Leadership’s Role in Building a Cyber-Ready PSAP

0:05

Everyone, welcome to today’s webinar from Secular Leadership’s Role in Building a Cyber-Ready PSAP.

0:11

We’re going to wait a few more minutes for some more people to join and then we will get started at the top of the hour.

1:45

All right, thank you for taking the time out of your day to join us and welcome to Secular’s September 2025 webinar, Leadership’s Role in Building a Cyber-Ready PSAP.

1:55

Before we get started, please note the webinar is being recorded for future viewing and you will receive a follow-up email at the end of the week with the recording of today’s presentation.

2:04

We are definitely looking forward to getting questions from you throughout the webinar and then answering them.

2:08

So if any questions come to mind at any point during the webinar, please use the questions pane in your interface and make sure to ask it, and we will make sure to attempt to answer all the questions during the webinar as well as our Q &A section at the end of the presentation.

2:22

We also have some interactive polls during the webinar, and we’re looking forward to your interactions and feedback.

2:28

Secular provides resources on our website to inform our clients, public safety and entire cybersecurity community.

2:35

Our cybersecurity resources archive offers access to free recordings of all of our past webinars and today’s recording will be available at the end of the week.

2:42

If you would like a PDF of the slides and any of our presentations, just let us know in an email.

2:47

We also have an extensive state by state cyber attack archive that we update daily with notable cyber attacks that have affected public safety, local government agencies, healthcare, educational institutions, and critical infrastructure.

3:02

Cyber threats can disrupt or disable a 911 center in minutes.

3:06

Unfortunately, technology alone cannot stop every attack in its beginning stages.

3:11

The culture set by leadership determines how quickly teams can recognize threat, report issues, and recover from these incidents.

3:18

Today’s webinar will give PSAP and ECC leaders practical strategies to instill in a resilient cybersecurity culture and keep life-saving services running.

3:28

We’ll dive into the public safety threat landscape, leadership’s role in cyber readiness, how to build a cyber ready culture, and at the end we’ll give you the steps to take and then answer some of your questions.

3:40

Your host for today’s webinar is Sean Scott, Secular’s Chief Technology Officer.

3:45

Sean has over 30 years of cybersecurity experience and is a veteran of the United States Air Force Rudy served as an electronic warfare specialist.

3:53

He possesses expertise in both hardware and software development and has built numerous types of cyber defense systems.

4:00

Today, he continues to contribute to upgrading new layers of cyber defense technologies and now builds Secular’s patented proprietary state of the art cybersecurity monitoring device used by Secular’s 24-7-365 SOC to cyber protect our clients.

4:15

Sean is also on the board for Sysric 9.

4:18

And with that, Sean, I think we’re ready to get today’s presentation started.

4:22

Awesome, thank you, Justin, and welcome everybody.

4:26

And let me emphasize it again, questions are really, really welcome through this process.

4:31

We wanna make sure that we get to the heart of the issue and really address, what can leadership do?

4:37

How do we make it better?

4:38

What are the things that we can do to improve our world going forward so we can be more cyber secure?

4:45

And as we look at it, there’s a bunch of attacks.

4:48

We all know this, but it continues to increase.

4:52

We track those, all the publicly reported ones available on the internet or through reading materials, et cetera, newspapers, old school, right?

5:01

What we’re doing there is giving you a view and understanding what’s happening in your locality, right?

5:09

Or what’s happening next door, because that’s really where you should be looking.

5:13

And I know it says 46 states and DC over the past 24 months, But once again, remember, these are the ones that made the news.

5:22

And unfortunately, attacks are becoming commonplace, especially against critical operations in our public safety and local government areas, right?

5:30

We see it every day.

5:32

And so sometimes it isn’t reported.

5:35

Doesn’t mean it’s not happening.

5:36

And as we look forward into this and get a better understanding, we have to acknowledge that the threat is real.

5:44

I did have a director recently come up to me and said, is this kind of like a Y2K?

5:49

And I’m like, no, unfortunately, this is real.

5:51

And in some parts, Y2K were too, by the way.

5:54

I had to live through that as well.

5:57

And the idea here is to understand that it’s not just a technology problem, right?

6:03

It’s really all of us.

6:05

And leadership actually is the most critical role.

6:08

And that’s why we’re focusing in about the culture and leadership and how to get ahead of this, right?

6:13

Or at least how to keep up with it.

6:15

That’s really important, especially as we look at the urgency of the attacks.

6:21

We talk about 83% of attacks that impacted computer-aided dispatch side of things began on the municipal and law enforcement network.

6:30

In other words, it came in in one of our additional necessary network or one of those connections to a very important service or vendor, and that’s how it came in.

6:43

And we continue to see the increase right, two times increase in 2024. And unfortunately, 2025 is even bigger. And we keep seeing that.

6:53

And if we look at just the beginning of this year, 52% spike in overall public safety attacks observed from January to February. That’s in one month. So we need to be aware of it.

7:04

And when we look at the impact, what is this, you know, what’s the issue?

7:08

How hard is it to overcome.

7:10

Well, if we have to go back to pen and paper or heaven forbid, we lose the calls themselves. We’re not able to actually answer the phone. It’s really bad.

7:21

When we look here, the minimum time, the average time of the lesser attacks was 15 days.

7:30

And if you look at how some extended it into six weeks and some months and others, it was a years before they were fully back up and running the way they wanted to be, right?

7:40

Because of the impact.

7:42

So let’s start with our first poll.

7:44

And you wanna go ahead and launch this one for us, Justin.

7:47

When we talk about how confident are you?

7:50

So where are you today?

7:51

How do you feel today about your status, where you all are, and really get behind that?

7:57

Are you very confident?

7:59

One, are you somewhat confident?

8:01

Two, or are you really worried about it?

8:03

And that’s why you’re here on the webinar, right?

