Dissecting Popular IT Nerds

Apply
Episode Cover Image

345- Framework that enables with Meghan Cook

Our guest's LinkedIn profile

framework that enables
Dissecting Popular IT Nerds
345- Framework that enables with Meghan Cook
Loading
/

Meghan E. Cook

Leading the New York State Division of Homeland Security and Emergency Services Cyber Incident Response Team, Meghan Cook brings a unique background in facilitation and public administration. Her approach combines relationship building with technical understanding to help local governments and school districts protect their technology infrastructure.

Enabling Framework

How do you lead effectively across multiple government agencies? Meghan Cook shares her journey from broadcast communications to directing New York State’s Cyber Incident Response Team, highlighting how facilitation skills and relationship building create successful outcomes in government technology. Her unique perspective shows why technical expertise alone isn’t enough to drive change in complex organizations.

Disclaimer: The views, thoughts, and opinions expressed by guests on this podcast are solely their own and do not necessarily reflect the views or positions of their employers, affiliates, organizations, or any other entities. The content provided is for informational purposes only and should not be considered professional advice. The podcast hosts and producers are not responsible for any actions taken based on the discussions in the episodes. We encourage listeners to consult with a professional or conduct their own research before making any decisions based on the content of this podcast

How To Build Bridges in Technology Leadership

3 Key Takeaways

  • Create frameworks that enable diverse stakeholders to collaborate
  • Make implicit knowledge explicit to build understanding
  • Focus on relationships and trust across organizations

Episode Show Notes

02:32 – Career journey and background

07:45 – Leadership approach in government

21:43 – Building preventative cybersecurity services

31:41 – Root cause analysis and blame culture

43:12 – Advice for emerging leaders

Transcript

Speaker 0 | 00:00.500

Welcome back, everyone, to today’s episode of Dissecting Popular IT Nerds. I’m your host, Doug Kameen, and today I’m talking with Megan Cook, the director of the New York State Division of Homeland Security and Emergency Services Cyber Incident Response Team. Welcome to the show, Megan.

 

Speaker 1 | 00:15.252

Hi, thank you. I’m happy to be here.

 

Speaker 0 | 00:18.574

It’s great to have you here. So that is a mouthful to say for your title, but it’s super critical. So I’ve got two pieces to it. One is it’s so long. because you’re one of a couple of different teams that New York State has in this space.

 

Speaker 1 | 00:35.147

Yes. So New York State has a decentralized approach to cybersecurity. And agencies work together. And really, it’s one of the states where it does work well behind the scenes of agencies working together. But another agency is New York State Information Technology Services, which has a very large cyber team. And they address many of the state agencies. So in the Division of Homeland Security and Emergency Services, we focus on helping the local governments and the school districts, which in New York State, there are many of county, cities, towns, villages.

 

Speaker 0 | 01:15.796

That’s a lot.

 

Speaker 1 | 01:16.756

Yes, there’s a tremendous amount. So that’s where our focus is. But yeah, but we also work hand in hand with New York State ITS. the New York State Police Cyber Analysis Unit. We work hand-in-hand with the other agencies that might have their own connections to local governments. So I like to say which agency I’m from I work for, but really I say to people, we’re all talking to each other multiple times a week across these state agencies because everything’s so interconnected in our state.

 

Speaker 0 | 01:48.990

And now for the listeners out here, you and I have some background here. We know each other. We’ve known each other for a number of years in part. because in past lives, we both worked at different places, but I have worked in the local government space in New York State. Me as a CIO and you were providing a ton of support for the New York State Local Government IT Directors Association. We love long acronyms, I’ll point out. So the NYSCLIDA organization is through your work with the Center for Technology and Government, if I recall.

 

Speaker 1 | 02:22.099

Yes, yes. So I… Let me just give you, I like to give the bird’s eye journey of how I came to be where I am.

 

Speaker 0 | 02:32.185

Yeah, absolutely.

 

Speaker 1 | 02:33.686

I think it makes sense to me. So I started out, I was going to be a newscaster. I went for broadcast communications. So I saw the newscasters on TV and I thought, that’s exactly what I’m going to do. So I did, I graduated with a broadcast communications degree. And then… Realized that maybe it wasn’t the path for me, but the skill set really helped me understand different types of communication, how to analyze, how to produce events. It really gave me a foundation. And then I felt the pull towards public service. And I ended up getting a master’s in public administration. And from there, my… My first internship was at the New York State Forum for Information Resource Management, which today is now called the New York State Forum. And it was an organization of what they used to call data processing managers, you know, back in the day. And from there, I loved that, you know, as an internship. And then when I started working at the Center for Technology and Government, it is a global applied research center. that focuses on this intersection between policy management and technology in the public sector. So that, you know, when I think when you’re young, you always think, I’ll be here five years, maybe, you know, I’ll do this job, and it’ll be really interesting. And then before you know it, you turn around and you say, I’ve been here 25 years. And one of the things that at CTG is that I really got to focus on local government. And that’s where I got to know the folks from the IT Directors Association and really learned that there was not a lot of connection between state and local. So here I was in these spaces of these state agencies who are putting together programs and trying to understand more about local government. And here I am, you know, in the other part of my week with local governments who are saying, you know, we really wish these programs would. the state agency programs and all these connections, we could better inform them. So I kind of started to take that role and just start jumping in and help connecting those dots. And I think that’s what I’ve done quite a bit is in, you know, when you see a gap. and nobody’s filling it you just say okay what can i do to help here and um it’s kind of how it grew it grew from from there and i i my role was advisor but really support to the association for about 20 years it was somewhere between 15 and 20 years you know everybody says we lose track you do lose track after a while um but yeah i think i answered your question on that but but coming from broadcast communications into public administration um being at CTG. So one last thing I’ll, you know, I’ll say about that is CTG provided an opportunity to build a skillset in so many policy areas of government, because we worked on everything from health and human services. So I spent a lot of time with child protective services, to elections and election security. Of course, cybersecurity, I got to work in that area but also open data so spent a lot of time working with the federal government in open data initiatives and then work globally so we did lots of work for the un and the world bank yeah so it

 

Speaker 0 | 06:13.333

was building a set of skills but going into different policy areas and i think that’s why the 25 years went by so fast so diving in a little bit into the leadership question here for you. I definitely appreciate you sharing that leadership journey. Starting out broadcast journals, that’s often one of the questions we ask is like, what did you want to be? And you want to be a journalist, and here you are leading one of the elite cyber teams in the state of New York, in the state of New York, I should say. But leadership and thinking about your work at CTG, you did a lot of work in policy, and policy is a government. policy requires different kind of leadership than say, like, I work for a business and the businesses, you know, we’re building, you know, let’s say we’re building engines, we’re building motors, we’re building whatever the widget is we’re building. You have a specific business focus. And that oftentimes drives the type of leadership that you need to deliver in order to get the job done. But in your space, leadership is a much more nuanced and intangible. component because there’s a lot of influence, there’s a lot of coordination. And I don’t want to speak too much for you here and put all the words in your mouth, but I’d love to hear your take on how different the leadership is, the types of leadership that you have to do, and how and the tactics you use to excel in that space.

 

Speaker 1 | 07:45.131

So, you know, in preparing for this talk, I was thinking back because, you know, I know one of the questions is, At what point did you recognize that maybe you had emerged into a leader? Because we all show leadership qualities, but this idea of leader really got to me and I thought, okay, when I look back now and I understand what I was doing at CTG, which was bringing together people from sometimes from different departments within the same agency or leaders from different agencies because we all had to work towards a goal. Okay. So we might be in a program or policy area, but so many of our public service problems are not confined to one mission. There are multiple missions coming together and that increases complexity of understanding the problem, of understanding the competing values that exist within each of the organizations and bringing people together to determine what areas do they agree on, what do they disagree on, and are the areas that they agree on solution-based? And that skill set of being able to bring people together to do that, I didn’t understand at the time was a leadership skill set. I thought it was simply a you know, an approach, a strategy in order to get this group of people to create a product or to agree. They didn’t understand at the time. So I think, you know, when we talk about government and we talk about leadership in a way, it was never directing people where to go, but rather creating the construct. that allowed them to ask questions of each other in a way that help them understand each other’s point of view. So we talk a lot about the mental, you know, your mental model. So as a facilitator in those roles, what I would be able to do is get people to talk about the context of their mental model and take the very implicit and make it explicit so that another person listening who may have been at odds in a policy area or in an approach, hear that. And maybe understand, I know where you’re coming from. I know where we’re trying to go. So I can work towards a more clear understanding of the problem and the potential solution. But I can’t say that I absolutely knew that that was leadership when I was doing it. I know now because now I’m in positions where we have to lead cross-agency efforts. So we have state-level problems that require. 10 different agencies to weigh in. Now I understand how to pull those people together and do that, but it’s never me out front saying, here’s what I think we should do. It’s saying, hey, I know how to gather all these people together and create a framework that allows them to have conversations and get their ideas down and get documentation of what their agencies are already doing so they can see progress towards this goal together. It’s almost like I’m helping them. I’m helping.

