
Nevada names retired Army officer as cybersecurity chief

Bertrum Carroll, a retired Army lieutenant colonel, will head cybersecurity operations in Nevada.
Nevada's state capitol building sits in Carson City. (Joe Sohm / Visions of America / Universal Images Group via Getty Images)

Less than one year after a ransomware attack disrupted many of the state’s operations, Nevada on Monday announced the hire of Bertrum Carroll, a retired Army lieutenant colonel who most recently worked for a workers’ compensation insurance firm, as its new chief information security officer.

Carroll replaces Bob Dehnhardt, who retired last May, several months before officials would discover that an employee had mistakenly installed malware and enabled a prolonged ransomware attack. Timothy Galluzi, Nevada’s chief information officer, in a press release called Carroll a “seasoned professional who understands the gravity of the modern and ever-changing threat environment.”

According to his LinkedIn profile, Carroll most recently spent eight-and-a-half years at the workers’ compensation insurance firm Employers, where he was CISO and a vice president. His resume includes several other private-sector IT jobs, including at General Electric and Rockwell Automation, but much of his career was in the Army, where he spent 27 years before retiring as a lieutenant colonel. The state’s press release, issued by the Governor’s Technology Office, notes that Carroll brings “a disciplined, mission-focused approach to leadership.”


Carroll is quoted in the release as noting that AI is “interwoven into everything we do. That means security leaders have to think not only about the technology itself, but also about governance, workforce training, vendor expectations and the responsible use of data.” The new CISO said he’ll start by surveying the state, to understand its “most important risks.” “Cybersecurity is not about chasing perfection,” he said. “It is about managing risk in a deliberate, responsible way that protects public trust.”

Since recovering from its ransomware attack last year, Nevada has made some adjustments. It most recently advertised the state’s adoption of new cloud security standards. In February, the technology agency announced a policy aiming to uniformly classify the state’s data, a “proactive” measure designed to ensure that sensitive data is treated sensitively. “A lot of these accidents could have been fortified a little bit. The one lesson we got out of that [cyberattack] is if you don’t know what’s sensitive, you can’t really protect it consistently,” Michael Hanna-Butros Meyering, the technology bureau’s communications chief, said at the time of the announcement.

Dehnhardt, the state’s former CISO, left the state last May, the same month that Nevada’s cybersecurity incident began, though the state would not become aware of it until August. The attack was disruptive to Nevada’s operations, affecting services at 60 agencies, including some of its most critical: Health and Human Services, Motor Vehicles, and Public Safety. It disabled or disrupted numerous services for weeks, including the ability of police to conduct background checks, for residents to renew their driver’s licenses or receive unemployment support or for small businesses to apply for permits through the secretary of state’s office. 

Galluzi, the state’s CIO, not only helped the state recover from the attack (and saw the costs covered by the state’s cybersecurity insurance), but has also helped rally support for a statewide security operations center and expansion of a technical threat analysis program.

Dehnhardt, the former CISO, meanwhile seems to be enjoying himself. His jokey LinkedIn profile lists his current employer as “none to speak of,” with his present responsibilities listed as attending brunch, providing “expert commentary on daytime television and neighborhood happenings,” delivering “regular updates on how things used to be” and offering “unsolicited consulting services to former coworkers, fellow sports bar patrons, and random passers-by.”