8:05

I imagine we’ll have all three.

8:07

And this is just for us to share between ourselves and really talk about the usefulness and really understand where we are today or where we feel we are, right?

8:17

Which is the most critical component.

8:20

So let’s do this one really quickly and give another 10 seconds or so, Justin, and then go ahead and close it for me.

8:28

One, very confident, two, somewhat confident, or three, not confident at all.

8:33

All right, let’s go ahead and close the poll.

8:36

Did we get some replies?

8:38

We did.

8:39

So 50% of the audience today feels very confident, which obviously is good.

8:44

25% of the audience said they’re somewhat confident.

8:47

And like you said, we get all across the board.

8:50

25% say they are not confident in their cyber readiness today.

8:56

Well, that’s good.

8:56

And there’s more than four people, by the way.

8:58

So that’s actually a good number.

9:00

I’m just sure it worked out to be an even number this time of who responded.

9:04

So we very much appreciate it.

9:06

Your feedback just keeps us going, helps us understand where you’re at.

9:10

So those who are very confident, that’s good.

9:13

I hope today is a reminder, I hope it re-emphasizes or verifies the things that you’re already doing.

9:18

Those who are somewhat confident, well, maybe this will give you some ideas.

9:23

And for the group that said, we’re not confident at all, the goal will be here to not just understand the threat, but what do we do first?

9:32

How do we start down this journey, if you will?

9:35

And I’d like to say that cybersecurity is a journey, not a destination.

9:40

We have to keep moving.

9:41

We have to keep improving, even if we think it’s good enough, right?

9:45

That’s the time when they usually get us, is when we are feeling a little too relaxed about it.

9:51

So let’s not go there.

9:53

Why?

9:53

Because there’s plenty of threats against it.

9:55

It’s really happening.

9:56

And if we go back in time and we look at what happened to Baltimore in 2018, Now this is not the citywide attack.

10:03

This happened a few months before that, actually a year before that, and this was actually targeted at the 9-1-1 side.

10:10

I know a great deal about this one because we made recommendations.

10:13

We came in after the fact, helped them understand the attack, and by the way later on when the entire city was affected by a major attack, the 9-1-1 side was not because they had stepped up their preparation. They had done a lot of the things we asked them to.

10:30

All kudos to them and their team so that they didn’t have to lose the cat yet again when the rest of the city was affected.

10:37

Now, the rest of city go down, did still affect them, right? They couldn’t get paid. They couldn’t get emails.

10:42

You know, there were a lot of issues for the 911 side of Baltimore in the later attack, but it wasn’t directly affected because they had done the work, right?

10:52

And so that’s really the lesson learned here.

10:55

Their leadership stepped up after an attack, And that’s what everybody does, by the way.

11:00

Once we’ve been hit, we get better, so that it’s much harder to hit us a second time, although we are 80% likely to have another successful attack after the first one.

11:09

So let’s be prepared.

11:11

And we’re also seeing a larger number of TDoS attacks, Telephone Denial of Service, those attacks that are designed to hit call centers.

11:19

And 911 is a big call center, right?

11:22

And so really understanding that and really preparing for it is something we have to look forward to.

11:28

We have to start planning for, we have to ask our vendors the hard questions.

11:32

And when we look at the overall effect, and 911 related systems experienced some form of cyber or infrastructure outage, nearly 90% of ECCs every year.

11:44

So it’s really important that we get our hands around it.

11:47

And once again, just in the TIDAS world, we’ve seen a 9% significant rise and successful attacks against us, right?

11:57

Public safety.

11:59

Why should we be concerned?

12:00

Well, one, it makes it harder for us to do our jobs, disruption of our services, delaying our responses, our ability to take calls and handle them more readily to use the computer aid to dispatch and sometimes the radios, the other side of it, really important, breach of data and evidence, whether that’s our personnel data, right?

12:20

Not something we want released or our evidentiary data.

12:24

And is the chain of custody broken because the bad guys got in and touched something, right?

12:29

So we really need to understand that.

12:31

We have to include that in the scope of what we’re thinking about.

12:35

How do we protect it?

12:37

Strain on operators.

12:38

Yes, working from pen and paper and old school is harder.

12:42

We’re not as efficient and therefore we struggle more, especially in operationally more advanced times, right?

12:53

during a storm or during a holiday, for example, and they love to hit us. Why?

12:57

Because they know that we’re on holiday. And so they really look at that.

13:01

And then the risk to public safety, right? And any time public safety is affected, it could endanger lives.

13:08

So we really want to get ahead of that. All right. The other side here is we see this misconception a lot.

13:17

Our, you know, that’s an IT problem or the tools that we have should take care of that.

13:21

Our firewall is there to protect us.

13:23

Well, yeah, if you’re updating it, you’re doing it right, and it’s not full of holes, and it itself isn’t a vulnerability, right?

13:30

So really understanding the risk, getting our hands around it, and building a culture that isn’t just based on those tools and technology, you know.

13:41

I like to call it ostrich modes, right?

13:43

We have our heads buried in the sand, assuming nobody can get us, because they can’t see us.

13:47

Well, we really need to look forward into building a culture around cybersecurity from RFP to all of our call takers and everybody assuming some level of responsibility so that together we can do it.

14:03

And when we talk about attacks such as what recently took out Minneapolis, St.

14:08

Paul, they had an issue where it’s a massive cyber attack disrupted citywide communications really affected everything they send in the National Guard.

14:19

And interestingly, the dispatch state operation, they went old school, they had the methodology, they knew what to do, and they followed it.

14:29

Even the even the mayor made really good communication, right?

14:33

So part of their plan was to communicate what our status is, because if you don’t communicate, people assume the worst and panic ensues, and they’ll start calling 911 to see if it’s working, right?

14:45

The worst kind of case, because then suddenly our own people are dosing us, right?

14:50

They’re taking us out because they’re calling us too often.