 

Speaker 0 | 11:26.783

A lot of facilitation going on there.

 

Speaker 1 | 11:28.664

Yes, it is. So I’ll stop there.

 

Speaker 0 | 11:31.526

Yeah, no, I think that’s great. I wrote down while we were talking, I just wrote a little note there that I’ve always said, and I recognize this even at the county level, you have all these different departments and each one of them has their own ideas of what they want or their own needs for what they need to do. You know, the sheriff’s office needs are completely different than the county clerk. you know, than the mental health department. And each one of them is going to have tools that they need to do their jobs and all these other pieces that come together. So running any of these organizations as an IT leader, whether it’s coordinating the cybersecurity responses at the state level, doing IT services at the, you know, at a mid-level of government, you are oftentimes pulling together. It’s like running a managed service provider for like, you know, 20, 50, 100 different customers. And then trying to tie them all together. And rather than just like servicing each one individually, you also have the added burden of going to each of them and being like, hey, like you use the same back end tool as this other group of people. Maybe we should work together, you know, like rather than you buying a bunch of stuff and you buy it, a bunch of stuff. Let’s figure out a way to coordinate this. So we’re not, you know, there’s no duplicative effort, duplicative efforts. We’re not, you know, just spinning our wheels on things where we get enough scale to do it well. And. That type of effort is a superpower, the ability to pull people together, the ability to talk them through that process, the ability to see that facilitation and do it without having them basically like, I’ll jokingly say, come to fisticuffs, but they do sometimes in certain ways. I mean, we’ve all been on a call where somebody’s like, I ain’t dealing with this crap, and they’ll hang up the phone or get off the Zoom call or whatever the case may be.

 

Speaker 1 | 13:15.450

Yeah, well, you know, so. It’s one thing to be able to put together a plan to gather people and understand the complexity of their mission, of the tools they’re using, and then the personalities altogether. But when your responsibility is to get some type of solution or end product, the skill set needed to bring a large group of people together is… has to be honed. And so there’s two mentors that I had for 20 plus years, Sharon Dawes, who’s the founding director of the Center for Technology and Government, and Teresa Pardo. And I got to work side by side with them every single day. So in the latest effort that I just ran a large workshop this past year, someone asked me, did you go to school to learn how to do this? And I said, well, I did. But it was this working side by side, two great mentors for many, many years. And a couple of things that they did that I had to learn how to do. One is a very active listening. So when people are speaking, there’s a lot of preamble. So there’s a lot of things they say at the beginning and a lot of things they say at the end. But you want the crux. You want the real piece of what they’re meaning. and you want to pull that out. So you have to be able to tease out that information. You have to be able to say it back to them so they know that you heard them. And you have to be able to connect the dots as people are talking and help them see that they probably have more in common than they have different. But also document those differences. You’re not trying to smooth over them. You’re trying to bring them out in front of everyone. The other part is being a regular person. Right. So we’re all just people together trying to solve a problem and creating those relationships. One of the. There were two leaders of the local government IT Directors Association from the very beginning when I was, you know, wondering, am I going to stay in this field? I’m not sure. Ed Heminger was one of the first CIOs who really drove home the point about relationships. It’s really hard when you’ve developed a relationship with someone in another agency to be, you know, to be like just dismissive, because then you’re going to pick up the phone and say. Hey, we’re having this challenge. Can you help me figure it out? And then there’s also Tim McKinney, who was, you know, a leader in our state ITS services, as well as in the county, who spent a lot of time focusing on the development of relationships. So added on with the skill set of facilitation is this ability to think in real time, document in real time. actively listen to people and bring to the forefront what they’re saying. And I’m not going to lie, it’s physically exhausting to do all of those things, especially when you’re have had many, many people in the room, you know, even a 20 person workshop I’ve done. I think the largest one I’ve had is maybe 160, 170 people. That’s a, you know, a hard group of people to… to really bring to a consensus. But, and then I’ll, I’ll wrap up here because I do want to say that this idea of bringing people together and seeing across agencies is just one of the skill sets because, you know, the other part of being a leader is sometimes you are making the decisions. Sometimes you are ahead of everyone. And so it’s not always this supportive facilitation type of environment. When you do become the director and you do become the leader of organizations, it requires…

 

Speaker 0 | 17:22.179

You got to make the call.

 

Speaker 1 | 17:23.460

You got to make the call, right. And knowing when to play that role. So I just want to make sure it just wasn’t one-sided in that approach.

 

Speaker 0 | 17:34.825

Yeah, no, I think that the part that’s really great about what you’re sharing here is that one of the things on this podcast that we so often interview IT… I would call them operational leaders, the people who came up through the operational space, like myself. I was an operational leader all along. But your background is very different in a really constructive and complementary way, because the leadership skills that you’re bringing to the table revolve around the skills of facilitation, the skills of being able to hear and bring to consensus groups of people who might otherwise be people. practical purposes diametrically opposed when they walk to the door and and and getting them to be like you know what excuse me you know you know what these are this is actually a good uh you know i see what i see what you know joe’s saying i see what jane is saying and we should all agree and that’s all good and you know so like that that’s a really valuable skill set and a lot of folks even if they’re not in a space like you are where they’re going around and and it being asked to facilitate large groups of people and so there’s a ton of transferable skills you even within organizations for that type of work.

 

Speaker 1 | 18:46.434

Right. And I think it’s the clarity. It’s gaining clarity. So even if you walk out of the room, many times there is not agreement, but at least we know the points that we disagree on. And it’s not everything, right? So I don’t want to paint it like it always turns out happy. It doesn’t always turn out happy. But I think the other part of this idea of leadership is asking people what what they need, what they need to do their jobs, you know, and, and if they’ve never thought of expansion or growth, encouraging them to do that, and then asking them what is standing in their way. And then if those are things that you can help move out of the way, then you do that. And that’s really, I’ve seen my role in this organization that I’m in now. I had, you know, the opportunity to join a team that is extremely successful, has a tremendous amount of expertise, highly regarded around the state. So, you know, it. They were all created by the time I got there. So when I walked in the door, for me, it was saying, what more do you want to do and why can’t we do it? And then documenting those and saying, okay, let’s start chipping away at all of these obstacles that are in the way of the things that you want to do. And then proposing some new ideas. So I’m a big proponent of let’s, we created a teaching and learning series. So. You’re all smart people. Let’s take, you know, twice a year, you stand up in front of your colleagues and you teach them something about this field we’re in and just to see what we can learn. And it gives people an opportunity to get up in front of each other, to maybe learn something a little bit different. But this idea of we’re all in this together, we’re all just regular people, and we’re going to spend some time thinking about some new ideas. and really delving into some topics that are maybe outside of our day-to-day.

 

Speaker 0 | 20:52.687

So I want to ask a question about what do you think is important to lead in an organization or be a leader in an organization where the output is, I would call it intangible. So if I’m a CIO, there’s a certain amount of tangibility to the outcomes of what we do. You know, hey, look, we need to do ERP. Yay, we implemented an ERP. Did we do it on time? Did we do it on budget? Did we do it on this? But in your space, in the cybersecurity space, a lot of the work that you do, and some of this will be, I guess, maybe a caveat to your team because they do specifically respond to incidents. They are the cyber incident response team. But a lot of effort is avoidance. It’s the intangible work of making sure that people don’t drive the car off the cliff. And so how do you make sure to convey the value of that work and make sure that that’s visible and seen?

