IT'S a Tech Podcast
The “IT’S a Tech Podcast” is an engaging conversation about the game-changing technology solutions being advanced by the state’s Office of Information Technology Services. Learn how we make IT happen for more than 50 state agencies and over 20 million New Yorkers.
Episode 17: CX and Cybersecurity
Cybersecurity is important. Staying safe online and keeping records safe is crucial in a day and age where bad actors are pulling out every stop to gain access to your information. ITS is proud to make New York a national leader in cybersecurity – through the NYSOC, or the New York Security Operations Center, ITS is safeguarding more than 450,000 endpoints and billions of sensitive records.
But what happens when security comes into conflict with customer experience? How do you balance keeping data secure while making it accessible to the user? How many layers of verification is too many, and how much risk is acceptable?
In part three of the IT'S a Tech Podcast multi-part series on customer experience, or CX, we’re sitting down with ITS Director of Cyber Defense and Response Brian Koon as we navigate the friction between keeping systems user friendly while keeping them safe.
Thank you for listening to the IT’S a Tech Podcast. For more information about ITS, visit our website at its.ny.gov. Follow us on X, LinkedIn, Instagram and Facebook.
0:01
You're listening to the IT'S a Tech Podcast, an engaging conversation about the game-changing technology solutions being advanced by the state's Office of Information Technology Services.
0:12
Learn how ITS makes IT happen
0:15
for more than 50 state agencies and over 20 million New Yorkers. Cybersecurity is important.
0:24
Staying safe online and keeping records safe is crucial in a day and age where bad actors are pulling out every stop to gain access to your information.
0:33
ITS is proud to make New York a national leader in cybersecurity.
0:36
Through the NYSOC, or the New York Security Operations Center, ITS is safeguarding more than 450,000 endpoints and billions of sensitive records.
0:46
But what happens when security comes into conflict with customer experience?
0:50
How do you balance keeping data secure while making it accessible to the user?
0:55
How many layers of verification is too many and how much risk is acceptable?
1:01
In part three of our multi-part series on customer experience, or CX, we're sitting down with ITS Director of Cyber Defense and Response, Brian Koon, as we navigate the friction between keeping systems user friendly while keeping them safe.
1:14
Brian, thank you so much for taking time out of your busy schedule to share your insight today.
1:20
Can you tell our listeners a little bit more about your role and how you came to ITS?
1:25
First, it's great to be here.
1:26
Thanks for, you know, for asking me to come do this podcast.
1:30
I've been working with ITS for about four years now, maybe a little bit over, a little bit less than four years.
1:36
And I come from private industry where probably like 20-25 years and the major background I have in is a, you know, a cloud-hosted services.
1:49
And I got to work with a lot of great companies over the years doing, you know, some accounting firms, some top five banks.
1:57
So it was really cool to do some projects with them.
1:59
And during the, the end of the private industry years for me, I kind of really started seeing cybersecurity being a bigger focus and really wanting to take a further step of, OK, I've been doing security for a lot of my career, but it would be really great to make that as, as a focus.
2:20
And so I kind of went ahead and, and, and made that more part of, you know, where, where I wanted to go my career.
2:26
And at the same time, right around when I got done, you know, really how how do I, you know, got certain certificates to be really focused on security.
2:36
New York State actually had a lot of security positions opened.
2:40
I wasn't directly trying to get into the state, but I was like, you know what I saw that I go, "That would be really good way to give back to New York State and its residents."
2:51
Thinking about my personal family where my mother, who is disabled in a wheelchair and has had a lot of services over the years, and some had some issues with my brother where he's had a lot of services.
3:06
So it's like this would be a perfect segue for me and my career to New York State, give back.
3:11
And you know, for over the years in private industry, it's been great.
3:14
All the projects that I got to work on.
3:17
The focus has more been, you know, how do you make profit?
3:20
How do you make the profit for the company you're working for?
3:23
And this would be of different focus for me.
3:25
So it's like this is a great way to segue the middle part of my career to, to come here to New York State.
3:31
And so with the role of, you know, being, you know, the director of cyber defense and response, we have various different teams that will collaborate with operational teams within ITS to provide security services.
