As part of Industry Insider — Texas’ ongoing efforts to educate readers on state agencies, their IT plans and initiatives, here’s the latest in our periodic series of interviews with departmental IT leaders.
Nancy Rainosek is the state’s chief information security officer. Rainosek first took on the role in January 2017 under the Texas Department of Information Resources (DIR). Since taking the job, she has overseen various efforts such as advocating for legislation that requires all government employees who use computers to undergo security awareness training. She's also built relationships between the executive branch and other state entities to create a cyber support network.
Rainosek has more than 35 years of IT experience within the state government and private sector. Prior to DIR, she served as deputy chief information security officer and enterprise security operations manager for the state’s Health and Human Services Commission. Before that, she was an IT audit and information resource manager at the Texas State Auditor’s Office.
Rainosek holds a Bachelor of Business Administration degree with a concentration in management information systems from Texas State University.
Industry Insider — Texas: As CISO of your organization, how do you describe your role?
Rainosek: With Texas being a federated government, my role is different than most state CISOs’ across the country. My role includes setting the strategic direction and security policy at the statewide level; offering services for state agencies and institutions of higher education, including training for both security professionals and end users, penetration testing services, security assessment services, incident response services, etc.; and providing reports to Texas leadership on the status of cybersecurity across the state.
IITX: How have the role and responsibilities of the CISO changed in recent years?
Rainosek: We have a whole-of-state strategy for cybersecurity. Therefore, my office has implemented programs to assist local government entities in improving their security and responding to incidents. This includes establishing the Texas Information Sharing and Analysis Organization (TX-ISAO) to share critical security information with both government and private-sector members in Texas; establishing DIR’s first Regional Security Operations Center (RSOC) in partnership with Angelo State University to serve local governments and K-12 in West Texas; and establishing a volunteer incident response team to respond in case of a declared cybersecurity disaster.
IITX: In your tenure in this position, which project or achievement are you most proud of?
Rainosek: Can I name two? First is the recent ribbon-cutting ceremony at Angelo State University for the first regional security operations center in that region of West Texas. This center will provide “boots on the ground” to assist local governments should they face a security incident, provide monitoring for those local governments, and train the workforce of the future through student participation working in the RSOC. Second is the establishment of a statewide incident response plan, which led to the successful response to an August 2019 ransomware event that impacted 23 local governments.
IITX: What projects will you be looking to fund in the next biennium? Do you have exceptional requests that may be before the Legislature?
Rainosek: We have an exceptional request for funding for two additional regional security operations centers at the University of Texas at Austin and the University of Texas Rio Grande Valley. Our goal is to eventually cover all areas of Texas.
IITX: What big initiatives or projects are coming up? What sorts of developing opportunities and RFPs should we be watching for in the next six to 12 months?
Rainosek: We are planning to add an identity and access management managed service to DIR’s shared technology services program.
IITX: What do you read to stay abreast of developments in the government technology/SLED sector?
Rainosek: I read a variety of online periodicals focusing on both the government cybersecurity sector and cybersecurity in general. In addition, I follow a number of experts on Twitter and LinkedIn. I am also very much in communication with other state CISOs. They are a talented group of public servants, and I learn a lot from each of them.
IITX: What do you think is the greatest technology challenge in Texas?
Rainosek: Texas is a large state and is federated so that each agency and local government operates their own IT department. Protecting Texans’ information at all levels of government is a challenge.
IITX: How do you prefer to be contacted by vendors, including via social media such as LinkedIn?
Rainosek: I tend to pay more attention to emails instead of social media. And I tend to answer those emails that have targeted information about my program and what might be useful to Texas instead of a generic form letter sent to many.
IITX: How might vendors best educate themselves before meeting with you?
Rainosek: Read our statewide security strategic plan and our website to learn about our agency and initiatives before contacting me.
IITX: What conferences do you attend?
Rainosek: I usually attend the Gartner (Security & Risk Management) Summit, the RSA Conference and NASCIO events.
IITX: What do you do to unplug in your downtime?
Rainosek: I have been involved in showing and raising Shetland sheepdogs since the early '80s.