 

Speaker 1 | 21:43.722

That’s a good question. So one of the things that were when we were created in late 2017, it was in response to the need for a cyber incident response team. Since then, we’ve grown into a whole set of preventative and proactive services that we carry out. So I hear what you’re saying. It’s it’s very hard to you want to communicate to people that we need to do all of these things up front. So we’re not in a situation. by which that we are responding to an incident, which we will always have that. And that’s important to have. You know, one of the things that we have found is that we’re trying to get at an organization from multiple perspectives. In any area that I’ve worked in government and talked with government leaders, what we’ve learned is that people are trying to figure out where they fit into the process. So if I am the head of procurement, I’m trying to understand where do I fit in in keeping our organization secure? Is it just in my role in procurement? Is it my role as an employee? So one of the things that we do is address this from multiple standpoints. So we have a group of technical experts. They do cyber risk assessments. They do a pen test program. They do a lot of research. They are like a virtual CISO, so they spend a lot of time helping the technical leaders develop a strategy to move forward. But we also have other services and many conversations with legal risk management. So in them thinking about, you know, what are the components that I should be paying attention to when I review contracts for, you know, all third party services? Because the third party risk, as you know, is a big one. But then there’s also like human resources. They’re wondering what to do. There’s all the department heads. We just did a workshop a couple of weeks ago and we had all of the people from public works there. So they’re wondering, how do I play a role in cybersecurity? So we talk about all their touch points on their devices and, you know, firefighters. So we’ve used to talk with a lot of police officers, firefighters who are. Um, you know, they may get it, hear from their colleague about, Hey, there’s this new, there’s this new service. Um, there was this app that allowed you to slow down videos and they thought this is really cool because we need to slow down these videos. But what does it mean to just download something? Well, you shouldn’t be able to just download something and there’s, there’s a danger to that. So it’s anything that you have on your device that could potentially be a vulnerability and they just start to shift their perspective. Um, one of the other things we’re doing. is there’s many administrative people, and I would consider myself part of this group, that believes… that we should have access to all systems, right? Everybody’s like, I’m so busy. I absolutely have to have access to these systems. So when I say to them, do you understand this idea of least privilege? They’re like, not really sure what you’re talking about. So we actually sit down at their-For everyone else,

 

Speaker 0 | 25:07.940

right? For everyone else, least privilege is fine.

 

Speaker 1 | 25:09.621

Exactly, yeah. So we sit down at their computer and we say, okay, show me everything you have access to and how do you get into them? And then- I say, can you imagine that now you’re the most vulnerable because you have access to all these systems? Do you absolutely need admin rights to all of these? And I find that when you break it down like that, and you might be in a one-on-one and you’re having a conversation like that, you say, okay, no one’s taking away your authority to do any of this. But let’s think through the way that your administrative rights are in all of these systems. And if you actually need all of those, because it has this other implication of keeping your organization secure. And we do this with a lot of clerks. So, you know, town clerks, village clerks, and having this conversation, because they all want to do the right thing. Absolutely. Haven’t met a person who doesn’t want to do the right thing, but they don’t understand how A and B connect. And so it’s… breaking it down and putting it into terminology that they may not have thought about before. And I realized that many times my metaphors are not perfect. And I do make some of my colleagues cringe when I talk about a metaphor of how to explain something. And I say, but if it gets that other government leader to pay attention to cyber a little bit more, then I’m okay with that. Because I know it’s not perfect, but they make, you know. They got it. And they’re like, oh, yeah, I get that now. So now I’m going to think a little bit differently.

 

Speaker 0 | 26:48.811

Yeah, I think about one of the other things that I dovetail with that is just on the other side is if there is an incident, the fewer people that have access to something, the fewer questions are to ask. So like if I’m the CIO and I have admin access to every single piece of equipment in our space and something goes wrong, there’s a compromise. Now there’s an investigation. Think of how much time that actually slows the investigation down, notwithstanding the fact that you get asked questions. But the first question becomes, like, who had admin access? So now if you had admin access, you’re on the list to get follow-up questions. Be like, did you secure this stuff? Did you do these steps? Did you take care of these things? Whatever the follow-up may be. And I’m not saying that in, like, an accusatory way, like they’re going to be on the hot seat to be accused of doing bad things. But you create more hassle for yourself in the long run by not following those principles. Andy? and it can actually slow down the larger cycle of the investigation work that might need to happen because if they have to interview if you open up a system and there’s 20 admin logins that’s a lot of investigating that a lot more investigated than if there’s two yeah yep yes

 

Speaker 1 | 27:53.946

exactly exactly so um so yeah it’s it’s you know you get what works for one entity your approach on how you get through doesn’t necessarily work with all of them and Sometimes people need to hear things multiple times before they say, I get it now. And even with all of that, we say, this is just all preventative. You may have an incident. And it doesn’t mean that you didn’t put all of these measures in place. It just means that this is the world we’re living in now. And that’s another hard thing to accept. But I find that the discussion around governance and decision making is an interesting one because when there are multiple requests made for staffing, for tools and resources, for more secure ways of storage, when those requests are not met, then because those leaders don’t understand the implications of saying no, and we’re all in tight budget. everyone has limited resources yes but when those discussions are happening at the governance level and they’re not being funded people need to know why how what the implications are of that and um you know i do one of the things that gets me gets me angry every time i see it is um when an organization has an incident and then After the fact there is an investigation. So there’s an investigation, you know to understand the root cause and the IOC’s but then there is more of sometimes it’s Maybe a political or administrative Investigation and in that case It’s pointing out the things that weren’t done. And to me, that’s only half of the story. I want to know about all the times that the IT leaders from that organization tried to put things in place and it wasn’t funded and it wasn’t given, it wasn’t put on the agenda. Okay. Because what I have found is that IT leaders and cyber leaders, and I say IT because many of the organizations we’re working with are not able to have. to fully resourced staffs. They can’t have a cyber staff and an IT staff. So that’s why I say they’re one in the same because it’s the level of organization. They were not able to fund all of those things. And therefore, when a report comes out and it says, you know, we’re throwing this department under the bus, which it feels like, and I’ve read some of those, it’s not fair. Number one, because you’re not only seeing one side of the story of what happened there. And two, this is a really difficult field to recruit and retain people. So, you know, being an IT or cyber leader in local government is challenging, but it’s also rewarding. And so when we’re looking, you know, at the pipeline of students, I want them to say, you know, local government is a place that I can go and work in. I can have so many different experiences across different policy areas and still work in this field that I like of information technology and cyber. And it makes it challenging when there is a report that comes out that says it is the fault of this organization. So that’s I know you didn’t ask me, but it was one of the things that makes me a little bit crazy.

 

Speaker 0 | 31:41.704

Yeah, we can have a, you know, you know, it really grinds my gears segment here. Like, right. But to your point, though, I think that’s a really insightful commentary on how we do follow-up investigations. So in a lot of organizations, or well, not a lot of organizations, I don’t want to be too generalized rapidly there. I’m aware that a lot of engineering teams in major corporations, so I’ll state that as a generalization that I am aware of, they will… find, do root cause analysis for the purposes of educating the folks. Like, hey, we did something wrong. Yes, this was what happened. But the goal is not punishment. The goal is education and learning. So as a consequence, the environment becomes more open because if I have made a mistake, even inadvertently or clearly not intentionally, if I think that, say, my job is on the line or a reprimand is coming. or some other problem is going to follow up with this, then I’m much more likely to just keep my head down and hope that nobody really figures it out. You know, I’d be like, well, you know, this will blow over, right? You know, hey, is the system down? And then as you’re watching it reboot and it comes up before you get a chance to respond, you’re like, no, I don’t know what you’re talking about. It must have been a glitch with the internet, right? So, you know, 100%, I’ve been there. Like, you know, we’ll just let that one slide, right? But the… That environment of punishment or blame in the IT space in particular can stifle the learning process that people have to actively learn from their mistakes. So the lesson they take away is like, I better keep my head down because I saw what happened to Jane when she said something, and that was not good. So let’s just kind of, we’ll shut up. We’ll hope that this kind of blows over and move forward. And then that short circuits the learning process of like. Like, did we make a mistake? What was the mistake? And how do we prevent it from happening?