14:53

And so that denial of service grows and it becomes more difficult in the midst of a difficult time.

14:59

And so when we look at this and when we have the communication, when we’re prepared, we build this resiliency, if you will.

15:07

And it comes right out of the Cyber Incident Response Plan from CIS.

15:10

It’s one of my favorites, by the way.

15:12

NIST has a really good one too.

15:14

And I often use the NIST graphics because it’s a really, really good learning tool.

15:19

But all of this comes back to effective leadership, making the decision to make cyber important, to listen to webinars, to show up, to bring it up to date, and really start training and doing the other less expensive parts.

15:33

I’m not talking about spending a tremendous amount of money, but I am talking investing in your cyber on a daily basis, really, really stepping up our game and building that into our day-to-day operation.

15:45

So our operational technology is part of the IT information technology and they have to work well together. And so that really gives us a culture of resiliency.

15:56

It gives us the ability to to get into it and really step up our game. And this is a perfect poll for that.

16:04

Which cultural challenge is hardest in your organization today, right?

16:08

So what are the things you guys are really having difficulty with.

16:12

Public schools, for example, have a huge issue with running phishing tests, training around phishing because they feel like somebody is testing them.

16:23

And that causes kind of a distrust, if you will, but it’s a necessary thing, a very necessary thing.

16:30

All right, so in your organization, we know how difficult reporting is.

16:34

Is that the number one challenge?

16:36

Is it trying to get people to buy in on multi-factor authentication or updating their passwords and doing all the password stuff.

16:44

I mean, for over 30 years, I’ve been talking about passwords, right?

16:48

And it’s really important we understand that there’s a risk.

16:52

And when we talk about vendor trust, we’re talking about the entire vendor management process and having them part of the answer, right?

16:59

Including them as partners in us surviving a cyber attack and what happens if they get hacked and how is that gonna affect us?

17:06

And then training fatigue, there’s a lot going on in our centers and we have to train for pretty much everything all the time.

17:15

Is this also difficult to get them to pay attention to?

17:19

I know it is, the question is, which of these is the worst?

17:22

So give us your best here.

17:24

How are we looking on the responses, Justin?

17:27

Pretty good, and I was gonna add it too.

17:29

If you don’t see one on the list that’s been an issue for you, if you’ve got something that specifically stands out to you that we don’t have on the list here, feel free to leave it in the comments or chat or as a question to see which other ones are impacting you if you don’t see the one here.

17:43

But yeah, we’ve got pretty much everybody in at this point.

17:46

So we can go ahead and share the results.

17:51

And 25% say that reporting is an issue for them right now.

17:55

And 50% say that MFA buy-in is their biggest challenge.

18:00

And then 50% also say training fatigue is an issue as well.

18:05

Interesting.

18:06

So vendor trust didn’t make the list, which is good, right?

18:09

I want to see the vendors stepping up the game and hopefully helping.

18:13

A lot of attacks we’ve seen recently have unfortunately come through a weakness on the vendor side.

18:19

So we just want to make sure we’re covering that.

18:21

Reporting is always difficult, right?

18:23

Getting people to follow whatever the procedures are, the audit requirements and CGS, criminal justice information and that side of the world.

18:32

But multi-factor buy-in is surprising to me because everybody has to deal with it at their bank or in some way, shape, or form in some area that’s concerning to them or a service that they’re being provided.

18:47

So when I talk to people about multifactoring, talk about the importance, I really focus in on the fact that there’s a reason why your bank makes you do it, right?

18:57

If all else fails, multifactory can save the day, right?

19:02

If somebody were able to get your password or find it under your keyboard or all the things that we shouldn’t do, including using bad passwords, then we have at least another step or maybe two on that multifactor piece.

19:18

And so there is really what we’re trying for on the buy-in.

19:22

And training fatigue is really about how do we keep people interested in all of these things and what can we do next to encourage them and really get them behind this process because training is perhaps the easiest, most return on investment, if you will, in the cybersecurity realm.

19:43

If we start spending more time, really focusing in on those things.

19:48

So I hope that helps with those concerns and answers.

19:51

Let’s move on a little bit and talk about how can we be ready?

19:54

What is leadership’s role and why should leadership step up, right?

19:58

Let’s give you some good reasons here.

20:00

when we talk about really CISA addressing, I’ve got some help here, the CISA addressing the needs on cybersecurity.

20:10

What we’re really trying to do is make sure that we understand the effect and the aspects within our organization that we want to achieve success.

20:22

Really understanding that and getting behind it, whether it’s Trent Frazier from CISA making those recommendations.

20:29

And once again, it’s the number one thing that we can do.

20:33

It’s the first pillar is stepping up and saying, we need to be more cyber secure.

20:37

Even if you feel confident in where you are today, I challenge you to continue improvement, right?

20:44

I challenge you to find those things and make sure that we’re sharing all the way down through the ranks that it’s not just an IT job.

20:52

I, you know, we do a lot of talks and show up at a lot of the shows, APCO and Nina and others.

20:58

And one of the things I keep getting from people is, oh, the IT job does that, or the IT team handles all our cybersecurity.

21:05

I don’t have to worry.

21:06

I’m like, no, we should all be worried, at least at some level.

21:09

I don’t want people not performing their job because they’re so worried about cyber, but I do want them to think about whether or not they just did a good thing with clicking a link or that password, right?

21:19

So we really want to make sure that it’s not just an IT job, and that really comes from leadership.

21:25

and you’ve got to buy into it.

21:27

You have to embrace things like multi-factor.

21:31

I was at a sheriff once and in his office talking about cyber use, if you make me change my password again, I will shoot you.

21:38

Now, I think he was joking.

21:41

The point is, it’s really annoying.

21:43

Everybody is tired of changing their passwords.

21:47

So when I talk about multi-factor, I said, yes, but this also makes it more protected, better protected.

