Derek Larson, acting deputy chief security officer, Michigan

July 6, 2021

What have you been working on lately?

I’m continuing to work on a lot of external-facing areas in terms of expanding the state of Michigan’s protection in the digital ecosystem. That’s moving beyond the traditional defense of state networks to defending the state from cybersecurity threats more broadly. That’s our work with county and local governments to provide them with information and threat intelligence as well as support should there be an incident. That’s helping K-12 institutions better improve their cybersecurity. That’s helping develop a cybersecurity talent pipeline. But it’s also continuing to manage those traditional areas of protecting state networks, ensuring that not only are we ready to go when something does happen, but making sure we’re as prepared as possible for anything that might.

What lesson will you take with you from the pandemic?

The thing that was most evident and most impressive was the resiliency of the state’s workforce in quickly shifting from an overwhelmingly in-person environment to a remote one. As we move out of pandemic response and into returning to the office, we’re trying to figure out what the security realities are, and how do those mesh against the ones we’ve traditionally faced in in-person office environments, and what are the new tensions created by having a workforce that combines those two? The workforce has proven capable of doing it, and there are a number of things that are easier when you’re in-person or remote, and as we move to a more hybrid environment, dealing with the challenges that presents is going to be interesting.

How are you anticipating the adoption of a hybrid workplace?

It is very much still a mystery. Even for things that seem fairly innocuous, like meetings. They used to be all in the conference room. For the last year, they’ve been all in virtual environments. Moving to a situation in which you have large numbers of participants in both is going to be a challenge. Making sure we’re providing a security environment that can support both sets of employees is another dynamic piece in the state cybersecurity model.