 

Speaker 1 | 33:44.666

Right, right. And it may not even be a full mistake, but rather the realization that the organization didn’t put value, which typically turns into resources, behind multiple requests for either centralization. Because we know that the shadow IT leads to purchases that are, you know, connected to the network that may not be protected. So it’s the request to pull things in in order to protect that the organization, the leadership doesn’t understand that. So, you know, when I it’s just one of the things that I say, let’s get the full story before, you know, I never want to put blame because it’s really the entire organization. together and let’s get away from this idea of blame.

 

Speaker 0 | 34:43.324

Yeah. And I’ll put the, I’ll put the caveat on, you know, for both of us, you know, for future listeners of the, of the podcast that, that I think we both understand that it is important to understand why things were done. And if there are egregious errors that were made, we absolutely want to focus on those and make sure that we understand if somebody made some sort of like catastrophic decision, that was the wrong one. And it was clearly the wrong one. They should probably there’s accountability is different than blame. And, and, and those two have, they have different. meanings and different purposes. I do want to jump to a more, I call it the more fun side of our conversation. So you mentioned that you started, you originally started in a degree in broadcast journalism. And so one of the questions we often ask is, is a lot of folks here are technologists first. So this question would look a little different for you. And I think it’ll lead a little different place. How and when did you start getting exposed to technology in a way that like… We would often ask, hey, what was your first computer? And it’s like, oh, I would take her to the computers when I was 12 years old or something like that. But that’s not your background. You were not a computer person before stepping into some of your later roles. So how did you come in to be in technology and when did you kind of get interested in it? And where do you feel you are today? You might not even consider yourself to be a technologist as much as you are a leader in the technology space.

 

Speaker 1 | 36:07.627

Well, that’s when you… You know, one of the things I was thinking about was I don’t walk in the room and say that I’m a technologist. Absolutely, I don’t. Because I can speak the language. And I think where I am now is there is a strong need for what I call this translation between technologists, IT experts, cyber experts, translating from what they’re saying for the leaders of. the non-technical leaders of organizations. So I’ve gotten really good at this middle space of translation. Here’s what they’re saying, here’s what it means, and here’s why you need to make a decision or pay attention to that. Here’s the risk associated with this. So I’ve gotten really good at listening and then translating in different words to a non-technical population. I would say when I interviewed… for my first internship at the New York State Forum. And that’s another one of my mentors, Terry Maxwell. He hired me. And I said, I told him everything I was working on. Of course, you know, you’re a student, so you don’t have a ton of experiences. And I was very upfront. I said, I don’t have, you know, a computer science degree. I have a public administration degree. And I remember in the interview, he said, you can learn that. He says, you already have things that you can’t teach. I’ve seen you talk. He was also a professor at the school. So he already saw things. And so then I realized that I could learn this. So it’s really been a 29-year education working side by side with technologists and not being afraid to ask questions. So people may look at me and say, well, yes, Megan, you can speak technology.

 

Speaker 0 | 38:06.188

I can vouch for this, by the way. You have a very great understanding of technology, even though you can speak about how networks are built without having to throw a switch on a table, it can be able to configure it.

 

Speaker 1 | 38:21.094

Right. So I think it’s just been along the way and talking with people and really working side by side with government, middle management. You know, large systems, we used to do a lot of business process analysis when they were looking to procure statewide systems. And you have multiple agencies that have to use it. And everyone comes to the table saying, we’re unique. We do it differently.

 

Speaker 0 | 38:51.603

Sure you are.

 

Speaker 1 | 38:52.464

Right. And you spend six, seven months, you know, as a project mapping out their processes. And then when you bring them all together, you show them, okay, I know you call it this and you call it this. But really, you all do the same 15 steps. You’re just calling it something a little bit different. And I get that there’s some business rules that are different. But, yeah, mine’s been an along the way. And then there’s been, you know, little short courses and being okay with asking questions of people. Because if there’s one thing I’ve. I have found there’s People in government are there because they’re called to public service. If they’re working in IT or cyber in local government and you ask them about why they chose those tools or why they’re taking this approach, they love to tell you. And I like to listen. So it’s just been a lot of asking people who are smarter than me in this area and pulling out the pieces that I need for the work that I need to do to help them achieve what they need to do.

 

Speaker 0 | 39:59.983

So. We’re coming to the end of the podcast here, but I have two more things I want to ask. One is a fun one is share something about yourself that people wouldn’t ordinarily expect. So I can I can you know this story so I can share this with you and it won’t like intimidate you. OK, but, you know, like I once delivered a baby in a car. Right. So so like just something like like, wow, I there was a gentleman on the podcast, a couple of. months ago um who was uh when he was a kid he was clinically dead for 12 minutes wow yeah and it led to like a whole like out of body experience for him like it was it was you know like he it was a real like pivot point in his life but uh i mean it doesn’t have to be that big but you know like maybe i don’t know maybe you were a fencing champion when you were a kid right travel the world as a kickboxer so there is um i call myself athletically delusional

 

Speaker 1 | 40:59.352

So, yes, I think that I can just try any sport and I don’t care if I’m not great at it. You know, so I’ve done boxing. I am I row now on a master’s crew team. Oh, yeah. You know, I do remember back in high school when my I was on the field hockey team and I sat the bench all the time. And, you know, I always was working hard during practice, but I really didn’t get into a game. And, but I was never cut. And, you know, I did go to a small school. I figured that was the reason. And one of the, one day the coach said to me, you know, you really don’t have any athletic skill, but you’re the glue that holds this team together. And I, I thought about it for a minute. And then I said, I don’t understand what that means. What does that mean? And she described to me a person who it wouldn’t be a team without that person. And. And, you know, I walked away thinking, OK, I don’t have any real athletic skill. I kind of knew that.

 

Speaker 0 | 42:01.873

But was I insulted here or not? I’m not quite sure yet as a kid.

 

Speaker 1 | 42:07.594

But I also started to understand this other role that I might play in in team sports, you know, because you want to be in a team sport. So, you know, all the way up to now, I have run a marathon when I probably shouldn’t. I run half marathons. And. I don’t do particularly well at any of them, but I continue to try. So I think that’s one of the things I’ll say about me is that I am athletically delusional. When I tell people that I’ve tried something new, they’re like, of course you have, because I said, because it looked interesting. Awesome.

 

Speaker 0 | 42:42.648

And last, what advice would you have for other leaders coming up in the space? And I’m going to, I’ll give you maybe the, I’ll call it the obvious framing, but the clear framing. Like you’re a woman in this space and that that that presents unique challenges. You know, you’ve really had a lot of success. But for others, you know, other folks who might not be from the kind of like the common, like traditional groups of people who come up in the leadership space here, what what advice do you have for them?

 

Speaker 1 | 43:12.360

So I believe that I believe that people are typically ready before they make a big leap into something. So, you know, I think if we look back, we go. I probably could have done that a little bit sooner than I did, but I felt like everything had to be in place. And so what I would say is that not, you don’t have to be perfect in every area to take that leap. Um, because some leadership qualities you’re going to have, and some you’re going to develop along the way. And I really think if you take this idea of, you know, I didn’t even get into the whole idea of servant leadership, which is not a big deal. really working for your people. But I hope that I described some of that.

 

Speaker 0 | 43:58.833

We can have a whole other episode on that. I know.

 

Speaker 1 | 44:02.315

I love the idea of it. And I do read a lot about it because what you’re doing is you’re serving the needs of the people who work with you. And so I think if you keep that perspective, that helps you as a leader. So knowing that you’re probably ready a little bit before you take that jump. And also, you’re there with them, helping the entire group. And you’re helping get obstacles out of the way. And you’re learning about people. And you’re making sure that, you know, it’s an environment that people want to be in. I think, and also letting others see who you really are. Many times, leaders want to be someone who is only perceived a certain way. I’m okay with people seeing the real me. And… And, you know, it’s just it’s part of what makes each of us unique. You know, I really enjoy the different personalities on my team and all of their expertise. And most of the time I talk about the team as if I am with them. I don’t think I say that I am the leader because I consider myself part of that team.

