, I know it's your first time on the podcast. And I want to say a special thanks to you. First, because you're on our NASCIO Executive Committee, which I know takes up extra hours out of your busy day. But we do appreciate your service to NASCIO. So thank you for that.


Tracy Barnes  00:43

Absolutely. I'm very excited to be a part of the executive committee now and getting more involved and engaged, and it's good timing overall to be able to be of more assistance to the overall committee.


Amy Glasscock  00:53

Great. Well, we're excited to have you. So before we get into all the great stuff that you're working on in Indiana, tell us briefly about your professional background and how you became the CIO for Indiana.


Tracy Barnes  01:04

Sure, it was actually kind of a bit by mistake, I'd say. I mean, it was definitely not something that was planned or on the roadmap that, you know, we all kind of map on our own personal lives, but really just good timing and situational opportunity that presented itself. So, you know, I started out my early days as an Oracle DBA and transitioned pretty significantly over into the ERP space, doing PeopleSoft consulting for a number of years. I had my own IT company for about 10 or 11 years before making that full transition over in the state government, doing it for a small bit at that time. But really, the majority of my state government experience as an employee was done when I served as a chief of staff for lieutenant governor. Again, not a job that I think any of us grew up saying, hey, I want to be chief of staff or someone, but you start, you know, getting connected, and understanding how things are working, and having the ability to bring some perspective to elected officials that they are looking for, and just being the right person in the right place at the right time. Having done that for three years. And then my predecessor, our good friend, for all, it was the one the lead decided to leave. And he approached me and said, Hey, Tracy, I think this would be good for you.
And we talked about it, I think I told him no two or three times, and eventually had a fourth conversation with him, and then also with our budget director, and said, you know, we really think this could be a position that you can help transform and bring some additional awareness and opportunity to. And so having been around the state, consulting with the state, partnering with the state, serving in the state agency for a number of years just really kind of gave me some insight and awareness that the administration was looking for. The governor's office and their team were asking for some good recommendations and references from some folks on the outside with my background, specifically around application space and enterprise approach to solutioning. As such, and like I said, just kind of fill in the position at the right time, and very grateful for the opportunity. And I've been having a lot of fun ever since then. I mean, not that I would say that I took it over at the most opportune time. If you recall, my first day was March 16, 2020, which was the day our state shut down for the pandemic. It really did bring forward a position that challenged me, which I was looking for at the time and eager to take on, and unify a lot of our agencies and a lot of our state operations from a technology standpoint, which I do think I was well suited for.


Amy Glasscock  03:47

That's great. Yeah, I don't know that I've heard of somebody being a chief of staff before becoming a CIO. But you know, it doesn't make a lot of sense, like you do gain executive leadership in a chief of staff position, you know, you are in charge of a lot of folks and keeping things running. And that's important in the CIO role as well. 


Tracy Barnes  04:05

It also gave me an understanding of policy and legislation that I never had before, which has been very advantageous and beneficial, coming into this world with the proliferation of technology and getting more of that policy and legislative footprint and involvement that I don't think I would have gotten in any other capacity anywhere else. Right. Not having grown up in the political world or in the policy space, it was definitely a big learning edge and piece for me to bring to this team.


Amy Glasscock  04:38

Yeah, that's a really good point. Yeah, important as well. So speaking of policies, we've been talking a lot around NASCIO world about this idea of a whole of state approach to cybersecurity, and correct me if I'm wrong, but in April of 2021, Indiana passed legislation giving your office greater authority and responsibility in helping not only state agencies but local governments in dealing with cybersecurity attacks. So, I'd love to hear more about how you and your team took on this responsibility, this new authority and how you work to build relationships with local governments, especially.