21:54

because now if they get that password, we still have another plan, another way that they have to hack something else as well before they can use it.

22:01

It is not 100%.

22:03

And so when we talk about that and we start considering implementing things, and then let’s make this a daily thing.

22:10

We have a cyber minute, just a minute each day, each time we do a briefing or a shift change.

22:16

And then we also do the drills.

22:19

What happened next door?

22:20

What happened in our neighboring county or community or PSAP?

22:23

And what did they do about it?

22:25

How did they recover?

22:27

How bad was it?

22:28

Or did they simply laugh it off because they were ready and it didn’t really impact their overall operation.

22:36

So getting our arms around it, doing those cyber briefs, really a good place to start.

22:41

And once again, it’s modeling cyber leadership.

22:43

You’ve got to develop your own desire, your own understanding.

22:49

You are here today to learn this stuff, right?

22:52

You’re here at least to hear my opinion on a lot of these things, or Justin, in my opinion, backed by lots of research and really accurate findings so that we can understand that sharing accounts is bad.

23:06

Well, we all know that.

23:07

We know we’re not supposed to share accounts, but we also have systems in place where sometimes people don’t want to share account or do want to share account because it prevents downtime.

23:18

We don’t have to reboot that system.

23:20

We don’t have to log off and log back in.

23:22

But those simple things can also mean that we’re better protected, not if, but when something bad happens, right?

23:29

If we do log off and we log back in, maybe that second account isn’t as accessible as the first one was, right?

23:36

And maybe they’re using better passwords or multifactor or our IT admins are, and social leadership, by the way, let’s start there and work down.

23:46

And then what happens is people stop sharing.

23:49

People stop writing it down because we make an issue of it We talk about it and we build a culture around that information sharing that it’s them Enthusiastically helping us protect ourselves, right?

24:02

That’s really the goal here I’ve seen organizations where you know, it’s okay.

24:07

There’s no social media whatsoever anywhere in our organization Mmm, and then you walk around and you see it, right?

24:15

We see it running in different places we see people utilizing it in sometimes necessary ways, right?

24:21

They’re doing investigations or they’re looking up to see to make sure that somebody’s at home or there’s other ways to actually look in and use social media.

24:31

I’m not against it a hundred percent, but it belongs in a very protected, very rigidly controlled environment, same as I would do with AI.

24:40

And a lot of places are saying, oh, we’re afraid of implementing AI.

24:44

Actually, it’s a useful tool.

24:45

And the bad guys are already using it against us.

24:48

We use it daily.

24:49

And I want to encourage others to do so as well, as long as they understand the risks, they train about it.

24:56

And the biggest lesson here is really, if we scare people into not telling us, right?

25:03

If they click the link, the worst thing they can do is pretend it didn’t happen.

25:07

Delete the message, get rid of all the evidence and not tell IT or anybody else because they’re afraid of getting in trouble.

25:15

So, what happens is that little bit of access that they gave somebody by clicking link or that bad series of events that they just kicked off, right, and the step one in the attack plan, if you will.

25:27

And step two is then passwords, and step three, you know, as they grow through that process, if they don’t tell us they did step one, if somebody doesn’t step up and we can’t look into it, we don’t know about it, we will be surprised later.

25:40

And the average well time, that means the average time that the bad guys have access to our systems is 80 days on average.

25:51

What does that mean? Well, that means something happened to let them in and we weren’t aware of it.

25:56

Could have been it clicking on a link. And if they don’t report it, they don’t honestly be able to tell you because they’re afraid.

26:03

What we have to do is step up and change that culture. We have to make sure that they trust they’re not going to get in trouble about it.

26:10

Yeah, we’re gonna we’re gonna talk about it. We’re gonna have to do some more training.

26:14

That’s that’s at least Part of the process at the same point. Thank you for stepping up.

26:20

Thank you for telling us you made a mistake Thank you for telling us that your password or your building ID may have been lost or compromised You know really understanding it so that we can build this culture of trust So they tell us so we can report it we can investigate it Hopefully before it becomes bad, right?

26:40

I’ve seen that be incredibly impactful in the middle of an attack.

26:44

And so we wanna make sure we understand that and encourage that as leaders to make that trust viable, to make that trust exist because people will make mistakes and they will be attacked.

26:57

We know it’s almost inevitable.

26:59

We’re gonna have to clean up a mess sooner or later.

27:02

It’s not if, but when.

27:03

If you accept all of that as possibilities, then we have to also accept the fact that if we punish everyone all the time for making a mistake, well, and they don’t have to tell us about the mistake by clicking a link, then they’re just going to hide it. And it’s not going to go away. It’s going to get worse, right?

27:23

It’s going to faster. They’re going to use that time to do more damage, to do more harm.

27:28

And so when we look at it, when we step up and we follow like CIS’s recommendations here about looking at how are things disruptive?

27:37

Well, a lot of the times it’s because we’re not patching as often as we should. Now, why does that happen from a leadership standpoint?

27:44

Well, because patching is painful, patching breaks things, patching is sometimes not done at the vendor level, right?

27:52

And so when we don’t do those things, when we are not keeping up to date, because it’s very difficult and hard and takes a lot of resources to do so, I understand the problem, but then we’re also opening us up to greater attacks.

28:06

And so really assuming that it will happen, if we don’t patch and update as quickly as we possibly can, we still do the best we can to keep up.

28:18

And then we plan for what happens when it all goes wrong, building that into our continuity plans, building it into an instant response plan, and training on it, really stepping up.

28:30

because when we talk about the disruption to our data, the tampering or corruption of our evidence, if you will, especially in the CGIS side.

28:41

But what about GIS?

28:42

When we talk about location services and information services tied to that location, if they were able to affect that too, that would be really bad, right?

28:52

So we have to look at it from hackers’ eyes and from that perspective of what could happen if.