 

Speaker 0 | 45:18.654

Awesome. Yeah. Well, thanks. Thanks for that awesome insight. So, Megan, thank you so much for investing your time with us on the podcast today.

 

Speaker 1 | 45:26.074

Thank you so much.

 

Speaker 0 | 45:27.217

That’s a wrap on today’s episode of Dissecting Popular IT Nerds. I’m Doug Kameen, and we look forward to coming to you on our next episode.

 

345- Framework that enables with Meghan Cook

Speaker 0 | 00:00.500

Welcome back, everyone, to today’s episode of Dissecting Popular IT Nerds. I’m your host, Doug Kameen, and today I’m talking with Megan Cook, the director of the New York State Division of Homeland Security and Emergency Services Cyber Incident Response Team. Welcome to the show, Megan.

 

Speaker 1 | 00:15.252

Hi, thank you. I’m happy to be here.

 

Speaker 0 | 00:18.574

It’s great to have you here. So that is a mouthful to say for your title, but it’s super critical. So I’ve got two pieces to it. One is it’s so long. because you’re one of a couple of different teams that New York State has in this space.

 

Speaker 1 | 00:35.147

Yes. So New York State has a decentralized approach to cybersecurity. And agencies work together. And really, it’s one of the states where it does work well behind the scenes of agencies working together. But another agency is New York State Information Technology Services, which has a very large cyber team. And they address many of the state agencies. So in the Division of Homeland Security and Emergency Services, we focus on helping the local governments and the school districts, which in New York State, there are many of county, cities, towns, villages.

 

Speaker 0 | 01:15.796

That’s a lot.

 

Speaker 1 | 01:16.756

Yes, there’s a tremendous amount. So that’s where our focus is. But yeah, but we also work hand in hand with New York State ITS. the New York State Police Cyber Analysis Unit. We work hand-in-hand with the other agencies that might have their own connections to local governments. So I like to say which agency I’m from I work for, but really I say to people, we’re all talking to each other multiple times a week across these state agencies because everything’s so interconnected in our state.

 

Speaker 0 | 01:48.990

And now for the listeners out here, you and I have some background here. We know each other. We’ve known each other for a number of years in part. because in past lives, we both worked at different places, but I have worked in the local government space in New York State. Me as a CIO and you were providing a ton of support for the New York State Local Government IT Directors Association. We love long acronyms, I’ll point out. So the NYSCLIDA organization is through your work with the Center for Technology and Government, if I recall.

 

Speaker 1 | 02:22.099

Yes, yes. So I… Let me just give you, I like to give the bird’s eye journey of how I came to be where I am.

 

Speaker 0 | 02:32.185

Yeah, absolutely.

 

Speaker 1 | 02:33.686

I think it makes sense to me. So I started out, I was going to be a newscaster. I went for broadcast communications. So I saw the newscasters on TV and I thought, that’s exactly what I’m going to do. So I did, I graduated with a broadcast communications degree. And then… Realized that maybe it wasn’t the path for me, but the skill set really helped me understand different types of communication, how to analyze, how to produce events. It really gave me a foundation. And then I felt the pull towards public service. And I ended up getting a master’s in public administration. And from there, my… My first internship was at the New York State Forum for Information Resource Management, which today is now called the New York State Forum. And it was an organization of what they used to call data processing managers, you know, back in the day. And from there, I loved that, you know, as an internship. And then when I started working at the Center for Technology and Government, it is a global applied research center. that focuses on this intersection between policy management and technology in the public sector. So that, you know, when I think when you’re young, you always think, I’ll be here five years, maybe, you know, I’ll do this job, and it’ll be really interesting. And then before you know it, you turn around and you say, I’ve been here 25 years. And one of the things that at CTG is that I really got to focus on local government. And that’s where I got to know the folks from the IT Directors Association and really learned that there was not a lot of connection between state and local. So here I was in these spaces of these state agencies who are putting together programs and trying to understand more about local government. And here I am, you know, in the other part of my week with local governments who are saying, you know, we really wish these programs would. the state agency programs and all these connections, we could better inform them. So I kind of started to take that role and just start jumping in and help connecting those dots. And I think that’s what I’ve done quite a bit is in, you know, when you see a gap. and nobody’s filling it you just say okay what can i do to help here and um it’s kind of how it grew it grew from from there and i i my role was advisor but really support to the association for about 20 years it was somewhere between 15 and 20 years you know everybody says we lose track you do lose track after a while um but yeah i think i answered your question on that but but coming from broadcast communications into public administration um being at CTG. So one last thing I’ll, you know, I’ll say about that is CTG provided an opportunity to build a skillset in so many policy areas of government, because we worked on everything from health and human services. So I spent a lot of time with child protective services, to elections and election security. Of course, cybersecurity, I got to work in that area but also open data so spent a lot of time working with the federal government in open data initiatives and then work globally so we did lots of work for the un and the world bank yeah so it

 

Speaker 0 | 06:13.333

was building a set of skills but going into different policy areas and i think that’s why the 25 years went by so fast so diving in a little bit into the leadership question here for you. I definitely appreciate you sharing that leadership journey. Starting out broadcast journals, that’s often one of the questions we ask is like, what did you want to be? And you want to be a journalist, and here you are leading one of the elite cyber teams in the state of New York, in the state of New York, I should say. But leadership and thinking about your work at CTG, you did a lot of work in policy, and policy is a government. policy requires different kind of leadership than say, like, I work for a business and the businesses, you know, we’re building, you know, let’s say we’re building engines, we’re building motors, we’re building whatever the widget is we’re building. You have a specific business focus. And that oftentimes drives the type of leadership that you need to deliver in order to get the job done. But in your space, leadership is a much more nuanced and intangible. component because there’s a lot of influence, there’s a lot of coordination. And I don’t want to speak too much for you here and put all the words in your mouth, but I’d love to hear your take on how different the leadership is, the types of leadership that you have to do, and how and the tactics you use to excel in that space.

 

Speaker 1 | 07:45.131

So, you know, in preparing for this talk, I was thinking back because, you know, I know one of the questions is, At what point did you recognize that maybe you had emerged into a leader? Because we all show leadership qualities, but this idea of leader really got to me and I thought, okay, when I look back now and I understand what I was doing at CTG, which was bringing together people from sometimes from different departments within the same agency or leaders from different agencies because we all had to work towards a goal. Okay. So we might be in a program or policy area, but so many of our public service problems are not confined to one mission. There are multiple missions coming together and that increases complexity of understanding the problem, of understanding the competing values that exist within each of the organizations and bringing people together to determine what areas do they agree on, what do they disagree on, and are the areas that they agree on solution-based? And that skill set of being able to bring people together to do that, I didn’t understand at the time was a leadership skill set. I thought it was simply a you know, an approach, a strategy in order to get this group of people to create a product or to agree. They didn’t understand at the time. So I think, you know, when we talk about government and we talk about leadership in a way, it was never directing people where to go, but rather creating the construct. that allowed them to ask questions of each other in a way that help them understand each other’s point of view. So we talk a lot about the mental, you know, your mental model. So as a facilitator in those roles, what I would be able to do is get people to talk about the context of their mental model and take the very implicit and make it explicit so that another person listening who may have been at odds in a policy area or in an approach, hear that. And maybe understand, I know where you’re coming from. I know where we’re trying to go. So I can work towards a more clear understanding of the problem and the potential solution. But I can’t say that I absolutely knew that that was leadership when I was doing it. I know now because now I’m in positions where we have to lead cross-agency efforts. So we have state-level problems that require. 10 different agencies to weigh in. Now I understand how to pull those people together and do that, but it’s never me out front saying, here’s what I think we should do. It’s saying, hey, I know how to gather all these people together and create a framework that allows them to have conversations and get their ideas down and get documentation of what their agencies are already doing so they can see progress towards this goal together. It’s almost like I’m helping them. I’m helping.

 

Speaker 0 | 11:26.783

A lot of facilitation going on there.

 

Speaker 1 | 11:28.664

Yes, it is. So I’ll stop there.