Tracy Barnes  05:18

Sure, this was a very exciting opportunity that we weren't sure we would be able to pull off. But the team did a great job embracing the idea. And, as we say, running all the traps everywhere possible, to try and help bring this to fruition. So the idea really started, ironically, as I was finishing up my time in the lieutenant governor's office. I had started working on a master's degree in cybersecurity law and policy, and had read a lot about some federal initiatives that were trying to get into incident reporting and incident management. And getting into this role, I said, why can't we try it and see if we can at least try and take it on at a smaller level, smaller scale. I mean, a difficulty with whole of state that, you know, I know we're heavily bought into it, and we have a lot of good support from our executives here in Indiana. But the difficulty with it is trying to make sure there's a good delineation and demark between what should we own at the state level and what should we rely on and let the locals and other municipalities continue to own and manage and govern for themselves. And so without trying to, you know, boil the ocean and take on that battle immediately, we just decided to start with, let's at least see if we can get a unified reporting process, authority and framework that gives us more visibility and awareness, with a main goal of just trying to bring awareness to the situation and problem and potentially help to quantify it. You know, a lot of times the issues would be reported, and it would only get awareness from media, or word of mouth, or if someone happened to reach out. And this legislation changed that. And it really kind of put us in the middle of the conversation or offers that IoT here in the middle of that conversation, to say, hey, look, the state wants to know about it.
Well, we're not necessarily trying to control you or dictate or your business and definitely not trying to penalize and punish you. But we're trying to figure out quantities of issues and scale and volume as the potential at that time, early potential that there could be funding in the future to help support and remediate and resolve some of this. So we were able to get that legislation passed. That still didn't necessarily fix the problem, I would say, because another facet and piece of that problem was there was not a connection and relationship between our state office, from a technology standpoint, and our local government partners and municipalities across the state. There's many years of having different opinions on how to approach them and how to manage that and how to deal with that. We were very internally operationally focused in supporting our state operations. Again, my footprint and background with the lieutenant governor's office helped to say, let's, is there a way we can look at this differently. And then I was able to bring a few more teammates on that had more of that local involvement perspective. And we decided to, very easy for me to say, we decided to go on a 92-county tour for all of our counties, to sit down with them and at least sit across the table and say, hey, here's who we are. Here's what we do. Here's what we're trying to accomplish. What problems do you have? What are you experiencing and seeing? Are there things that we can do at the state level to kind of help resolve your problems? And it was overwhelmingly received very positively. It created a litany of new relationships and connections that we had not had, and that have been very influential in helping us start to really get aggressively down this path of whole of state.
I think we all realize and recognize, even though we really hadn't talked about it, that the interconnections of our systems and our frameworks and backbones and technologies between state, local services and such that we're providing to all the same citizens. We've all known it was there, but we've not really sat down to say, how is what I am doing impacting you, and how can I look at that differently to either help enable you, empower you and help make your side of things work a lot better. And so that 92-county tour was, my folks will tell you how grueling it was to do, it's not easy to do. It's the top and bottom of the state of Indiana, and the topology is very different, with very flat areas, very rural areas, very hilly areas and everything in between. But it was the cornerstone to helping us create a foundation that fortunately then piggybacked or dovetailed right into the availability of the federal infrastructure dollars. So we weren't having to start from scratch when that was announced and say, hey, now we need to go find people. We already had people, we already had connections. We had contact information through legislation, and other contact information through our outreach in our local town halls. And so it was just a matter of how do we pull all this together now to say, let's actually get some things done. So it's been very exciting for everything to kind of really just kind of come together the way that it has over the last two years.


Alex Whitaker  10:38

Yeah, for sure. And I think one of the things that you mentioned, sort of indirectly mentioned, the cyber grant. But you can see, it's just so clear that states that have set up those personal relationships between state entities and localities are just able to kind of, I think, hit the ground running so much quicker with putting that money into action. And I think just knowing who the other person is on the end of the phone call when you're having a crisis is just so helpful when it comes to cybersecurity issues. So I think it's great that you guys have done that tour, as grueling as it must have been for you.


Tracy Barnes  11:08

Oh, very much so. And I went to a handful of them, but I will definitely tell you, my team, they loved them. They put a lot of time and effort and miles making that happen and getting that done. We are often in our role of technology. I mean, there's so many people that don't understand technology that are using technology, right. I mean, that's pretty much kind of human nature across the globe, is a lot of folks are consuming. There's, you know, a small footprint of us that understand how things are working, inner workings and things of that nature. And so, because of that, you know, the more we can educate non-IT folks, elected officials, appointed officials, different legislatures, or different association members and things of that nature, they don't necessarily always understand the impact of what technology can do positively and negatively. So we're seeing that as part of that outreach, that engagement, that relationship building as well, not just coming in as a technician, and definitely not coming in as Big Brother, that turns folks off very quickly. And so we're trying to do all we can to not say that something is mandated or required or standardized. But how do we offer other options and work together for collaboration to move the entire state forward? And so that's really been a big cornerstone to that message that we've been putting together and sending out.


