There are only a small number of current public-sector chief information security officers (CISOs) who have served as the top cybersecurity leader in multiple states.
Add if you consider those with both state and local government experience, as well as time in a federal government role, and top that all off with private-sector work, the number gets even smaller. In fact, I am only aware of one such person: Keith Tresh.
Tresh has an amazing background, which includes experience as the former CISO for the state of California, having been appointed by Gov. Jerry Brown in 2011 and remaining in that position until 2013.
Before that, he was employed for nearly 12 years with the California National Guard, working initially as a telecommunications manager before serving as the CIO and IT director from 2006 to 2011.
Between 2014 and 2016, Tresh was CISO for Orange County, and he later served as CIO for the California High-Speed Rail Authority in 2016. He would go on to serve as the commander of the California Cybersecurity Integration Center for the Governor’s Office of Emergency Services between 2016 and 2018.
I have known Keith for more than a decade, first meeting him when I was chief security officer (CSO) in Michigan. I have always been impressed with his knowledge and leadership skills, and I am delighted that he agreed to be interviewed.
Dan Lohrmann (DL): You have held several security leadership positions. What are some of the differences between your government and private-sector roles? What duties are the same?
Keith Tresh (KT): I spent about 18 months working in the private sector and the rest of my career has been in the public sector. I think there were two specific differences I experienced during my time working in the private sector.
First, since the focus of most private-sector entities is profit, it made my work more focused on targeted networking and at times making cold calls to folks for leads. I am not a guy who is good at that, so it was a struggle for me to manage my time and goals.
The second difference I experienced was that you must be much more aware of the leadership qualities and alliances and how that can affect your work and the climate of the workplace. One of the two companies I worked for had a dynamic and strong CEO whom I truly respected and thought was a great leader. He was focused and up front, but also very generous. I loved working for him.
DL: How would you compare your role as California CISO to being Idaho CISO?
KT: Being the CISO for California was my first experience in state government, so it was filled with new experiences and challenges every day. I enjoyed my time working with and for Carlos Ramos, and I learned a lot about the differences between the sphere of influence and scope of the job federal folks have versus state employees. It was a great experience, and I worked with a lot of great people. And in California, the scope of the position was very big.
When I entered my role as the Idaho CISO, I did not realize just how differently each state operates their IT and IT security. I also had to re-learn my sphere of influence and how to create and maintain trusting professional relationships. Having worked in California for so many years, I was a known quantity to most of the IT folks there. Here in Idaho, I am working hard to try to become known as a trusted partner and advocate for the security professionals in state government. It is not a quick or easy process, but it is my most important mission.
The rest of Lohrmann's interview with Tresh is available here.