3:45
So we have a team that will work with the firewall team to provide services.
3:48
We have a lot of identity and access management.
3:51
We'll work with them to be like, you know, that's probably one of the bigger, you know, ones that you know, public-facing people will see when you go to log in with your multifactor authentication, you know, SMS to your phone or, or whatever.
4:04
So we also have other areas such as a threat response team that will, for, you know, zero-days that come out or high-profile zero-days, like a vulnerability that's just been disclosed.
4:19
And we go, oh, what's going on with New York State?
4:22
Where do we have this and are we vulnerable to this?
4:25
And how does the team respond and appropriately takes, you know, actions depending on what, what is actually, you know, the vulnerability.
4:35
There's been some popular ones in the past of, you know, Log4, Log4Shell, which is like runs on like web applications, databases.
4:46
So a lot of systems have that in the background.
4:50
So those are, those are some of the, you know, the major areas that my team will, you know, take a look into and, you know, that's, that's the role in, and we'll see a lot of things when you think about like customer service.
5:02
We, our team will do a lot of things in the background that you don't see, working with a firewall team to make sure protections are in place, such as bot protections.
5:10
You know, you know, bad actors are trying to, you know, break into New York State and get sensitive data.
5:16
And, you know, the firewall teams will have appropriate, like maybe we'll have a, you know, a geolocation to stop like Iran or North Korea from trying to access.
5:27
But so that's kind of the gist of what the, the teams are, you know, teams are trying to do.
5:31
So not only do you wear a whole lot of hats, but boy, the, the stakes are... the stakes are high.
5:36
It's a lot. Yes, little, little, you know, sometimes you know, you think about it and it's a little big, but it's, it's fun, it's always challenging and it's always different.
5:46
Absolutely.
5:47
And rewarding, and rewarding. 100%.
5:49
So we and you touched on this a little bit when we refer to cybersecurity in terms of customer experience, what exactly are we talking about?
5:58
Yeah, so I probably touched on that a little bit there.
6:01
You know, first, I think about cybersecurity as the layers between the public accessing services and data that they, you know, need access to.
6:11
And how do we safeguard that from bad actors.
6:13
Bad actors are trying at the same time to reach those things, you know, they'll get, get access to that.
6:19
And so I think of like I mentioned the firewall services that might be, you know, as one of the front lines and working with those teams to make sure that the appropriate, you know, levels of security are in place when the bad actors are also trying to get a foothold into.
6:40
And so we look, we look at that and say, what's the appropriate level of security that we need to put in place for this service?
6:47
And that's very important when we think about it.
6:50
So, so it's so when in terms of like me as a user, like when, when you say what are the systems that we put in place to, to, to secure that?
6:59
What does that look like for me?
7:01
So it would look like, you know, so one of the popular ones is probably like NY.gov.
7:05
You come into your NY.gov account, you might see, you know, we put certain levels of like, OK, we want to make sure that your account and whatever data you're accessing has the appropriate level of security control.
7:17
So you know, we might have MFA, multifactor authentication.
7:21
So on your phone, we have, you know, multiple different types of options for MFA with NY.gov.
7:26
And it could be an SMS or it could be one of our applications that you would load on your, your cell phone.
7:32
And so depending on, you know, what you're accessing, you might go to a certain app behind it, because NY.gov has lots of applications and depending what entitlements you have, which means what apps you're, you're subscribed to.
7:46
But if you say, if you were going, you're going to go log into your tax application, maybe you would be, you know, we'd have to say, OK, we want a, you know, a code sent to your phone that you would have to then approve to get in. Adds friction. You know, so it's always a balance that we're trying to strike between accessing data and and making it a good customer experience.
8:08
But at the same time, when we know what, you know, kind of understand what data you're accessing and how, how we make sure to step up on on those type of, you know, activities that you might be performing.
8:18
Exactly, exactly.
8:19
So.
8:19
And you touched on this a little bit in terms of the, the balance.
8:24
I'm sure all of our listeners right now are thinking in the back of their heads like, oh, we've definitely had that CAPTCHA.