Alex Whitaker  12:35

Yeah, for sure. No, I think you really nailed it when you say avoiding the big brother relationship. That's always helpful. You know, speaking of collaborations and staying in the realm of cybersecurity, I know that in October of last year, you are partnering with both Purdue University and Indiana University to create what is really an unprecedented and unique agreement that provided cybersecurity assessments for local governments across the state. I'm wondering if you can just tell us a little bit about the agreement and how it came to fruition and how that project's been going?


Tracy Barnes  13:04

Sure, again, this was, let's take a multi-pronged approach and see what we can pull off and make happen. And this one took a while to come together. But so very appreciative that the folks at Purdue University and the folks at Indiana University were willing to sit down and have a much more direct conversation with, how do we improve the posture of the state of Indiana. You would probably not be surprised at how many people said it couldn't be done. You know, these are, as much as they're competing, they're, you know, they do collaborate, and they work together in various capacities. But there's neither definitely competitive universities that see themselves in very different spaces. And both bring some significant capabilities in the cyber realm that can be taken advantage of. And then I'll just kind of dovetail that with the reality that, you know, we are government, and say this very wholeheartedly, right. We're not always welcome in that room when we're talking about trying to bring forward awareness or exposure to problems with locals and with others as well. Because we often do regulate in different areas in different agencies and such. My office does not, but they still see us as somewhat of a threat at times. And so in order to figure out ways to increase awareness of that posture across the state, we sat down and said, how can we put together a relationship that gets them to understand the state is interested and involved and concerned? The state is not trying to come in and control and dictate and mandate, but the state wants to bring forward the right folks that can help them at the local level and help with some more statewide awareness and analysis and data to help support some potential legislative features and functions and footprint to make this happen. And so the reality that we had little to no awareness across our jurisdictions.
And a lot of them don't have it themselves, of where their actual security posture is, what is in place, what isn't in place. What are they doing? What aren't they doing? Where do they rank, do they rate, things of that nature. We thought we'd start with, let's find a way to make available a cyber assessment program that everyone can take advantage of. We'll fund it and put the framework in place. And all they have to do is raise their hand, sign up. And we'll come out with the team to actually put that together, give them a report. We're not getting detailed data at the state, we're getting aggregate data, which is a lot more advantageous as we're looking at, again, themes, commonalities, areas where we can offer up solutioning. From a state level, it's not a matter of needing to know that county X doesn't have MFA turned on, but figuring out that, you know, we just saw that 12 counties, that they can't afford MFA. Is that something that we can look at addressing either through an MFA vendor through one of our contracts, or finding funding to help set it as a more legislative priority to help them get into a better position. So that's really been the core of what we wanted to do with these assessments. If you look at the two largest universities in the state of Indiana, our partners are Purdue and IU, the capabilities are bringing the teams that they have that are very focused on cyber, they both have strong technology and cyber curriculum and academic programs and a pretty broad student population focused in the space as well. The other piece that I'll kind of say tongue in cheek, right, is if the three of us come together and make something happen, I think it should show the entire state that we're serious about the overall mission, not any one of us getting the recognition or any one of us being in control, per se, but realizing that this is a statewide problem that is going to take that teamwork and partnership in order to make happen.
So project is, we've been spending the last two to three months really mapping out the framework for what that assessment will look like. The rubric, the CIS controls, and we're including the NIST controls, you know, trying to not deter folks, because they start to think there's this 200-300 question interview or assessment that they're going to go through, but narrow it down pretty small and focus that gives us some good awareness and visibility, gives them somewhere to start with, that can be built upon later and reassessed later as well, but starts to bring forward information that will help lead into our cyber grant, cyber strategy, that data and information, again, other areas where we're doing procurements for state needs and issues that we can determine are also local needs and issues. And we can potentially negotiate a more enterprise statewide contract vehicle with those vendors, and then continuing to work with our legislature to educate them and help them understand where they have an opportunity to fill those gaps.


