Q&A with Ernesto Ballesteros

Person tasked with overseeing cybersecurity matters for Texas provides a glimpse of goals, initiatives and priorities

Ernesto C. Ballesteros, JD, MS, CISSP, CISA, Security+, has the distinction of serving as both state cybersecurity coordinator and chairman of the Texas Cybersecurity Council. In this role, he oversees cybersecurity matters for the state of Texas.

The initial scope of the state cybersecurity coordinator and Texas Cybersecurity Council was established in 2013 by Senate Bill 1102. It was later expanded through House Bill 8 in 2017. The position is designated by the executive director of the Department of Information Resources and reports to the State Chief Information Security Officer Nancy Rainosek.

Texas Banking interviewed Ballesteros on his goals and priorities, background, ransomware attacks on organizations and advice for Texas bank executives and board members.

Following are his responses:

What are your responsibilities, goals and priorities as cybersecurity coordinator?

The state CISO oversees cybersecurity matters pertaining to state agencies, whereas the coordinator oversees matters affecting counties, local governments and private sector entities.

As both the coordinator and chairman of the Council, my goals, initiatives and priorities align with the interests of the state and the coordinator’s statutory mandates. Currently, however, my priorities are to establish a statewide information sharing and analysis organization, pursuant to Senate Bill 64, and statewide certified cybersecurity training program, pursuant to House Bill 3834.

Several governmental entities in rural Texas communities were targeted this summer in ransomware attacks. The Department of Information Resources led the response. What do these attacks say about the willingness of cyber criminals to target organizations regardless of size?

While it is important to consider that not all threat actors share the same motivations, in many cases, it is reasonable to assume they are primarily financial, based on the following:

  • The victim’s email system is the most common attack vector for ransomware attacks;
  • For nearly any organization, email systems are both ubiquitous and mission-critical;
  • Typically, these emails will prompt a user to open a file attachment;
  • Although some organizations can afford to deploy sophisticated email controls designed to identify and block these kinds of file attachments, some may slip through and show up in the user’s inbox. When this happens, it’s important for an organization’s workforce to have some degree of awareness or training on how to identify and report them to the organization’s IT or information security department;
  • The perceived risk of attribution — or being caught — by law enforcement is low;
  • The potential financial gains of a successful attack far outweigh the costs to conduct these attacks; and
  • Where the victim’s insurance policy covers ransom payments, it often proves to be a profitable endeavor for the threat actor.
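The answer above points at the attachment as the usual delivery mechanism and at gateway controls that try to catch it. As an added illustration (not code from DIR, Texas Banking or the interviewee), the script below shows the kind of triage such a control performs on a raw RFC 822 message: it walks every attachment, looks at the declared file name and the first bytes of the decoded payload, and reports why each one should be held for review. The message it parses is constructed inline for the demo; the extension lists and magic-byte checks are assumptions to be tuned for a given environment and are not a substitute for sandboxing or antivirus.

```python
"""Triage email attachments for common ransomware delivery patterns.

Added example; not the code of DIR or of anyone quoted on this page.
Assumes the mail gateway or mailbox script hands us the raw message bytes.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed lists: extensions that commonly carry scripts, droppers or macros.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".com", ".dll", ".js", ".jse", ".vbs", ".vbe", ".wsf",
    ".hta", ".ps1", ".bat", ".cmd", ".lnk", ".iso", ".img",
    ".docm", ".xlsm", ".pptm", ".dotm", ".xltm",
}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".gz", ".tgz"}
# Names that a double extension tries to masquerade as ("invoice.pdf.exe").
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Magic bytes identify the payload regardless of what the name claims.
PE_MAGIC = b"MZ"                                   # Windows executable
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy .doc/.xls, may hold VBA
ZIP_MAGIC = b"PK\x03\x04"                           # zip container (also OOXML)


def classify_attachment(filename, payload):
    """Return the reasons to hold this attachment; an empty list means no finding."""
    reasons = []
    if not filename:
        reasons.append("attachment without a file name")
    name = (filename or "").lower()
    exts = re.findall(r"\.[a-z0-9]+", name)
    ext = exts[-1] if exts else ""

    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky extension {ext}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS and ext in RISKY_EXTENSIONS:
        reasons.append(f"double extension {''.join(exts[-2:])}")

    if payload.startswith(PE_MAGIC):
        if ext in {".exe", ".scr", ".com", ".dll"}:
            reasons.append("PE executable")
        else:
            reasons.append(f"PE executable disguised as {ext or 'no extension'}")
    elif payload.startswith(OLE_MAGIC):
        reasons.append("legacy OLE2 Office document (may contain VBA macros)")
    elif payload.startswith(ZIP_MAGIC) and ext in ARCHIVE_EXTENSIONS:
        reasons.append(f"archive {ext} (contents not inspected here)")
    return reasons


def triage_message(raw_bytes):
    """Parse a raw message and map each flagged attachment name to its reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(part.get_filename(), payload)
        if reasons:
            findings[part.get_filename() or "<unnamed>"] = reasons
    return findings


def build_sample_message():
    """Constructed phishing-style message with four attachments (demo input only)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "clerk@example.gov"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please review the attached invoice.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 60, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Q3_report.docm")
    msg.add_attachment("Meeting notes\n", subtype="plain", filename="minutes.txt")
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf",
                       filename="agenda.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in triage_message(build_sample_message()).items():
        print(f"HOLD {name}: {'; '.join(why)}")
```

The decisive check is the magic-byte test on the decoded payload rather than the declared name or MIME type, both of which the sender controls; `agenda.pdf` is flagged only because its bytes are a PE image. Anything that survives this triage still reaches a person, which is the point of the answer's remark on workforce awareness.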

What have you learned from the ransomware attacks that should be of concern to banks, particularly Texas community banks?

We have learned that many of these attacks can be prevented by adhering to common information security best practices. To that end, DIR publishes resources designed to raise information security awareness statewide. In fact, with regards to ransomware, DIR recommends organizations adopt the following best practices, if they have not done so already:

  • Keep software patches and anti-virus tools up to date;
  • Create strong unique passwords that are changed regularly;
  • Enable multifactor authentication, especially for remote logins;
  • Modernize legacy systems and ensure software is as current as possible;
  • Limit the granting of administrative access; and
  • Perform regular, automated backups and keep the backups segregated.
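The last item in that list is the one that decides whether a ransomware incident is an outage or a catastrophe, and a backup that has never been restored is not yet a backup. The script below is an added example, not DIR's or the interviewee's code, of the minimum an automated job should do: archive a directory, record a per-file SHA-256 manifest and the archive's own hash, copy both to a second location, and then prove the copy by restoring it to scratch space and re-hashing every file. The second directory stands in for segregated storage; in production that copy belongs on storage the production host cannot overwrite (separate credentials, offline media or object lock). File names and contents are constructed for the demo.

```python
"""Automated backup with an integrity manifest and a restore test.

Added example; not the code of DIR or of anyone quoted on this page.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, staging: Path, segregated: Path) -> tuple[Path, Path]:
    """Tar src into staging, write a manifest, copy both to the segregated store."""
    ts = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = staging / f"backup-{ts}.tar.gz"
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                files[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest = staging / (archive.name + ".manifest.json")
    manifest.write_text(json.dumps(
        {"archive": archive.name, "archive_sha256": sha256_file(archive), "files": files},
        indent=2))
    segregated.mkdir(parents=True, exist_ok=True)
    seg_archive = segregated / archive.name
    seg_manifest = segregated / manifest.name
    shutil.copy2(archive, seg_archive)
    shutil.copy2(manifest, seg_manifest)
    return seg_archive, seg_manifest


def verify_backup(archive: Path, manifest_path: Path) -> bool:
    """Restore test: check the archive hash, extract to scratch, re-hash every file."""
    doc = json.loads(manifest_path.read_text())
    if sha256_file(archive) != doc["archive_sha256"]:
        return False
    # Python 3.12 (and patched 3.8+) refuses path-traversal members with filter="data".
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **extract_opts)
        for rel, digest in doc["files"].items():
            restored = Path(scratch) / rel
            if not restored.is_file() or sha256_file(restored) != digest:
                return False
    return True


def demo() -> tuple[bool, bool]:
    """Constructed demo: back up two files, verify, corrupt the copy, verify again."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        src, staging, seg = root / "data", root / "staging", root / "segregated"
        (src / "ledger").mkdir(parents=True)
        staging.mkdir()
        (src / "ledger" / "2019-q3.csv").write_text("acct,amount\n1001,250.00\n")
        (src / "policies.txt").write_text("Backups are verified weekly.\n")
        archive, manifest = create_backup(src, staging, seg)
        ok_clean = verify_backup(archive, manifest)
        data = bytearray(archive.read_bytes())
        data[-1] ^= 0xFF                 # simulate silent corruption or tampering
        archive.write_bytes(bytes(data))
        ok_tampered = verify_backup(archive, manifest)
    return ok_clean, ok_tampered


if __name__ == "__main__":
    print("clean copy verifies: %s, tampered copy verifies: %s" % demo())
```

Run `verify_backup` on the segregated copy, not the staging one, and on a schedule independent of the job that writes it; a check that only runs from the backup host proves nothing once that host is the one encrypted.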

You chair the Texas Cybersecurity Council. Is this a strictly public sector entity or is the private sector engaged as well?

The council’s composition and charge are statutorily defined in Sec. 2054.512 of the Texas Government Code, which provides:

“(a) The state cybersecurity coordinator shall establish and lead a cybersecurity council that includes public and private sector leaders and cybersecurity practitioners to collaborate on matters of cybersecurity concerning this state.”

To address the diverse and sophisticated cybersecurity matters of this state, the council is composed of professionals representing academe, critical infrastructure — including Chris Furlow, CEO and president of the Texas Bankers Association — and the state government.

As the chairman of the council, I have the distinct honor of serving alongside a team of accomplished professionals. Indeed, the value of the council cannot be understated with regards to the expertise, insight and wisdom they provide in our statewide initiatives.

What advice do you have for bank executives and board members regarding cyber oversight, particularly those without a technical background?

Traditionally, the chief information security officer oversees cyber/information security matters for a financial institution. Given the complexities of the operational, compliance/legal and technical requirements a financial institution contends with, it is in the best interests of the executives, board members and customers for that role to be filled by a professional who has a thorough understanding of each.

Moreover, the role of the CISO — especially in the financial services sector — must also enjoy a high degree of independence, given that its mission is similar to, yet distinct from, that of the chief information officer or chief technology officer. Indeed, this would include a direct and clear line of communication and reporting to the board of directors.

The path to cyber coordinator

My parents proudly served in the U.S. Army, so I grew up as a traditional military brat, moving wherever my parents were stationed. That said, I spent most of my formative years between the South Bay of Los Angeles and San Antonio. During my teen years, my parents decided to settle in San Antonio, where I attended high school at Judson High School, college and graduate school at Our Lady of the Lake University and, ultimately, law school at St. Mary’s University School of Law.

I enrolled as an undergraduate at Our Lady of the Lake University – a small, private Catholic university – with the goal of breaking into the video game industry, as a designer or programmer. Shortly after 9-11, the chair of the Computer Information Systems department, Robert August, Ed.D., CISSP, successfully redesigned its undergraduate and graduate programs under the National Centers of Academic Excellence in Cyber Defense Education and Research program, jointly developed and managed by the Department of Homeland Security and National Security Agency.

In light of the university’s new focus on cyber defense education and research, I had the great fortune to get exposed to cyber/information security early on. Prior to joining DIR as the coordinator, my career ebbed and flowed between academe and the private sector. Upon graduating with a master’s degree in computer information systems and security at OLLU, I was hired as a full-time visiting professor of Computer Information Systems and Security from 2007-10.

During this time, I found my professional callings: information security, service and teaching. Around 2010, I ventured into the financial services sector and became Jefferson Bank’s first C/ISO.

During this time, I learned that information security — especially at the policy level — had more to do with compliance and risk management than computer science. During my tenure at Jefferson Bank, I decided to go to law school, with the specific goal of becoming a more complete and competent information security professional.

During my time in law school, I focused my legal studies on foreign relations, intellectual property, privacy/information security law. During my second year of law school, I had the perfect opportunity to head back to academe, when I took on the role of Assistant Professor of Computer Information Systems and Security at OLLU, where I also served as the director for the Center for Information Assurance Management and Leadership. In both roles, I had the great fortune to help shape the personal and professional pursuits of my students.

Additionally, as the director of the CIAML, I led OLLU’s efforts to maintain their national designation as a CAE-CDE, under the DHS/NSA CAE program, which made it possible for students to qualify for the CyberCorps, which provides scholarships to participating institutions through grants awarded by the National Science Foundation.

In May of 2018, I made a personal choice to pursue public service, and applied for the role of the state cybersecurity coordinator. Honestly, I was quite surprised when I was given the opportunity to interview for the role. To my surprise, after completing a rigorous and thorough interview process, I was offered the job and accepted without hesitation.