8:28
Where is the side mirror part of the car?
8:30
I I can't tell if the side mirror is part of the car.
8:33
Can you speak more to the how and why about this friction and why it exists?
8:38
Yeah.
8:38
So I mean, the friction exists.
8:40
I I've, I've had the same frustrations when you're like, you know, is that tire still?
8:44
Is that in this frame? Next frame? It's like a quarter of the tire.
8:47
Does that count?
8:48
Yeah.
8:48
And so, you know, and a lot of times, you know, you know, I'll even, I'll fail, you know, going through it and it takes me a couple of times.
8:57
Like I said, it exists that there's always a cat and mouse game that's going on right between bad actors and, you know, us as, you know, cybersecurity professionals trying to, you know, so really the, the, the, the, the sensitivity of the data is really kind of determines what kind of level of security we're going to put in place.
9:20
So, you know, it's things like the CAPTCHA, you know, bad actors are trying to use scripts and bots to try to get in and make it quick and fast and we're trying to slow them down.
9:31
They might have more sophisticated ways, but you know, a lot of times they're looking for low-hanging fruit.
9:36
Putting these types of security mitigation controls in place will stop the low-hanging fruit from a bad actor.
9:42
Maybe they'll go, they'll go elsewhere where they know there's a more easy way to get in.
9:47
So, you know, and you got to remember, New York State has a lot of data that we're protecting and the the bad actors certainly want to get access to certain those services that they might be able to get.
9:59
So that those, those, those exist, you know, the friction exists.
10:05
What we try to do is balance that friction.
10:07
So try to make it and, and I can, you know, touch base a little bit more on like the MFA.
10:16
See this when like other services, when you go to like your bank and sometimes you, your bank will ask you for, OK, we need to send something to your, it'll send you an SMS check or MFA.
10:28
But sometimes you're, you're at your computer and the bank doesn't ask that because you're sitting at your computer that you always access the bank for.
10:34
So those are types of things we're trying to also think about like how do we make this a little bit better?
10:40
What's the behavior of someone and how do we, you know, incorporate that into future rollouts of, you know, customer experience while balancing the security at the same time?
10:50
Exactly.
10:50
And it's, and it's a delicate balance.
10:52
It really is.
10:53
So you mentioned this a couple times.
10:55
You know, this issue isn't just, you know, it's not just to annoy the end user.
11:00
That's that's not the point.
11:01
It's obviously, you know, we can be these systems can be exploited by by bad actors.
11:08
Can you talk more about how cyber criminals can exploit this conflict, this friction between cybersecurity and user experience?
11:16
Yeah.
11:17
So, you know, I think where I come from is, and I work in collaboration with a lot of agencies, is we try to classify what kind of data is on the application.
11:27
We've, we have what is called the identity assurance level and that determines the rating on how sensitive the data is and what levels we need to put in place.
11:37
You might go to, you know, create an NY.gov account and it might ask for extra information.
11:43
You might get asked for your driver's license or your, a selfie and, you know, depending on the application, because that data is, is really, you know, it's it's I think the public needs to remember that at the same time, this friction that we're putting into place is there because the data and the responsibility we have for their data.
12:07
And I think I think that, you know, sometimes like it's New York State data or what, what would be the term?
12:11
But I think that if it is their data that we're protecting for them.
12:14
So we have a big responsibility at the same time to make sure their data is protected.
12:19
And so as, as the bad actors, when they come in, if they're able to get access to your account, if we don't have appropriate, you know, security in place.
12:30
They could take over your account, they could go get services or you know, think of it as, I think back to when I had my identity stolen several years ago.
12:42
God, that's my biggest fear.
12:43
So Apple sent me a, a thing where I owed them money for multiple iPhones, and it ended up being, when we filed a police report, ended up being from a, from someone who got iPhones delivered, they transferred.
12:59
So like my house number, they transposed it, so instead of like my old one was 24, it went to 42.
13:06
So they must have been waiting at that, you know, mailbox.
13:09
And so it was just enough.
13:11
They had just enough right information to do something like that.