Alex Whitaker  18:08

Great. That's really fascinating. Again, I think it's that those personal relationships with you all certainly are not neglecting in Indiana. And I know you all have been also working on identity and access management platform for the last couple of years. I'm curious to hear more about that and how it's going.


Tracy Barnes  18:22

Access Indiana is our main footprint, and that's our citizen-facing, primarily citizen-facing platform. It is going very well, I think. It's been going on since about 2018. But we really didn't pick up speed, ironically, until COVID hit and there was that major need to get more services brought to an online capacity. So in the fall of 2020, I think we hit about a million. I think we went from about 200,000 to just under a million citizens involved. We're now currently at about 1.8 million, and went from I think about 20 to 23 provider applications to over about 140 applications that are now being served through the platform. So we're definitely getting a good broadening of usage across our agencies, and continue to mature the security profiles and expectations for those applications. And looking to continue growing that stack and our platform, it's been going very well. We see a lot of continued future potential, especially as we are starting to go down the path and look at digital identity and shared identity across more of our state agencies in order for more robust and holistic view of our citizens and their experience and engagement with the state. We do need to sit down and really think through a bit more long term strategy, as the entire authentication, authorization, identity world is still heavily evolving, and evolving pretty rapidly when you think about verification, validation, the digital identity side of things. And so we are, we're over that initial hurdle where I'd say we're kind of out of startup mode, and we're ready to get into more, a little bit of sustainability, but also quickly jumping back into more growth mode as well. And getting some more of our major state applications involved in there. And hopefully increasing the identity posture for all of those stacks.


Alex Whitaker  20:18

Got it. Yeah, that's fascinating.


Amy Glasscock  20:20

Yeah. Great. So workforce has been a big priority for NASCIO. We've been talking about it a lot this year so far. And all CIOs have been, it seems like, and I know that Indiana has done some innovative things when it comes to attracting talent to the IT workforce. We had John Rogers on in February to talk about the State Earn and Learn, or SEAL, program. That was episode 88, if listeners would like to go back and hear that. And that program hires people from non-IT careers, jobs, and brings them in and trains them to do the IT jobs there in the state. So we already had a whole podcast about that. But I'd love to hear your brief thoughts on the SEAL program, and then also would love to hear about any other workforce initiatives that you guys are working on.


Tracy Barnes  21:05

Sure, um, John is amazing. Thanks for having him on the podcast. And I mean, this was one, ironically, the first class of SEALs, there were two individuals that started my same first day in March 2020. And didn't know what we were doing, didn't know what was going on. I just knew and what we were really talking about at that time were pipeline issues and talent problems and concerns. And, you know, lo and behold, there was a pretty big mass exodus of talent from our shop, and from a number of shops across the state that showed the continued value of it. And those first two went so well and went successfully that we continue to grow and expand and are doing a great job now. And it's been cool to watch individuals, as they mature and learn what's going on and how tech works. You start to see the light bulb come on, you see, some of them go from there, we have one gentleman who was a CDL truck driver, now working on our cyber team, and the enlightenment and future opportunity that it brings to him and his family. And he talks about it very openly. That's when you know you're doing things the right way. So we're fixing a problem with making sure we get talent. We're training people to get talent to do things that we know we need and doing the way we want them done. And we're also changing lives. And so I give a lot of credit to John for having founded that program, fought for our program and continues to market and solicit involvement and participation and growing that program, partnering with our state workforce department to help support the apprenticeship facet of that and make sure we're staying compliant with all of those guidelines and such. We do see continued future operator opportunity with it. And we'll definitely be looking for more ways to help our other state agencies that are also looking for IT talent. And as we can continue building the awareness and capabilities of the tech needs across the state.
Other areas around workforce, you know, really professional development. I don't know if we've done a great job there. And I think that's something I want to put some more effort and intention around, is both technical development, non-technical development, awareness, management, training and preparation, all things that continue to help people not just get into the tech space with us and work with us as technicians, but developing and growing the next generation of tech leadership. That is not always an easy transition to make. You know, I remember my days when I was, you know, really kind of up against the wall deciding do I want to keep typing on the keyboard, building databases and installing infrastructure, versus letting go of that and working on Word documents and Excel spreadsheets, presenting strategies and plans? And so how do we continue making sure that we have folks prepared, trained, aware, understanding what it means to be a tech manager, tech leader, and the support that's needed for the individuals that will be reporting to them, and making sure they're prepared to take on that next level of responsibility? So that's probably the top thing that I would say is of utmost priority, is professional development and preparation for management and executive positions.