28:59

And if we ask ourselves those questions and then we plan for it, at least we have a plan.

29:04

At least we thought about it.

29:05

At least we know that we might have to go to pen and paper and here’s the pen, here’s the paper and this is how you fill it out, right?

29:12

So we really, really try to understand that and understanding that hackers are attacking us.

29:19

They are going after public safety.

29:22

It’s in the news.

29:23

It’s, you know, if you don’t wanna take my word for it, then call one of the centers I had to help last week, right?

29:29

I’m really understanding that it’s there.

29:32

And from a top down, planning for it, making sure that we train for it just as we did for any other incident, right?

29:40

If it’s a hurricane, I’m in Florida right now.

29:42

Well, we are pretty prepared for hurricanes down here.

29:45

And if we’re not, well, that’s shame on us because it’s gonna happen, right?

29:49

We know there will be a hurricane sooner or later.

29:51

And that last year I lived through too.

29:53

So really understanding it and then training for it making sure that we we share that training and that Managers are training, you know the assistant managers and the assistant managers are training the call takers and everybody else so that we have that culture built into it and That we all step up so that we assume it’s not just an IT thing, right and that really helps Where do we get into issues as leadership?

30:20

We often have to juggle resources and it’s hard to invest in something that we don’t feel has happened yet and I hear this a lot and well why would they attack us they have never attacked us before I’m like well you don’t know if they actually attacked you before we found one center where the bad guys were sitting in there since 2012 hadn’t really done anything bad yet they were just waiting for that moment the bad moment to affect that county.

30:51

And so when we understand a threat is real, we are looking for the red flags instead of ignoring them, and we’re talking to our staff about it. If you see something weird, say something.

31:02

When we hear that in our real world, in the operational side, well we have to do that on the information side as well.

31:09

And really understanding that complete trust in vendors, even us, we are not providing a hundred percent protection.

31:17

We can help you lower the risk, improve the cybersecurity, and continue to evolve it every day, every minute of every day.

31:25

Does that make you 100% safe?

31:27

It does not.

31:28

And so when you get into that, hey, it’s an air gap system.

31:32

They’re not gonna attack it because it’s air gap.

31:34

Okay, but then how does it get, how does it actually work?

31:38

How does it function if it’s not tied to a system that somehow delivers, I don’t know, a call, or a radio communication or a microwave transmission and satellite.

31:49

And if you think none of those can be hacked, well, we don’t live in the same world or we do live in the same world.

31:55

And I haven’t had the chance to share my paranoia, which may or may not be real, actually, unfortunately, just because I’m paranoid doesn’t mean they’re not out to get me, right?

32:06

We have to understand that we really understand.

32:08

And then if we stop doing things like punishing mistakes, Yes, I know Bob is going to click on every single.

32:16

Every single time somebody sends me a link, whether it’s in a text or email or on his phone, it’s going to see that.

32:23

And the point is, then we plan for when Bob’s system gets hacked.

32:28

And we train Bob on why not to do that.

32:31

And then maybe we create our own segment and put Bob in that segment, right?

32:35

And make sure that his roles and access are limited.

32:39

And so that when they hack him, it won’t be able to do as much damage, right?

32:44

And then we watch it so that when Bob’s system gets hacked, we’re more aware and we can react more quickly and train Bob’s more on it.

32:51

The point is, these attacks don’t just weaken the defenses.

32:56

They erode the trust.

32:57

They really affect us in a negative way because everybody feels like, well, why didn’t the firewall stop that?

33:02

We should change firewalls.

33:04

Like, do we need to change firewalls or do we need to update ours?

33:08

Do we need to put another firewall to protect our firewall, whatever we need to do and to think out of the box, right?

33:14

Try and stay ahead of it.

33:16

Because when we look at things like in Pennsylvania, they had a statewide intermittent 911 outage.

33:24

Now, I get calls every time this kind of thing happens.

33:29

Why?

33:29

Because people say, are they being cyber attacked?

33:32

Well, I don’t honestly know until we start investigating, right?

33:35

Or they contact us for help or they share information.

33:38

We find that as we share that information, as we get the information out there, it wasn’t an act of sabotage or it wasn’t part of an attack.

33:49

In this case, a system had gone down and they’re working quickly with the vendors to restore it.

33:56

They got it back up and running.

33:57

And the issue is here is to continue to ensure it is there when you need it, right?

34:04

That’s really the heart of 911.

34:06

When people need us, we have to be there.

34:08

And so that means we’ve got to be operational as much as possible.

34:12

And when we look at this one too, once again, a bunch of people called me, it’s Massachusetts hacked.

34:19

Nothing I see is related to a cyber attack against Massachusetts.

34:23

However, in this case, a safety feature that prevents cyber attacks on their firewall was actually blocking all the calls.

34:32

Here is the state where we have to be very careful that we are not corporations.

34:36

We cannot run the same patches or methodology or updates or firewall rules that are used in the corporate world, right?

34:46

And here, Michelle Wu, mayor of Boston, called it out early to help people understand that this has happened.

34:53

We’re working on it. We’re getting it back up and running. And within two hours, they restored services.

34:58

The problem is that firewall was updated in a way and wasn’t tested in how it could actually affect 9-1-1.

35:08

So square peg, round hole, right?

35:10

When we talk about 9-1-1, our mission is unique.

35:14

We talk about public safety and critical infrastructure.

35:17

Each of those missions has a different functionality.

35:20

So understanding that we can’t just apply all the rules like we would in the corporate world.

35:26

Yeah, they don’t need to talk to somebody they don’t know.

35:28

Well, 911 does, right?

35:30

And so really understanding that and building it into the architecture of the culture.

35:35

And so as we move forward here, when we talk about a ready culture, committed leadership, communication is key here, talk about it.

35:44

Talk about how are we gonna do it?

35:46

Where’s the plan?