13:15
And therefore, so let's think of the same way in New York, where the bad actors are trying to do those same exact things to grab.
13:21
Maybe it's, it's one check from some kind of service before we catch on, but those are the, that's really what the bad actors are looking, trying to do. And, and having been someone who's had it happen and knows the trouble that, that I've had to go through in order to clear my name.
13:37
I take that very big responsibility to try to do the same thing to protect New York State residents from having that happen to them from that we're entrusted.
13:45
Exactly.
13:45
And you know, as you mentioned, the low-hanging fruit, you know, it's, we don't want to make these systems too easy for, for users to use because then the bad actors can use them just as easily.
13:55
That is correct.
13:56
And, and the bad actors are very sophisticated and they're going to know when these systems are open.
14:00
We see this is very easy to get into, and they're going to get their quick wins.
14:04
And, you know, as soon as we, you know, and you know, they're very fast and they'll know it.
14:08
And so we might have this lag before we notice what's going on.
14:11
We really try to stay on top of it, but bad actors are quick and fast, and they're going to get their get their money when they can get it.
14:17
Yeah.
14:17
Scary.
14:18
So the 28th annual New York State Cybersecurity Conference was held here in Albany earlier this month.
14:25
It was hosted by ITS, along with the University at Albany School of Business and the New York State Forum.
14:30
Were there any relevant conversations or presentations that touched on this issue?
14:35
So I thought there was a there was a lot of good ones I went to. It was an excellent conference.
14:40
Yes.
14:41
And the big one that stood out to me was our Day 2 keynote speaker.
14:46
It was Kristen DiCerbo, who works for Khan Academy, which provides high school students with, you know, online learning, and their use.
15:00
And I would say their embrace of AI - AI is, you know, obviously a big, big craze these days.
15:04
And rightfully so, there are a lot of great applications or great uses for AI.
15:10
And I saw the interaction on how she showed how AI is being embraced with, you know, to allow, to, to help with feedback and learning and finding where students are falling short, and retuning their, their curriculum to make the, you know, help the students better.
15:31
And I was thinking about how New York State, you know, and how its residents interact with the state.
15:39
You know, we're always thinking about how are ways to improve customer service and the use of AI certainly something on on our minds and, and, but we have to think about at the same time, how do we guardrail that appropriately?
15:52
How do we, you know, 'cause AI, you know, I think we've all done the chatbot AI where we've gone into a website and typed in, you know, I need help with this or I need help with that.
16:01
We need to make sure that the AI can't then you know, bad actors are going to try to exploit that.
16:06
What are they going to say?
16:08
So both one, put proper guardrails on there to prevent the AI from reaching certain applications and data that it shouldn't, but also just, you know, in ways that it can help.
16:19
All right, you, you're having problems logging in with your MFA, your multifactor authentication.
16:24
Do you have a backup one?
16:26
Maybe next time you might want to get a backup one set up, which we have available so that you have options there.
16:32
You're so I, I saw that I, I and, and just thinking about ways.
16:37
And so that was a week ago.
16:39
So haven't quite formulated all my thoughts, but you know, it's something I'm thinking about and I, I can see that being something that can help us help with that friction that we have for users in the future.
16:49
So that's something that I that I definitely am thinking about here and going forward.
16:53
Absolutely.
16:54
And the balance, the balancing act continues.
16:58
What is something useful our listeners can take away from this discussion if only to give their frustrations a little context?
17:06
Yeah, I would say one that that we are very conscious about the frustrations that users have.
17:13
We pay very close attention to, you know, we rerun data analysis and understanding where where our public-facing users are having issues accessing services and accessing systems.
17:25
And we're so always, always trying to improve that process.
17:29
We're also thinking about new technologies that are out there and how we can implement those that are both secure and maybe a little faster.
17:39
Many users maybe have come across, for other, where, you know, you go to a bank or you go to, you know, Lowe's or Amazon where they ask you to set up a passkey.
17:51
And this is a quick like, so it'll, you basically can confirm the device I'm logging into is, is my, my device. In the future, remember this and help my login a little faster.
18:01
It does a lot of stuff in the background by storing certain kinds of files to help with that process.