 

Speaker 0 | 11:31.526

Yeah, no, I think that’s great. I wrote down while we were talking, I just wrote a little note there that I’ve always said, and I recognize this even at the county level, you have all these different departments and each one of them has their own ideas of what they want or their own needs for what they need to do. You know, the sheriff’s office needs are completely different than the county clerk. you know, than the mental health department. And each one of them is going to have tools that they need to do their jobs and all these other pieces that come together. So running any of these organizations as an IT leader, whether it’s coordinating the cybersecurity responses at the state level, doing IT services at the, you know, at a mid-level of government, you are oftentimes pulling together. It’s like running a managed service provider for like, you know, 20, 50, 100 different customers. And then trying to tie them all together. And rather than just like servicing each one individually, you also have the added burden of going to each of them and being like, hey, like you use the same back end tool as this other group of people. Maybe we should work together, you know, like rather than you buying a bunch of stuff and you buy it, a bunch of stuff. Let’s figure out a way to coordinate this. So we’re not, you know, there’s no duplicative effort, duplicative efforts. We’re not, you know, just spinning our wheels on things where we get enough scale to do it well. And. That type of effort is a superpower, the ability to pull people together, the ability to talk them through that process, the ability to see that facilitation and do it without having them basically like, I’ll jokingly say, come to fisticuffs, but they do sometimes in certain ways. I mean, we’ve all been on a call where somebody’s like, I ain’t dealing with this crap, and they’ll hang up the phone or get off the Zoom call or whatever the case may be.

 

Speaker 1 | 13:15.450

Yeah, well, you know, so. It’s one thing to be able to put together a plan to gather people and understand the complexity of their mission, of the tools they’re using, and then the personalities altogether. But when your responsibility is to get some type of solution or end product, the skill set needed to bring a large group of people together is… has to be honed. And so there’s two mentors that I had for 20 plus years, Sharon Dawes, who’s the founding director of the Center for Technology and Government, and Teresa Pardo. And I got to work side by side with them every single day. So in the latest effort that I just ran a large workshop this past year, someone asked me, did you go to school to learn how to do this? And I said, well, I did. But it was this working side by side, two great mentors for many, many years. And a couple of things that they did that I had to learn how to do. One is a very active listening. So when people are speaking, there’s a lot of preamble. So there’s a lot of things they say at the beginning and a lot of things they say at the end. But you want the crux. You want the real piece of what they’re meaning. and you want to pull that out. So you have to be able to tease out that information. You have to be able to say it back to them so they know that you heard them. And you have to be able to connect the dots as people are talking and help them see that they probably have more in common than they have different. But also document those differences. You’re not trying to smooth over them. You’re trying to bring them out in front of everyone. The other part is being a regular person. Right. So we’re all just people together trying to solve a problem and creating those relationships. One of the. There were two leaders of the local government IT Directors Association from the very beginning when I was, you know, wondering, am I going to stay in this field? I’m not sure. Ed Heminger was one of the first CIOs who really drove home the point about relationships. It’s really hard when you’ve developed a relationship with someone in another agency to be, you know, to be like just dismissive, because then you’re going to pick up the phone and say. Hey, we’re having this challenge. Can you help me figure it out? And then there’s also Tim McKinney, who was, you know, a leader in our state ITS services, as well as in the county, who spent a lot of time focusing on the development of relationships. So added on with the skill set of facilitation is this ability to think in real time, document in real time. actively listen to people and bring to the forefront what they’re saying. And I’m not going to lie, it’s physically exhausting to do all of those things, especially when you’re have had many, many people in the room, you know, even a 20 person workshop I’ve done. I think the largest one I’ve had is maybe 160, 170 people. That’s a, you know, a hard group of people to… to really bring to a consensus. But, and then I’ll, I’ll wrap up here because I do want to say that this idea of bringing people together and seeing across agencies is just one of the skill sets because, you know, the other part of being a leader is sometimes you are making the decisions. Sometimes you are ahead of everyone. And so it’s not always this supportive facilitation type of environment. When you do become the director and you do become the leader of organizations, it requires…

 

Speaker 0 | 17:22.179

You got to make the call.

 

Speaker 1 | 17:23.460

You got to make the call, right. And knowing when to play that role. So I just want to make sure it just wasn’t one-sided in that approach.

 

Speaker 0 | 17:34.825

Yeah, no, I think that the part that’s really great about what you’re sharing here is that one of the things on this podcast that we so often interview IT… I would call them operational leaders, the people who came up through the operational space, like myself. I was an operational leader all along. But your background is very different in a really constructive and complementary way, because the leadership skills that you’re bringing to the table revolve around the skills of facilitation, the skills of being able to hear and bring to consensus groups of people who might otherwise be people. practical purposes diametrically opposed when they walk to the door and and and getting them to be like you know what excuse me you know you know what these are this is actually a good uh you know i see what i see what you know joe’s saying i see what jane is saying and we should all agree and that’s all good and you know so like that that’s a really valuable skill set and a lot of folks even if they’re not in a space like you are where they’re going around and and it being asked to facilitate large groups of people and so there’s a ton of transferable skills you even within organizations for that type of work.

 

Speaker 1 | 18:46.434

Right. And I think it’s the clarity. It’s gaining clarity. So even if you walk out of the room, many times there is not agreement, but at least we know the points that we disagree on. And it’s not everything, right? So I don’t want to paint it like it always turns out happy. It doesn’t always turn out happy. But I think the other part of this idea of leadership is asking people what what they need, what they need to do their jobs, you know, and, and if they’ve never thought of expansion or growth, encouraging them to do that, and then asking them what is standing in their way. And then if those are things that you can help move out of the way, then you do that. And that’s really, I’ve seen my role in this organization that I’m in now. I had, you know, the opportunity to join a team that is extremely successful, has a tremendous amount of expertise, highly regarded around the state. So, you know, it. They were all created by the time I got there. So when I walked in the door, for me, it was saying, what more do you want to do and why can’t we do it? And then documenting those and saying, okay, let’s start chipping away at all of these obstacles that are in the way of the things that you want to do. And then proposing some new ideas. So I’m a big proponent of let’s, we created a teaching and learning series. So. You’re all smart people. Let’s take, you know, twice a year, you stand up in front of your colleagues and you teach them something about this field we’re in and just to see what we can learn. And it gives people an opportunity to get up in front of each other, to maybe learn something a little bit different. But this idea of we’re all in this together, we’re all just regular people, and we’re going to spend some time thinking about some new ideas. and really delving into some topics that are maybe outside of our day-to-day.

 

Speaker 0 | 20:52.687

So I want to ask a question about what do you think is important to lead in an organization or be a leader in an organization where the output is, I would call it intangible. So if I’m a CIO, there’s a certain amount of tangibility to the outcomes of what we do. You know, hey, look, we need to do ERP. Yay, we implemented an ERP. Did we do it on time? Did we do it on budget? Did we do it on this? But in your space, in the cybersecurity space, a lot of the work that you do, and some of this will be, I guess, maybe a caveat to your team because they do specifically respond to incidents. They are the cyber incident response team. But a lot of effort is avoidance. It’s the intangible work of making sure that people don’t drive the car off the cliff. And so how do you make sure to convey the value of that work and make sure that that’s visible and seen?