35:47

Bring it out in the light of day.

35:49

Talk about the concerns people have and then build that into the awareness around policies, around training and make sure that people understand what that policy means.

36:00

Great, you have a multi-factor authentication policy.

36:03

Are you using it?

36:05

Does anybody, have they read it?

36:06

Do they understand where it comes from?

36:09

And the same with AI.

36:10

Do you have an AI policy?

36:12

Are you allowing it?

36:13

Is it chaos reigning in the AI world inside your network or are you reigning in chaos?

36:18

You’re saying, here’s how we use it.

36:20

And these are the safeguards, the guard rails.

36:23

As we use it, here’s what we do.

36:25

put that into your policy. Make sure that people know how to get it. They read about it.

36:30

They understand that these are what we’re doing with social media and other things, right?

36:34

Create that awareness.

36:36

And then when things break, when it goes south, when somebody makes a mistake, have them step up and have procedures on how they handle it, right?

36:45

We’re required to do this in the CJIS world, the criminal justice information side, but we can do this across the We really have to understand and protect the person stepping forward, encourage them instead of punishing.

37:00

It’s hard because you’re like, Bob, you click the link again, right?

37:03

And it’s frustrating. I understand.

37:06

Or they forgot their password again.

37:08

But yet if we’re incorporating better passwords, they’re harder to remember.

37:12

So people tend to take shortcuts.

37:14

Well, we have to teach them not to do that.

37:16

It’s better to reset than to have it exposed, right?

37:20

And then in the response side, the numbers we’re still trying to improve on 84% of our centers currently today don’t have an incident response plan that deals with cyber.

37:34

Yeah, we got great continuity of operations plans we always are ready with our coup plan rated to dust it off and bring it out, because we’ve been through a wildfire or an earthquake in the west coast right and so when we talk about these things, we have plans for them. It’s the same in the cyber world. We have to plan for it.

37:56

It can be as devastating as an earthquake or heaven forbid it is that bad, but it could be.

38:01

And so really understanding it and all of these, each one of these layers helps our recovery.

38:06

It helps us understand.

38:08

And if we’ve gone through the drill, we know what to recover first and how to recover it. It really helps us understand the issue, but get ahead of it, get ready for it.

38:17

And that’s really where we want to point you out.

38:20

First steps, in my opinion, appoint a cyber champion, or champions, right?

38:24

Get people behind this process from different areas in your organization and then give them the policies that we want them to use.

38:33

Here’s our multi-factor authentication policy or if you’re still using passwords, here’s our password creation policy and here’s how we protect that policy.

38:42

Here’s how we protect those passwords.

38:44

Getting people to understand that is really important and step one in the training, right?

38:49

That’s how we start down this journey and then how we continue that journey and we can do it in little bits.

38:54

Add a cyber brief to your ship briefings.

38:57

What did we see today?

38:58

What didn’t we see today?

39:00

And all of these little actions actually help develop a culture, they really do.

39:04

And if that champion is outspoken and steps up and really talks to the team once in a while and lets them understand what happened two counties over or a state over or how bad it could be if we don’t do this.

39:19

This will help you improve.

39:20

All right, how do we measure that?

39:23

How do we see it in leadership?

39:24

It’s really important to know how we’re doing, right?

39:27

So if we start looking at more reporting, we’re able to do faster instant response and therefore reduce downtime.

39:34

It’s really important.

39:35

That is a good way to look at it.

39:38

And if we look at how are people doing, how are they accepting the new tools, not just deploying them?

39:45

Are they using the methodologies that we give them?

39:48

And can we get that reporting time down?

39:51

If we can get them to report things more quickly, hey, I clicked a link, sorry, that’s okay.

39:57

Here’s some training about why we don’t do that.

39:58

And by the way, let’s look into that really quickly before it spreads.

40:04

Last year, we had six criticals across our entire install base in 32 states.

40:10

I like this story.

40:11

Six incidents sounds bad.

40:13

Well, four were self-inflicted.

40:15

People did things that we told them not to do.

40:17

We tried to train them not to do, and the bad guys used that to attack.

40:22

And then two were brute force, meaning they knocked on the door and found a weakness, got in.

40:27

In all six of them, because of our customers, because of the IT team, because of the leadership, they stepped up and did whatever we needed them to do to isolate, contain, and immediately remediate those issues.

40:42

There was no operational impact, zero.

40:45

That’s a success, but that’s not our success.

40:48

It’s together our success because you as partners in this relationship stepped up.

40:54

You’ve got to do that with your vendors.

40:56

You’ve got to make sure your people are working together and you include the vendors in that equation.

41:00

Otherwise it will come back to hurt you, right?

41:02

We really want to make sure that we’re getting ahead of it.

41:05

All right, let me give you some next steps and then we’ll move on to some Q &A.

41:09

So get your questions ready if you will.

41:11

Key takeaway from leaders here, cyber awareness and readiness start with you.

41:16

You need to step up this game, you need to step it up and you can appoint somebody else.

41:20

I’m okay with that, but support them.

41:22

Don’t laugh at them.

41:23

Don’t make it, oh, you’re gonna talk about passwords again.

41:26

Well, for 30 years, yeah, I still have to talk about passwords.

41:29

Do you know why?

41:30

Because the number one password last year was 12345678.

41:36

For the first time, they used eight consecutive numbers.

41:40

I’m like, great.

41:41

How long does that take to hack?

41:43

Well, it takes such a short time, it’s hard to measure for the bad guys.

41:48

So we don’t use one, two, three, four, five, six, seven, eight, but yet it’s still there.

41:52

Somebody out there is still using that.

41:55

Hopefully not in our centers, right?

41:56

Because we give them rules on how to create a policy, on how to create a good password.

42:01

And then we make sure that’s enforceable through whatever password mechanism they log into, right?

42:06

That builds that culture.