18:08
I, you know, we are looking at those kind of technologies in the future.
18:10
So, know like why you might be frustrated today, but we also have to think about how do we, you know, continue to make our, our public-facing services even more accessible?
18:22
You've got to think about, you know, someone that's helping their grandmother jump on and, and get, you know, renew their license and then in a way that they haven't done before or you know, accessibility or, you know, think about we support a lot of languages.
18:36
So language translation services.
18:38
We're continuing to think about this holistically in a way that we can still make the, the, you know, the service a little bit better.
18:45
We can't always eliminate security.
18:47
The only way to really eliminate security is just turn everything off and then be like, yeah, from a security standpoint, that's great. Locked down.
18:52
But but no one, no one would love that, right?
18:54
So, so we're we're always continuing that that could go there.
18:57
But know that we, you know, we also experienced those same frustrations and we're continuing and to try to improve that.
19:05
So that that's one thing I can, you know, try to tell the the listeners is bear with us.
19:11
We're trying our best to try to make this a smooth operation as best we can.
19:14
Absolutely smooth and safe.
19:16
That's the goal.
19:16
100%. Amen.
19:18
Well, Brian, I am very sorry to say that we're almost out of time for this episode.
19:23
But before you go, you get to answer the fun question that I ask all of our guests.
19:27
What is something you are looking forward to this year?
19:29
It can be work related.
19:31
It does not have to be work related.
19:33
You you tell me.
19:34
Yeah.
19:35
So I, I, I've listened to other podcasts and I've heard some people talk about, you know, they play, you know, the, the cello.
19:41
And that's like, I really, you know, some really great stories.
19:44
That was a good answer.
19:45
Yeah.
19:45
And I, I really want to learn how to play a violin in the future.
19:48
So it's like, like, kind of sparked me like I should take some time to to follow this goal of mine.
19:55
But once then one thing that came out just recently is Apple TV announced that they're that they are going to adopt an adaptation.
20:05
Of a book series that I really like. Brandon Sanderson is the author and New York Times bestseller, and he just, the book series he has, two, Mistborn, Mistborn. Oh, I know Mistborn. And then the, so, Mistborn series.
20:21
I'm reading that one right now, but I the big one I like is the probably call it the Way of Kings, which they're going to turn into... Stormlight Archive? Stormlight Archive.
20:28
I got you, girl. And yes, 100%, so I'm, you know, so for those listeners who don't know, think of like your Harry Potter and your Lord of the Rings fan.
20:35
So that's like the equivalent for me and I am a huge sci-fi fantasy fan.
20:40
I'm really looking forward to seeing that on the big screen.
20:43
So.
20:43
And so that's it.
20:45
While I think he's just writing the manuscripts or the screenplay, whatever the, the term screenplay.
20:50
There you go.
20:51
I'm not a movie person, but so I'm really looking forward to that.
20:54
And my daughter reads that series too.
20:56
So it's something we always talk about.
20:58
My niece reads the series.
20:59
I have a bunch of friends.
21:00
So we always collaborate.
21:01
We always discussed like after like, right.
21:03
No spoilers until we finished reading the books.
21:05
And then so I just finished reading the 5th book a couple weeks ago.
21:08
So it's been, you know, I'm up to speed and I'm really looking forward to that coming out.
21:13
These are not small books, by the way.
21:14
These are, these are large, large, thick, thick bois.
21:17
Yeah, my, my wife will look at me and, like, how is that fun for you reading? You know, I mean, these look like, you know, encyclopedias.
21:23
But Brandon Sanderson, he's a very good writer.
21:25
Yeah, he is.
21:26
He is.
21:26
He's fantastic.
21:28
Well, Brian, thank you again for sharing your thoughts about cybersecurity and for sharing your expertise. And listeners,
21:35
I hope you'll all think about what you learned today the next time you get frustrated with a CAPTCHA.
21:40
Thank you, Brian.
21:40
Again, thank you.
21:41
Thank you for listening to
21:43
IT'S a Tech Podcast.
21:45
For more information about ITS, visit our website at its.ny.gov.