 

Speaker 1 | 21:43.722

That’s a good question. So one of the things that were when we were created in late 2017, it was in response to the need for a cyber incident response team. Since then, we’ve grown into a whole set of preventative and proactive services that we carry out. So I hear what you’re saying. It’s it’s very hard to you want to communicate to people that we need to do all of these things up front. So we’re not in a situation. by which that we are responding to an incident, which we will always have that. And that’s important to have. You know, one of the things that we have found is that we’re trying to get at an organization from multiple perspectives. In any area that I’ve worked in government and talked with government leaders, what we’ve learned is that people are trying to figure out where they fit into the process. So if I am the head of procurement, I’m trying to understand where do I fit in in keeping our organization secure? Is it just in my role in procurement? Is it my role as an employee? So one of the things that we do is address this from multiple standpoints. So we have a group of technical experts. They do cyber risk assessments. They do a pen test program. They do a lot of research. They are like a virtual CISO, so they spend a lot of time helping the technical leaders develop a strategy to move forward. But we also have other services and many conversations with legal risk management. So in them thinking about, you know, what are the components that I should be paying attention to when I review contracts for, you know, all third party services? Because the third party risk, as you know, is a big one. But then there’s also like human resources. They’re wondering what to do. There’s all the department heads. We just did a workshop a couple of weeks ago and we had all of the people from public works there. So they’re wondering, how do I play a role in cybersecurity? So we talk about all their touch points on their devices and, you know, firefighters. So we’ve used to talk with a lot of police officers, firefighters who are. Um, you know, they may get it, hear from their colleague about, Hey, there’s this new, there’s this new service. Um, there was this app that allowed you to slow down videos and they thought this is really cool because we need to slow down these videos. But what does it mean to just download something? Well, you shouldn’t be able to just download something and there’s, there’s a danger to that. So it’s anything that you have on your device that could potentially be a vulnerability and they just start to shift their perspective. Um, one of the other things we’re doing. is there’s many administrative people, and I would consider myself part of this group, that believes… that we should have access to all systems, right? Everybody’s like, I’m so busy. I absolutely have to have access to these systems. So when I say to them, do you understand this idea of least privilege? They’re like, not really sure what you’re talking about. So we actually sit down at their-For everyone else,

 

Speaker 0 | 25:07.940

right? For everyone else, least privilege is fine.

 

Speaker 1 | 25:09.621

Exactly, yeah. So we sit down at their computer and we say, okay, show me everything you have access to and how do you get into them? And then- I say, can you imagine that now you’re the most vulnerable because you have access to all these systems? Do you absolutely need admin rights to all of these? And I find that when you break it down like that, and you might be in a one-on-one and you’re having a conversation like that, you say, okay, no one’s taking away your authority to do any of this. But let’s think through the way that your administrative rights are in all of these systems. And if you actually need all of those, because it has this other implication of keeping your organization secure. And we do this with a lot of clerks. So, you know, town clerks, village clerks, and having this conversation, because they all want to do the right thing. Absolutely. Haven’t met a person who doesn’t want to do the right thing, but they don’t understand how A and B connect. And so it’s… breaking it down and putting it into terminology that they may not have thought about before. And I realized that many times my metaphors are not perfect. And I do make some of my colleagues cringe when I talk about a metaphor of how to explain something. And I say, but if it gets that other government leader to pay attention to cyber a little bit more, then I’m okay with that. Because I know it’s not perfect, but they make, you know. They got it. And they’re like, oh, yeah, I get that now. So now I’m going to think a little bit differently.

 

Speaker 0 | 26:48.811

Yeah, I think about one of the other things that I dovetail with that is just on the other side is if there is an incident, the fewer people that have access to something, the fewer questions are to ask. So like if I’m the CIO and I have admin access to every single piece of equipment in our space and something goes wrong, there’s a compromise. Now there’s an investigation. Think of how much time that actually slows the investigation down, notwithstanding the fact that you get asked questions. But the first question becomes, like, who had admin access? So now if you had admin access, you’re on the list to get follow-up questions. Be like, did you secure this stuff? Did you do these steps? Did you take care of these things? Whatever the follow-up may be. And I’m not saying that in, like, an accusatory way, like they’re going to be on the hot seat to be accused of doing bad things. But you create more hassle for yourself in the long run by not following those principles. Andy? and it can actually slow down the larger cycle of the investigation work that might need to happen because if they have to interview if you open up a system and there’s 20 admin logins that’s a lot of investigating that a lot more investigated than if there’s two yeah yep yes

 

Speaker 1 | 27:53.946

exactly exactly so um so yeah it’s it’s you know you get what works for one entity your approach on how you get through doesn’t necessarily work with all of them and Sometimes people need to hear things multiple times before they say, I get it now. And even with all of that, we say, this is just all preventative. You may have an incident. And it doesn’t mean that you didn’t put all of these measures in place. It just means that this is the world we’re living in now. And that’s another hard thing to accept. But I find that the discussion around governance and decision making is an interesting one because when there are multiple requests made for staffing, for tools and resources, for more secure ways of storage, when those requests are not met, then because those leaders don’t understand the implications of saying no, and we’re all in tight budget. everyone has limited resources yes but when those discussions are happening at the governance level and they’re not being funded people need to know why how what the implications are of that and um you know i do one of the things that gets me gets me angry every time i see it is um when an organization has an incident and then After the fact there is an investigation. So there’s an investigation, you know to understand the root cause and the IOC’s but then there is more of sometimes it’s Maybe a political or administrative Investigation and in that case It’s pointing out the things that weren’t done. And to me, that’s only half of the story. I want to know about all the times that the IT leaders from that organization tried to put things in place and it wasn’t funded and it wasn’t given, it wasn’t put on the agenda. Okay. Because what I have found is that IT leaders and cyber leaders, and I say IT because many of the organizations we’re working with are not able to have. to fully resourced staffs. They can’t have a cyber staff and an IT staff. So that’s why I say they’re one in the same because it’s the level of organization. They were not able to fund all of those things. And therefore, when a report comes out and it says, you know, we’re throwing this department under the bus, which it feels like, and I’ve read some of those, it’s not fair. Number one, because you’re not only seeing one side of the story of what happened there. And two, this is a really difficult field to recruit and retain people. So, you know, being an IT or cyber leader in local government is challenging, but it’s also rewarding. And so when we’re looking, you know, at the pipeline of students, I want them to say, you know, local government is a place that I can go and work in. I can have so many different experiences across different policy areas and still work in this field that I like of information technology and cyber. And it makes it challenging when there is a report that comes out that says it is the fault of this organization. So that’s I know you didn’t ask me, but it was one of the things that makes me a little bit crazy.

 

Speaker 0 | 31:41.704

Yeah, we can have a, you know, you know, it really grinds my gears segment here. Like, right. But to your point, though, I think that’s a really insightful commentary on how we do follow-up investigations. So in a lot of organizations, or well, not a lot of organizations, I don’t want to be too generalized rapidly there. I’m aware that a lot of engineering teams in major corporations, so I’ll state that as a generalization that I am aware of, they will… find, do root cause analysis for the purposes of educating the folks. Like, hey, we did something wrong. Yes, this was what happened. But the goal is not punishment. The goal is education and learning. So as a consequence, the environment becomes more open because if I have made a mistake, even inadvertently or clearly not intentionally, if I think that, say, my job is on the line or a reprimand is coming. or some other problem is going to follow up with this, then I’m much more likely to just keep my head down and hope that nobody really figures it out. You know, I’d be like, well, you know, this will blow over, right? You know, hey, is the system down? And then as you’re watching it reboot and it comes up before you get a chance to respond, you’re like, no, I don’t know what you’re talking about. It must have been a glitch with the internet, right? So, you know, 100%, I’ve been there. Like, you know, we’ll just let that one slide, right? But the… That environment of punishment or blame in the IT space in particular can stifle the learning process that people have to actively learn from their mistakes. So the lesson they take away is like, I better keep my head down because I saw what happened to Jane when she said something, and that was not good. So let’s just kind of, we’ll shut up. We’ll hope that this kind of blows over and move forward. And then that short circuits the learning process of like. Like, did we make a mistake? What was the mistake? And how do we prevent it from happening?

 

Speaker 1 | 33:44.666

Right, right. And it may not even be a full mistake, but rather the realization that the organization didn’t put value, which typically turns into resources, behind multiple requests for either centralization. Because we know that the shadow IT leads to purchases that are, you know, connected to the network that may not be protected. So it’s the request to pull things in in order to protect that the organization, the leadership doesn’t understand that. So, you know, when I it’s just one of the things that I say, let’s get the full story before, you know, I never want to put blame because it’s really the entire organization. together and let’s get away from this idea of blame.

 

Speaker 0 | 34:43.324

Yeah. And I’ll put the, I’ll put the caveat on, you know, for both of us, you know, for future listeners of the, of the podcast that, that I think we both understand that it is important to understand why things were done. And if there are egregious errors that were made, we absolutely want to focus on those and make sure that we understand if somebody made some sort of like catastrophic decision, that was the wrong one. And it was clearly the wrong one. They should probably there’s accountability is different than blame. And, and, and those two have, they have different. meanings and different purposes. I do want to jump to a more, I call it the more fun side of our conversation. So you mentioned that you started, you originally started in a degree in broadcast journalism. And so one of the questions we often ask is, is a lot of folks here are technologists first. So this question would look a little different for you. And I think it’ll lead a little different place. How and when did you start getting exposed to technology in a way that like… We would often ask, hey, what was your first computer? And it’s like, oh, I would take her to the computers when I was 12 years old or something like that. But that’s not your background. You were not a computer person before stepping into some of your later roles. So how did you come in to be in technology and when did you kind of get interested in it? And where do you feel you are today? You might not even consider yourself to be a technologist as much as you are a leader in the technology space.

