In April, Governor Mike DeWine tapped Kirk Herath to become the state’s first strategic cybersecurity adviser, a position created to guide state businesses in the face of cyberattacks.
Herath has been at the forefront of the industry, with more than three decades of experience in the expanding field of cybersecurity as a retired vice president and chief privacy officer for Nationwide, based in England. ‘Ohio. He is also Chairman of the Board of CyberOhio and a member of the Ohio Cybersecurity Advisory Council – two initiatives designed to address the growing problem of cybersecurity threats.
“I am thrilled that Kirk is bringing this expertise to the state to ensure Ohio leads the nation in cybersecurity and resilience and its cybersecurity workforce,” DeWine said in his decree creating the adviser position, which reports directly to him.
Crain spoke with Kirk Herath about his newly created role and what he sees as his most immediate and pressing goals for the job.
(This conversation has been edited and condensed for length.)
Q: How would you describe this new position created by Governor DeWine?
The position was created to help coordinate and integrate the disparate cybersecurity capabilities that exist within the state government. I will also help facilitate the training of the workforce in cybersecurity in particular. At a time when the threats are very high, there is a huge demand for this talent and we are not mentoring enough new professionals in this field. And then, along with that, also coordinate with the federal authorities. It could be the FBI, Homeland Security, Secret Service. I will also coordinate with other states on the best practice side. Then there are even a few other states that have roles close to this role of strategic cybersecurity advisor.
Q: This role reports directly to the Governor. What does it look like?
Basically and ultimately, it’s about communicating to the governor what the environment is like at any given time. And to do so in a coordinated way using information from all the disparate state agencies and giving a nuanced answer to the question: Are we safe? It’s nuanced because those answers are going to be slightly different from a military intelligence perspective or from a law enforcement perspective, or from a civilian infrastructure agency security perspective. They all have different missions. My goal is to be able to come up with a summary to provide periodically to the Governor, and then at any time to be able to dive deeper into each sector.
Q: How are you preparing for what is a completely new position?
Right now, in information sponge mode, I’m learning what’s going on. There are things I knew when I arrived; and there are things that I knew that I did not know; and every day there are things that I discover.
Q: Talk about some of the work you did at CyberOhio and how it prepared you for this new role.
DeWine created CyberOhio when he was in the AG office, and he had the foresight to bring together a group of private sector experts in law, policy, and technology to come up with a framework to help small businesses. It was the small and medium-sized businesses that he said were unprepared for risk and, #2, didn’t even understand the minimum things they needed to do to mitigate risk. The Ohio Data Protection Act, which created a cybersecurity framework standard, was partly motivated by this. And then when DeWine became governor, one of the first things he did was move CyberOhio into the executive branch. Now, CyberOhio is under Innovate Ohio, and the group has been working on updates on computer fraud and the Ohio Personal Protection Bill on privacy that is making its way through the legislature.
Q: Helping to create a cybersecurity talent pool is another state goal. What are the means you plan to achieve this goal?
Business and education groups have worked with the Ohio Department of Higher Education to come up with new standards for IT careers. There’s a new state report with recommendations that will begin setting cybersecurity standards for K-12 students. These recommendations will be a basic framework, with a sort of minimum IT requirement. If something good came out of the pandemic, and I’m not saying the pandemic was good, but if something came out of the pandemic, at least school systems, schools have a better understanding of how to teach virtually, as many rural and urban school districts do not have qualified instructors to teach computer science. The state can help create distance education for some schools that do not have the means or the capacity in-house.
Q: What other K-12 initiatives would you like to pursue?
One of the things that seems clear to me is that high school guidance counselors need to better understand what this cybersecurity job entails and that you don’t have to be deep in STEM or be a geek in IT to be a cybersecurity professional. There’s a broad spectrum in the profession, and there are definitely elements if you’re going into forensics where having math and computer aptitude is probably a must, but you can also be a liberal arts major – all you need to know is how to be organized, write, understand, be logical. There is a lot of logic in this area.
Q: Why is building this cybersecurity talent pool in Ohio important?
There are approximately 500,000 open jobs, broadly defined in cybersecurity, in the country right now. From there, estimates go up to the need for 2 million workers within five years. Which means there are good jobs for people with the right experience and education. Most companies today will take a trained person and teach them the ropes, but you have these gaps in your workforce and companies need to secure their digital environments. Right now we are all cannibalizing the same people. Trained professionals can cross the street and they will get a signing bonus and 10% more. This is the dynamic in which we currently find ourselves. We need to start creating, we need to open this cybersecurity workforce pipeline, this faucet, immediately.
Q: What else do you plan to do with this new position?
I think I’m a cheerleader. For now, I’m going to operate in collaboration, as we have a lot of different missions competing here (in the state). I will play a role in holding people accountable for the things the Governor has identified as a priority and speaking to him when there needs to be a decision between competing interests. Because there are always competing interests. Another role of the post is to go to the governor or the lieutenant governor and say, “Here is what we need. We need more resources or we need your political support.”
Q: Do you think the companies you talk to realize the growing threat cybersecurity faces?
I think everyone understands it intellectually. I think when it comes to having been at a big company for many decades, there are competing priorities for every dollar. First, there is no perfect security. There really is a metric that says above that level, if you spend, you’re almost wasting your money. Perfection is unattainable. The CIA has been hacked. The NSA has been hacked. There is probably no better protected place in the world than these two organizations. And they have been publicly hacked multiple times as far as we know. And I’m sure there are things we don’t know. Going back to my role, it will be working with cabinet and with the governor to try to determine what is reasonably safe and when and where we need to continue to invest.
Q: How long does it take for someone to get up to speed in this kind of work? What is your transition time?
I’m hoping to have at least some minimal recommendations to the governor and cabinet, but I think I’m at least two to four weeks away from something preliminary. There are elements of governance that need to exist and certain metrics that we need to collect to start managing workforce development, which is one of the first things to address.
Q: How did you end up in this position because you were retired; why do this?
DeWine knew I had a passion for public service, and I knew he believed it was a critical issue. I believe he is passionate about cybersecurity and will give me the support I need to do what I need to do. I think it’s clear he’s a visionary in this space. He saw it before almost anyone at the state level, and he provided us with a lot of support when he was in the AG office. I feel like I have another racing streak in me and I can make a difference. Whether it’s one year, two years, three years, four years — I think I can make a difference, and I think I can improve the community and the state.