Rob Main, who retired last month as North Carolina’s chief risk officer said that during his time in government, he experienced his role and those of his fellow chief information security officers steadily rise in prominence as cyber concerns grew in the public sector.
“Think of a large banquet hall with a long table,” he said in a recent interview. “Gradually, that seat at the table has moved from the end of the table to front and center. And that’s absolutely essential to ensuring that cybersecurity is the top consideration, and not just an afterthought.”
In North Carolina, Main told StateScoop, that metaphor was manifested in the evolution of a “whole-of-state” strategy.
Main was named North Carolina’s top cybersecurity official in October 2021, capping off a quarter-century career in the public sector that began at North Carolina State University, where he started as a technical operations manager for the Raleigh campus’ libraries. He then moved to the state Department of Health and Human Services and later became an agency CIO for several North Carolina agencies. He was named the state’s deputy chief risk officer in 2019, working with then-Chief Risk Officer Maria Thompson, who initiated North Carolina’s whole-of-state approach and whom Main called a mentor.
Over the past few years, Main said that strategy evolved further. Gov. Roy Cooper signed executive orders giving an interagency task force broader abilities to assist public-sector entities in defending from cyberattacks, and new laws — like the country’s first outright ban on governments paying off ransomware actors’ demands.
“There’s so many different interconnections between state government and local governments,” Main said. “Take regional offices for health agencies. If there’s an impact in local government, there will be upstream impacts to state agencies. It’s important for us to strengthen each link in the chain and not just focus on the overall chain itself.”
And while the North Carolina Joint Cybersecurity Task Force has brought the state Department of Information Technology — and other agencies — closer to their local counterparts, Main also said those partnerships now extend to the state’s critical infrastructure sectors, like utility providers.
“We can’t be so myopic to focus only on state agencies and local governments,” he said. “It’s the whole of state of North Carolina, and the whole state includes our critical infrastructure partners. Ultimately, if you look at a hypothetically a cyber attack against a utility provider, that utility provider sitting in one of those critical infrastructure sectors, that directly impacts North Carolinians.”
Main also stood by the ban on ransomware payments, even though analysts have questioned the efficacy of such measures.
“To be clear, the law as it exists was not my agency’s legislation, but we strongly supported its passing,” he said. “It’s a statement that was made that North Carolina will not allow for the payment of ransom, and we’re going to focus our effort in bolstering our whole-of-state defenses.”
Carly Sherrod, a cybersecurity task force officer at the North Carolina Division of Emergency Management, has been serving as interim chief risk officer since Main’s retirement. Main said that government CISOs may go unnoticed by the public, but that he’s seen it become “incredibly important” to state government operations.
“Nobody ever will pick up the phone and say, ‘Hey, thank you for stopping the 8 billion security events last week,'” he said. “So it’s an incredibly thankless job, but one, it’s so vitally important to the well being of the residents in their respective states.”