Nevada CISO Came to the State Because of Their Breach

Like Nevada CIO Tim Galluzi, newly named chief information security officer Bert Carroll had a lengthy military background on his resume coming into state government. But it was the state’s response to the breach they suffered in 2025 that drew him to the organization.

At the NASCIO Midyear Conference in Philadelphia in late April, Carroll explained that his greatest challenge is doubling the size of Nevada’s cybersecurity staff, while committing to growing their expertise in the fundamentals, without which “you're really building on an unstable platform.”



Video Transcript:
What brought you to state IT?
Believe it or not, it was the report that the state put out with respect to what happened to their breach and what were the lessons learned. So many times something's gonna go wrong. Bad things will happen to good people. However, when we're transparent about it, we can not only take that guidance ourselves, we can help others as well. I'm a firm believer that the threat actors are sharing information. If we don't share amongst ourselves as defenders, we're putting ourselves at a disadvantage.

What is your approach to leadership?
 Twenty-seven years of military experience. One of the things they trained us on was situational leadership, something I've really taken to heart. During normal operations, I use this as a time to delegate as much as I can to my staff so that they can learn and they can grow. If we're in a high-pressure, high-tempo mode, I'll be more directive. This is what we need to have done. This is when I need to have it done, the why behind it, because things will go wrong, and when the staff understands the why, they can adjust as needed to accomplish the goal. Also, making sure that I make the staff aware as to where they can find me should they need me.

What are the biggest challenges ahead in cybersecurity?
 We are doubling the size of the staff, and thank you for that question. It's a really good one. This is probably the biggest thing I have to work on that's directly in front of me, is right-sizing our staff. And by that, we're gonna double from about eight to about 16 staff. Making sure that we've got the people with the appropriate skills, with the backgrounds and the drive to do more. The people that are looking toward their future and looking toward the state's future, making sure that we're doing the right things to protect our residents.

How does the workforce feel about AI?
I think we see it both ways, where some people are embracing AI and there's others that are concerned that AI is going to eliminate their job or negatively impact them. And again, as a tool, we have to ask ourselves, what's the appropriate use of the tool? How can we use these tools to help us? When we think about IT, we think about cybersecurity, we never have enough time to get everything done. I don't see this as a threat, but I see it as an opportunity for those who want to embrace AI to be able to get more done.

Next up? “Be brilliant at the basics.”
 When we think about all the things that need to get done, I'm looking at making sure I've got the right staff in the right seats, making sure that we're also, as one of my mentors once told me, are we brilliant at the basics? There's a lot of great tech out there you can buy, but if you're not having your fundamentals in place, really you're building on an unstable platform. So we're getting the staff, 'cause they're going to do the execution. We've got some great tools. We're putting in, finding the areas that we have gaps in our security program, things we need to improve upon. Nothing major, nothing earth-shattering. But until we have those things in place, the next level of technology ... really won't give us a lot of value. Let's be brilliant at the basics.