About
John Thomas Flynn
John Thomas Flynn serves as a senior advisor for government programs at MeriTalk. He was the first CIO for both the State of California and the Commonwealth of Massachusetts, and was president of NASCIO.

There’s a long history in the higher reaches of the IT sphere of substantial cross-fertilization in the form of public sector CIOs moving across government levels, transferring among Federal, state and local jurisdictions, and then sometimes landing in the private sector.

We spoke with an old friend this week who recently completed the full arc of that transition, and has plenty of light to shine on the process.

By the Numbers – Customers, Budgets, Paychecks

I’ve known Chris Cruz for over two decades, beginning when I was California’s first CIO at the end of the last century. Chris has spent 30 years in California government, most of it with the state, and culminating in his position as chief deputy CIO. He left that perch just over two years ago to take over similar reins as CIO for San Joaquin County, in Stockton, Calif. Just last month, Cruz left government to join the “dreaded private sector” – as we state CIOs used to call it – to become Tanium’s CIO for SLED.

Before we discussed his new role with the endpoint security company, I had to ask about his earlier transition – going from a state with 35 million citizen-customers to a county with a population of 700,000. Cruz agreed the demographic changes were significant, but first opined about the pay. “In San Joaquin County, believe it or not, I was making more money as a CIO than I was as the chief deputy director of the state. So I think California needs to get with the times and pay their CIO accordingly.”

Beyond the pay issue, Chris explained some of the differences between the roles of state and county CIOs.

“At the state level … we’re talking billions of dollars in budget. When I was the chief deputy CIO for the state of California, I had a half billion dollar operations budget plus was responsible for $3 billion in IT projects. So that’s no easy feat, as you know, with the bureaucracy and complexity that came with that, it was hard to navigate the waters.”

At the county level, Cruz said one of the biggest differences involved oversight and stakeholder constituencies. “I reported to a board of supervisors at the county level while at the state, the governor effectuated policy at the executive level, and it was our job as managers reporting to the governor to carry that out.”

Cruz admitted that being closer to the citizens at the county level was vastly different than at the state, and that had a lot to do with him taking the job in the first place.

“One of the distinct differences was that county citizens came to our board of supervisors’ meetings, they were really ingrained and interested in what we’re trying to accomplish in the county, where you heard from the citizens directly, the good, bad or indifferent in terms of trials and tribulations in the dealing with county policies. Especially things they didn’t like,” he explained.

For Cruz, these changes were a major challenge, and a huge opportunity at the same time.

“Whereas when I testified at the state legislature, the citizen was very rarely ever in attendance,” he said. At the county, however, he heard from citizens on the street. “They would actually follow you outside, at the end of the meeting, asking to talk to you about voter registration policy for example,” Cruz said. This brought up another big difference involving state versus county CIO jurisdictions. “In San Joaquin County, I was responsible for the register of voters, which is quite different than just being a state CIO and effectuating and driving innovation, transformation and policy,” he said.

Cruz also agreed there was less bureaucratic red tape at the county level.

“The county CEO whom I reported to and the board of supervisors were very clear in what they wanted me to carry out,” he said. “And it was really easier getting folks to want to work together at the county level, getting the sheriff to work with me, the hospital administrator to work with me, the district attorney’s office to work with me, and all the other elected officials bringing all that together collectively into an enterprise governance bucket made it easier for me to get a lot accomplished in the two years I was in San Joaquin County.”

“It was like comparing – how can I say this – a county battleship versus the state aircraft carrier, the county was a little easier to turn around and navigate the waters,” he said.

Asked about lessons he learned at the county level that the state might benefit from, Cruz highlighted some examples of collaboration and communication.

“I think it’s building that collaboration at the constituent level,” Cruz answered. “Getting greater citizen engagement in whatever citizens are thinking, maybe have more focus groups, but building more relationships.”

Within state government, at the director level, the constitutional office level, and the cabinet secretary level within key agencies and departments, Cruz offered, “I think more of that communication and outreach would probably lend credence to giving the state CIO more opportunity to get more done in the state of California.”

Over to Tanium

Asked about his decision to leave the county CIO position, Cruz said, “I’m a big believer in Tanium. I brought Tanium to San Joaquin County because I had some significant challenges.”

When he first arrived at the county, Cruz explained, security was the first issue he confronted. He brought in Peter Liebert, a former CISO for the state, to perform a security assessment, and Liebert was able to make recommendations on security holes that the county needed to have fixed.

“So we looked around at different tools, and we looked at Tanium because I had the opportunity to use them at the state level,” Cruz said. “Having that exposure and seeing what the team was doing around patch management and deployment, and threat detection and response, I determined that I really needed to move forward with a product like Tanium.”

Cruz explained that in most government agencies, 20 to 30 percent of endpoints aren’t being managed. That means there are vulnerabilities in the network that cyber hackers could penetrate.

“So looking at that data, and the governance structure and assessment document that Peter put together, I was able to move forward and convince our board of supervisors that buying a tool like Tanium represented our best interest to put a single pane of glass across the entire county,” he explained. This meant that for those county organizations that were federated, their segmented networks could be monitored and managed, including the hospital, the sheriff’s department, the district attorney’s office, and across all the other 29 county departments.

A ransomware attack – the bane of local government across the country – offered another demonstration of the Tanium value. “Over my two years of being in there, I saw what it did in terms of addressing a ransomware attack that we had at the sheriff’s office, and being able to mitigate that quickly,” he said. “I was sold that this was a brand and a tool that I could get behind as a CIO.”

That value was the primary motivator for Cruz to join Tanium. “I believe the brand is a great tool. It’s a platform that’s second to none, that other organizations or other software companies, quite frankly, don’t provide.”