42:08

using your leadership to improve things around passwords and training and getting people to just think about.

42:15

Really don’t plug that USB you found in the parking lot into your computer, especially in your cat workstation, right?

42:23

Yet it happens.

42:23

It’s still an effective attack methodology.

42:26

But if we start these processes, if we start those conversations, we can actually act now and immediately start that journey.

42:36

And then as we go down the journey, And you’ll find new ways to affect it.

42:40

Henry County, Tennessee.

42:42

Chad, thank you again for allowing me to talk about it.

42:45

Amazing team, amazing step.

42:48

They have the honor of being the first public safety answering point to have been hacked and made the news, right?

42:55

Way back in the day.

42:57

So way back then.

42:59

Today, they have a really strong culture, a really good methodology supported by leadership that allows them to use things like their outside badge is one of their multi-factor things, right?

43:11

So when they enter the building, they can go up to the computer, then they put in their code and everything else, and suddenly they’re in.

43:18

That doesn’t require a password, right?

43:21

But it does require them to be them and then to be in the room, and it’s a different way of doing it.

43:27

And they’ve stepped up that culture across the board.

43:30

That’s just one instance.

43:31

They’ve done a really good job of taking it to that next level.

43:33

So all kudos to them and that’s because it got hacked way back when and now they’re doing the right things Alright, so one more poll here, which leadership action will you take first?

43:44

So I’m challenging you pick one of these Let’s start here. Are you going to lead by example? Are you going to set up the behaviors?

43:50

Are you going to use multifactor first and then make everybody else do it?

43:55

Then also I would encourage the blame-free reporting make them aware that it’s okay to step forward and tell us you made a mistake before we find out the hard way.

44:05

Embedding cyber into daily ops could be a cyber minute.

44:08

It can be a brief.

44:09

It can include, hey, this happened two counties over and this is the way it started.

44:15

And then building that into our training, our tabletops, our drills, we can drill on cyber so that we’re ready and that actually improves our plans, right?

44:24

Because we’re taking the plan out, we’re dusting it off and running through some what ifs.

44:29

And then what about appointing a cyber champion?

44:31

So pick your one.

44:32

pick anyone just let us know which one you guys want to start with first or that you feel strongest about already doing.

44:37

I’m not saying that you’re not doing any of these because pick your favorite and let us know so that others can can understand which one you started with.

44:46

That’s really what this is about. How are we doing Justin? We can just wait on a few more votes here.

44:55

If you don’t see an answer you like feel free to you know show in the comments what other steps are you going to comments, the questions or anywhere else in the chat.

45:09

Very good.

45:11

All right, go ahead.

45:13

So we’ve got an even split.

45:15

50% say that they are going to encourage blame-free reporting and then 50% said they’re gonna embed cyber into their daily operations.

45:24

Yeah, I like both of those.

45:26

Nothing wrong with those choices in my opinion.

45:28

That’s a good place to start and it makes sense, right?

45:32

All right, now we also have as leaders, the responsibility of ensuring compliance right because when we break compliance everybody comes to us and said why did you not do xyz and so there are some new uh fbi requirements and department justice released some new cgs in fact 6.0 takes effect october 1st uh so what 14 days from now make sure we’re ready make sure that you understand the changes and the new requirements And by the way, they’re trying to lead us into better security, right?

46:05

For the longest time, they weren’t where they should have been.

46:09

And so they recognize it, and Chris Weatherly and that team have done a phenomenal job of giving us a big list of things to do that are impactful.

46:19

So get behind it as much as you can, support it, and do the best you can to hit all of those requirements.

46:25

And we talk about good partners.

46:26

NIST has always led the way, especially talking about 853, really impactful in our world.

46:33

Read through the controls, please, and really understand that.

46:37

And of course, the cybersecurity framework from NIST is also amazing, NIST CSF.

46:43

And don’t hesitate to reach to your stated agencies, especially around the new features requirements, because they’re trying to get their hands around it while they’re always a good resource.

46:53

And remember, they’re there to guide us through those steps, if you will, make sure we’re doing everything we can, so they’re also a good resource.

47:02

Ask them what we need to do, right?

47:04

That’s always good.

47:05

We keep emphasizing training, and our partnership with AppCo, they teach all of these courses for us, but we help write the books.

47:14

We are part of that dialogue.

47:16

We’re helping in that way because it’s impactful.

47:19

We’re investing in you all on the training side because, well, that makes our job easier later, right?

47:25

So it is not completely without warrant on our side as well because it does greatly improve our cybersecurity and can reduce the risk by up to 40% immediately.

47:39

So start there.

47:39

That’s one of the good things.

47:41

I’m sure you all are doing it in some way.

47:43

The other thing I would challenge you is to get your hands around and get done a risk assessment.

47:49

Really understanding what’s happening, sometimes statewide, sometimes individual.

47:55

And then compare the notes, share the things that you need help with and ask for resources, but if you don’t do it, you won’t know.

48:03

And make sure that whatever assessment you’re doing is designed for public safety that understands what the FCC requirements are, understands the recommendations out of CISA from DHS or NIST or APCO and NINA, and really getting our hands around those guides and using them in the way that fits us best, right?

48:24

Make sure they’re helping with policy, architectural review, analyzing our plan, making sure we have one, right?

48:32

Doing all of those things so we get our arms around it.

48:35

All right, Justin, do we have, I think we’re doing perfect time.

48:37

Thank you all.

48:38

Let’s go through some questions.

48:40

Do we have any?

48:42

We do.

48:42

All right, we’ll do these in the order they have come in.

48:44

So what are some of your recommendations or advice about cybersecurity when it comes to NG911 or transitioning to NG911?

48:56

Oh, interesting.

48:57

All right, so when we look at NG, next generation 911, what we’re really talking about is all the modern way to receive and process a 911 call, especially since it’s all IPs, right?

49:09

It’s all internet protocol.

49:11

it’s little packets of information that are sometimes vulnerable or could contain malware and really understanding that, well, let’s be honest, everything is moving to an IP-based world, right?

49:23

We’re moving everything. We’re transitioning the radio communications and satellite communications.

49:29

All of those things are now just different network protocols, just like we are moving around the inside of our own networks to do good things.

49:37

When we talk about the capabilities of NG, We’re really stepping up our game.

49:41

We’re adopting new things to help improve and give us greater capabilities, more accurate location, better timely responses, and building that all into computer-aided dispatch and our customer PEM equipment, the 9-in-1 side of things, and how those calls are processed.

50:00

All of that piece is greatly enhanced by NG 9-in-1.

50:04

All right, so what’s the truth about it?

50:06

Well, there is a dark side to moving into purely IP-based technology.

50:12

It makes perfect sense, but it also opens us up to greater threat.

50:16

Well, we have to protect those things.

50:18

Now, where we just received a copper phone call, which may have been a swatting call, we don’t know, right?

50:24

But when we look at how are we looking at it as a VoIP call, are we looking at the underlying SIP protocol, or how are we aware of the new threats against that?

50:33

Well, that’s because we’re considering it.

50:36

We start with the RFP and a transition is actually a time of opportunity.

50:42

We can, it’s a really good time to implement these guides, a really good time for leadership to ask the questions of the vendors.

50:50

What are you doing for cyber?

50:52

What’s your plan?

50:52

What happens when you go down?

50:54

How is that gonna affect us, right?

50:56

Asking those questions, building that into your plan so that we know who to call, we know what communication is important and how to get our hands around it and mitigate the risk.

51:06

So look at it as an opportunity to not only improve your capabilities, but your cybersecurity as well, and invest in it.

51:12

We’ve got to start asking the question, what are you doing for cyber?

51:16

And the hens watching the hen house may not be enough, right?

51:19

We’ve got to make sure that we’re using that NIST guide and we understand it.

51:23

We need others to look at it too.

51:25

Really understanding it is really the goal there. That’s a great question.

51:28

I like that Transitions are scary.

51:32

It’s a time of change and therefore it’s an opportunity to improve our cyber But we’ve got to be more aware of the changes of the things that we could be affected by That’s a great question next Our next question is what are the steps that we should be taking to handle vendor relationships as part of cyber awareness or leadership?

51:54

Starts with the RFP in my opinion We put it in the RFP as a requirement, and then we ask the questions, what are you going to do and how is it going to help us?

52:03

Then when we do drills and training and build that plan out, communication needs to include our key partners and vendors.

52:12

We want to make sure that we know who to call, and then it’s not just on the computer that might be hacked.

52:18

Because if that one gets ransomware and we can’t get to it, then how do we know who to call?

52:22

Well, because we printed out the plan.

52:24

It makes a good door stop and hopefully you’ll never need it, but it’s always good to have and it’s not if but when we’ll need it.

52:33

My recommendation there is to talk to them, build it into the plan, and then drill with them as well, include them in that part. Good question.

52:42

Then our other question is, what would you assign to a cyber champion?

52:47

Well, let’s get them started.

52:49

That could be to do those briefings.

52:51

Find out something that’s important for people of stories.

52:56

I always try and talk about it in relation to a real event and how that event was handled.

53:03

And when we talk about the communication coming out of that Pennsylvania attack, for example, and how well St.

53:11

Paul communicated the fact that they were completely overwhelmed by a cyber attack.

53:15

They communicated that almost verbatim.

53:17

And they said, But we are doing everything we can through our plan to to focus on the keys, key and core services and then add the other things as we can. So they immediately shared that and they shared the status when Baltimore got hit. One of the things I regret about that is that they didn’t communicate how well nine on the one who’s doing.

53:41

So they didn’t want the bad guys to have any information at all Unfortunately that caused a different problem because people assumed the worst and when the city went down Right when the city was affected by cyber and all the news said hey cities out by cyber We wanted to make sure that people knew 9-1-1 was still operational They could still process the call they could still use their their CAD and the other pieces because it was isolated enough They followed our recommendations and they did it good to the level of they still could work that’s important.

54:12

So their COOP worked, their incident response plan worked, but they didn’t communicate it as part of that.

54:17

So now you’ll see any communication that includes from that center will also say, hey, here’s where we’re at, we’re up and running, or we’re at pen and paper, but we’re still receiving calls.

54:29

Really important that we understand what the options are and get that information out to people so they don’t assume the worst, right? That’s really the key there.

54:38

Any other questions, Justin? That’ll do it.

54:41

All right. Well, I very much appreciate everybody here, and I appreciate your time today.

54:46

And those who listen to this later, pick one of these topics.

54:50

Do as the teams who are listening to hear and start your journey.

54:54

That’s really my number one recommendation out of all of this. Really help us get to that next level. And we talk about free resources, et cetera.

55:04

Justin and team put together a really good guide, an ebook, if you will, on the CJIS requirements, how to start, where it is.

55:13

And they did a really good job, in my opinion, of making it in English, right?

55:18

So not just the nerds like me can read it.

55:21

No, they did a really good job of putting it so it’s understandable.

55:25

And it’ll start you down that path.

55:26

So make sure you download that or ask us for it.

55:29

Happy to make sure you get it.

55:31

Point is, you guys do an amazing job.

55:33

We are here to support you, regardless of your customer or not yet, right?

55:37

We’re here to help reach out.

55:40

It’s part of our mission.

55:41

And the reason that we exist is to help you all.

55:43

So don’t hesitate to reach out if you need us for anything.

55:47

Or you just have another question later.

55:49

Happy to help.

55:50

Very much appreciate you all and your time today.

55:52

So thank you.

55:54

Thank you, Justin.

55:55

Great job.

55:57

Thanks, everybody.