State governments endure daily cyberattacks. One state is addressing those threats head-on by elevating cybersecurity to a cabinet-level position.
In April 2017, Rhode Island Gov. Gina M. Raimondo appointed Mike Steinmetz as the state’s first cybersecurity officer (CSO), serving as her principal policy adviser on cybersecurity. Steinmetz is responsible for developing and implementing a comprehensive statewide strategy for cybersecurity. He will work in partnership with state CISO Kurt Huhn to strengthen the state's security posture.
Steinmetz has the credentials to take on that challenge, with years of experience addressing security issues in both the private and public sectors. He most recently served as director of strategy and planning and director of governance and compliance within the digital risk and security division of National Grid, a multinational electrical and gas utility company. His prior roles include work as a director of computer network operations at the Defense Department and as the deputy chief of staff for an organization at the National Security Agency.
He spoke recently with StateTech about early efforts to instill a cybersecurity culture in the state, the economic impact of security and more.
STATETECH: What cyberthreats are you worried about for your state?
STEINMETZ: The threats come right out of the headlines. We are concerned about ransomware, and about threats such as WannaCry and NotPetya. We’ve chosen to focus where Gartner and other analysts would indicate that we have the highest payoff, on training people and changing our culture. That has been a priority of the governor since my first day on the job, and we’re identifying ways to achieve this.
We’ve rolled out pilots for executive-level training on vulnerabilities such as phishing. The National Guard and the Rhode Island State Police have been great teammates in helping to find the right training, including how to access free resources.
STATETECH: How does your combination of private and public sector experience influence your approach to these threats?
STEINMETZ: Spending 25 years in the Department of Defense, you learn how to be mission-oriented. In the private sector, you quickly learn how to be profit-oriented, and you understand the perspective of building business and working with the government.
At National Grid, I was oriented toward staying profitable but also protecting critical infrastructure, and I was exposed to a heavily regulated environment.
So now, when I have vendors sitting across from me or I’m working on a regulatory-related project through the state’s energy innovation initiative, I understand the other parties’ perspectives and what they want to achieve. And I understand how great things can be when we find common ground to get important things done.
STATETECH: Do you find that citizens appreciate the significance of cyberthreats?
STEINMETZ: I do. I recently supported a cybersecurity awareness event sponsored by Rep. Jim Langevin at the Johnson Senior Center. I came in contact with a lot of our citizens, and they understand that it’s an issue. What they don’t understand is where to start.
So, I provide a very sensible, cogent, easily understood place for everybody to start. And that is with the basics — things like changing passwords, backing up data and not clicking on unfamiliar links. This crosses economic and educational demographics.
Just because a person went to an Ivy League school and makes a lot of money doesn’t mean that he or she will act responsibly online, or even understand what it means to act responsibly online.