Alex Whitaker  24:19

And I will also just say that this week, NASCIO and NGA released their joint report on cybersecurity workforce and state government, which maybe we can drop that in the show notes as well. So really exciting. So, you know, we have covered a lot of big topics and projects already going on in the state, but any other major priorities that you want to mention that we haven't been able that we haven't talked about yet? 


Tracy Barnes  24:41

Just one I'll talk about, and this is kind of getting to a bit more of the core of our operation. You know, we've started to dig into TBM, you know, technology business management, and understanding what that means and preparing to reevaluate our service catalog or product catalog, implementing a new billing system to help get us more visibility. I think a lot of my peers understand this, you know, we're in a federated model where we have a lot of central footprint of tech, but a lot of the agencies still have at least some application ownership and such. And I think there's more visibility and transparency that's needed to help them and help us understand where we're spending those dollars. How do we plan for future growth needs, and attrition of technology, and better prepare them to say, continue using my office and our team, as a choice, not as a requirement. TBM and the new products that we're looking to put into place to support that, and our service catalog, we're going to need some review on, and we're starting to dig into that and understanding more of our processes and procedures and our cost models and cost allocations. I think it's inherent to get to the point where we can start showing better value, and helping our non-tech agency leaders across the state understand what that value is and what it means and how it relates and transitions over into the services that they're providing their constituents and their consumers. But I want to be a much better partner in helping them make that connection as such. And so that's really, I'd say, the number one priority. We've already started down that path for this next year.


Alex Whitaker  26:23

Can't wait to see how things go there. So as our regular listeners know, we can't end the show without learning a little bit more about you and a segment that we call the lightning round. Are you ready?


Tracy Barnes  26:35

I think so.


Alex Whitaker  26:38

It's easy questions. And this first one is fill in the blank. So outside of work, 2023 will be the year of what for you?


Tracy Barnes  26:47

I think I need more personal engagement. Do a lot professionally and do it a lot with work in and around the office and things of that nature. Want to get some more activities with the wife and kids and get out to enjoy life a bit more. I think things are, I would never say things have settled down. I don't want to give that impression. But definitely want to find more enrichment that fulfills more family and personal excitement and not just be so excited from everything at work. That makes sense.


Amy Glasscock  27:19

That's always a good goal, I think. All right. Question two, any good books, movies or TV shows that you've read or seen recently? Or maybe you've been too busy at work?


Tracy Barnes  27:33

Right? Well, this is, this will be able to get you there as is. You know, I'm originally from Detroit, Michigan. So I'm truly a city boy. But my wife and I just finished all of Yellowstone and it has truly given me an appreciation for my counterparts out in North Dakota, South Dakota, Montana and those guys in the whole world of ranching. So there may be some inner cowboy that has been repressed for a number of years.


Alex Whitaker  27:57

We all have one. Well, so maybe related any plans for summer vacation, maybe heading out west?


Tracy Barnes  28:05

No, nothing planned at this point. We definitely have a desire to make something happen. But nothing specific on the calendar. We do have a spring break trip planned out to New York with the kids. But at some point, somewhere, you know, we're in Indiana here. So we got to find a beach on some sand sometime this summer. So we'll probably be heading south to get some good sun in the summer.


Amy Glasscock  28:28

Well, maybe this will be your reminder to go plan that summer vacation then. All right, Tracy, well this was great. Thank you so much for taking some time out of your very busy schedule to connect with us and with NASCIO and to share some of what you're working on. We really appreciate it.


Tracy Barnes  28:47

Thank you both again for the opportunity. Appreciate the conversation and look forward to future engagements. Me too.


Alex Whitaker  28:53

Thank you. Thanks again for listening to NASCIO Voices. NASCIO Voices is a production of the National Association of State Chief Information Officers, or NASCIO.


Amy Glasscock  29:03

If you liked this episode, please rate, review and subscribe. We'll be back in two weeks, talk with you then.