 

Speaker 1 | 36:07.627

Well, that’s when you… You know, one of the things I was thinking about was I don’t walk in the room and say that I’m a technologist. Absolutely, I don’t. Because I can speak the language. And I think where I am now is there is a strong need for what I call this translation between technologists, IT experts, cyber experts, translating from what they’re saying for the leaders of. the non-technical leaders of organizations. So I’ve gotten really good at this middle space of translation. Here’s what they’re saying, here’s what it means, and here’s why you need to make a decision or pay attention to that. Here’s the risk associated with this. So I’ve gotten really good at listening and then translating in different words to a non-technical population. I would say when I interviewed… for my first internship at the New York State Forum. And that’s another one of my mentors, Terry Maxwell. He hired me. And I said, I told him everything I was working on. Of course, you know, you’re a student, so you don’t have a ton of experiences. And I was very upfront. I said, I don’t have, you know, a computer science degree. I have a public administration degree. And I remember in the interview, he said, you can learn that. He says, you already have things that you can’t teach. I’ve seen you talk. He was also a professor at the school. So he already saw things. And so then I realized that I could learn this. So it’s really been a 29-year education working side by side with technologists and not being afraid to ask questions. So people may look at me and say, well, yes, Megan, you can speak technology.

 

Speaker 0 | 38:06.188

I can vouch for this, by the way. You have a very great understanding of technology, even though you can speak about how networks are built without having to throw a switch on a table, it can be able to configure it.

 

Speaker 1 | 38:21.094

Right. So I think it’s just been along the way and talking with people and really working side by side with government, middle management. You know, large systems, we used to do a lot of business process analysis when they were looking to procure statewide systems. And you have multiple agencies that have to use it. And everyone comes to the table saying, we’re unique. We do it differently.

 

Speaker 0 | 38:51.603

Sure you are.

 

Speaker 1 | 38:52.464

Right. And you spend six, seven months, you know, as a project mapping out their processes. And then when you bring them all together, you show them, okay, I know you call it this and you call it this. But really, you all do the same 15 steps. You’re just calling it something a little bit different. And I get that there’s some business rules that are different. But, yeah, mine’s been an along the way. And then there’s been, you know, little short courses and being okay with asking questions of people. Because if there’s one thing I’ve. I have found there’s People in government are there because they’re called to public service. If they’re working in IT or cyber in local government and you ask them about why they chose those tools or why they’re taking this approach, they love to tell you. And I like to listen. So it’s just been a lot of asking people who are smarter than me in this area and pulling out the pieces that I need for the work that I need to do to help them achieve what they need to do.

 

Speaker 0 | 39:59.983

So. We’re coming to the end of the podcast here, but I have two more things I want to ask. One is a fun one is share something about yourself that people wouldn’t ordinarily expect. So I can I can you know this story so I can share this with you and it won’t like intimidate you. OK, but, you know, like I once delivered a baby in a car. Right. So so like just something like like, wow, I there was a gentleman on the podcast, a couple of. months ago um who was uh when he was a kid he was clinically dead for 12 minutes wow yeah and it led to like a whole like out of body experience for him like it was it was you know like he it was a real like pivot point in his life but uh i mean it doesn’t have to be that big but you know like maybe i don’t know maybe you were a fencing champion when you were a kid right travel the world as a kickboxer so there is um i call myself athletically delusional

 

Speaker 1 | 40:59.352

So, yes, I think that I can just try any sport and I don’t care if I’m not great at it. You know, so I’ve done boxing. I am I row now on a master’s crew team. Oh, yeah. You know, I do remember back in high school when my I was on the field hockey team and I sat the bench all the time. And, you know, I always was working hard during practice, but I really didn’t get into a game. And, but I was never cut. And, you know, I did go to a small school. I figured that was the reason. And one of the, one day the coach said to me, you know, you really don’t have any athletic skill, but you’re the glue that holds this team together. And I, I thought about it for a minute. And then I said, I don’t understand what that means. What does that mean? And she described to me a person who it wouldn’t be a team without that person. And. And, you know, I walked away thinking, OK, I don’t have any real athletic skill. I kind of knew that.

 

Speaker 0 | 42:01.873

But was I insulted here or not? I’m not quite sure yet as a kid.

 

Speaker 1 | 42:07.594

But I also started to understand this other role that I might play in in team sports, you know, because you want to be in a team sport. So, you know, all the way up to now, I have run a marathon when I probably shouldn’t. I run half marathons. And. I don’t do particularly well at any of them, but I continue to try. So I think that’s one of the things I’ll say about me is that I am athletically delusional. When I tell people that I’ve tried something new, they’re like, of course you have, because I said, because it looked interesting. Awesome.

 

Speaker 0 | 42:42.648

And last, what advice would you have for other leaders coming up in the space? And I’m going to, I’ll give you maybe the, I’ll call it the obvious framing, but the clear framing. Like you’re a woman in this space and that that that presents unique challenges. You know, you’ve really had a lot of success. But for others, you know, other folks who might not be from the kind of like the common, like traditional groups of people who come up in the leadership space here, what what advice do you have for them?

 

Speaker 1 | 43:12.360

So I believe that I believe that people are typically ready before they make a big leap into something. So, you know, I think if we look back, we go. I probably could have done that a little bit sooner than I did, but I felt like everything had to be in place. And so what I would say is that not, you don’t have to be perfect in every area to take that leap. Um, because some leadership qualities you’re going to have, and some you’re going to develop along the way. And I really think if you take this idea of, you know, I didn’t even get into the whole idea of servant leadership, which is not a big deal. really working for your people. But I hope that I described some of that.

 

Speaker 0 | 43:58.833

We can have a whole other episode on that. I know.

 

Speaker 1 | 44:02.315

I love the idea of it. And I do read a lot about it because what you’re doing is you’re serving the needs of the people who work with you. And so I think if you keep that perspective, that helps you as a leader. So knowing that you’re probably ready a little bit before you take that jump. And also, you’re there with them, helping the entire group. And you’re helping get obstacles out of the way. And you’re learning about people. And you’re making sure that, you know, it’s an environment that people want to be in. I think, and also letting others see who you really are. Many times, leaders want to be someone who is only perceived a certain way. I’m okay with people seeing the real me. And… And, you know, it’s just it’s part of what makes each of us unique. You know, I really enjoy the different personalities on my team and all of their expertise. And most of the time I talk about the team as if I am with them. I don’t think I say that I am the leader because I consider myself part of that team.

 

Speaker 0 | 45:18.654

Awesome. Yeah. Well, thanks. Thanks for that awesome insight. So, Megan, thank you so much for investing your time with us on the podcast today.

 

Speaker 1 | 45:26.074

Thank you so much.

 

Speaker 0 | 45:27.217

That’s a wrap on today’s episode of Dissecting Popular IT Nerds. I’m Doug Kameen, and we look forward to coming to you on our next episode.

 

Share This Episode On:

HOSTED BY PHIL HOWARD

Dissecting Popular IT Nerds Podcast

Weekly strategic insights from technology executives who understand your challenges

Apple Podcasts
Amazon
Pandora
Spotify
Tuneln

Are You The Nerd We're Looking For?

ATTENTION IT EXECUTIVES: Your advice and unique stories are invaluable to us. Help us by taking this quiz. You’ll gain recognition good for your career and you’ll contribute value to your fellow IT peers.

Apply

The IT Leadership Podcast

Redefining How The Business World Sees IT

Hosted by IT Leaders... for IT Leaders

Linkedin Rss Instagram Youtube

Resources

Recent Episodes

Company

© Dissecting Popular IT Nerds INC

All Rights Reserved | Terms and Conditions | Privacy Policy

QR Code