Indiana Cyber Program Director Leaving for CISA

Chetrice Mosley-Romero will become the first CISA state cyber coordinator serving Indiana, where she expects to become more deeply involved in supporting local governments.

Indiana’s first cyber program director, Chetrice Mosley-Romero, is leaving on June 19 to join the federal government, the state announced.

She’ll stay active in Indiana cyber, however, working as the state's cybersecurity coordinator under the Cybersecurity and Infrastructure Security Agency (CISA). The state has yet to name her successor.

CISA has been working to designate a cybersecurity coordinator for each state. So far, a cyber adviser has been tackling those responsibilities for Indiana, but with her appointment, Mosley-Romero will become the first official coordinator, she said. She expects the work to include building strategic public-private partner relationships, supporting communities’ cyber response preparation efforts and sharing key threat information with critical infrastructure entities.

Mosley-Romero became Indiana’s cyber program director in 2017. Indiana’s CISO focuses internally, while Mosley-Romero’s role saw her work across several government agencies and on efforts that reach outside of state government. She leads the Indiana Executive Council on Cybersecurity (IECC), a volunteer body including several hundred advisory members. Participants come from academia; local, state and federal government; military, private sector and research entities.

While Mosley-Romero has already been engaging with local governments on cybersecurity in her cyber director role, switching to CISA lets her make this a primary focus.

“My heart is in local governments,” Mosley-Romero said. “… My role at the state is very large, and I have been able to work on local government as, honestly, [in] my extra hours. I get to do that because I love it, and I have to put in extra hours to do it, because there's just not enough time to do everything … . I’m really looking forward to being able to focus in with local government and [while] backed by resources at the federal level.”

Looking back at her time as state cyber program director, Mosley-Romero recounted starting at a time when Indiana lacked key elements, like a central cybersecurity website, a state-level cyber annex or a tested approach for how to communicate during a cyber emergency — all of which it has since added.

During the past years, she’s also worked with the IECC to guide the creation of statewide cybersecurity strategies — one in 2018 and one in 2021.

The first strategy document set a foundation for later work, establishing common cybersecurity definitions and background knowledge. The second plan built on this, adding best practice guides and tool kits as well as revisiting and expanding on many of the initiatives set forth in the earlier plan.

The state approach to cybersecurity strategies was an unusual one: While the plans came with shorter executive summaries, each document, in total, stretched roughly 2,000 pages long. But that kind of in-depth approach was essential to turning ideas into action and clearly tracking the state’s progress, Mosley-Romero said.

“It is a big plan, but if we were really going to tackle cybersecurity as a whole of state, it couldn’t have been a super-simple plan,” she said.

The plan isn’t meant to be read cover to cover but instead “a la carte”: Readers should turn to the section that speaks to their sector, where subject matter experts on the IECC have pinned down specific deliverables.

“We have 70 percent of our 2021 plan already done. And that plan was 1,900 pages long. But because the plan is so detailed and is created by the subject matter experts at that depth, people have actionable items to do something with it,” Mosley-Romero said. “It wasn’t enough to say ‘we should have more cyber awareness’ … . how do we do it? Let’s write that out.”

Some of the projects that came out of these plans focused on communication, leading to the creation of Indiana’s cyber hub website, a cyber blog for residents and a podcast for local governments, per a state press release. Other initiatives focused on offering free resources to public- and private-sector organizations, including tool kits aimed at explaining cyber liability insurance, informing health-care cybersecurity and helping emergency managers plan for cyber incidents and resilience. A cybersecurity scorecard, created in partnership with Purdue University, helps organizations quickly get a sense of their cyber postures and became “nationally recognized,” per the state.

The IECC currently counts more than 250 advisory members, “making it the largest cyber governing body in the country,” according to the release.

Supporting and engaging that council has been one of Mosley-Romero’s prime responsibilities at the state. Bringing so many people to the table gave breadth and depth to discussions of statewide cybersecurity, ensuring that decisions about all of Indiana weren’t just made by 30 people from the central region of the state, she said. The approach has brought members of key sectors like health care and finance to share their expertise, and the group includes regulators, which reduces the chances of running into issues down the road.

What she’s found to be successful — and what she’d recommend to her successor — is to see her job as one focused on empowerment and facilitating. IECC members are volunteers and keeping them engaged means trusting their expertise and helping remove barriers to the cyber work they believe is important for their sectors. That might mean offering advice, connecting them with partners and helping them navigate bureaucracy.

For example, she said, when members of the IECC Water and Wastewater subcommittee wanted to develop a cyber training for that sector, she was able to help connect them with university partners as well as a state agency willing to provide funding. That training ultimately was shared with and is now offered by the American Water Works Association, she said.
Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where Jule specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon.