I am a seasoned Operations and Management executive with over 25 years of experience in the realm of technology delivery, operations, and innovation. As a hands-on transformational leader, I deliver results in implementing business solutions, retaining and motivating high performing cross-functional teams, and managing multi-million and multi-year strategic initiatives. I tackle problems using data and analytics to drive business outcomes. I am committed to solving business problems utilizing proven methodologies. Holding an MBA, Six Sigma Quality, PMP, ITIL, and CTBME certifications.

In this interview, Mac Avancena presents extraordinary insights into innovative tech and business strategies, collaborative and next-generation processes, compelling cross-team tactics, and so much more. Discover how to proactively evolve your enterprise. Learn from the best. Mac Avancena was also invited to deliver a keynote presentation at Check Point Software’s flagship event, CPX 360.

What do you see as the CIO’s top priority right now?

I see two major priorities. One I think is uniquely qualified for general technology consumption. The other is around the technology and the government sector versus the enterprise growth in endpoint vulnerabilities in response to COVID, primarily because of remote work policies. There are big decisions around virtualized desktop experiences that will manage those imaging standards to reduce variability, for example. But more importantly, just understanding the device type and the configurations that are accessing your networking. Whereas before we would almost look at it like a bring your own kind of device type of model. Now it’s every device. And so what are our overarching policies and how do we manage all the interactions between our network and those endpoint devices with security? So that’s number one.

The other priority for me, certainly, as a CIO in the government sector, is responding to the digital divide. We have a tremendous, I think once in a generation, opportunity to provide technical or technology equity and access to underserved and quite frankly underinvested communities. I look at my environment along Kern County; as the third largest California county by square miles, a lot of our footprint is across agricultural and rural. This is a large-scale private-public partnership opportunity. Security absolutely has to be top of mind as we look to engineer those solutions and manage those ongoing customer experiences.

How do you predict that Kern County’s technology will change over the course of the next two years and how do you see yourself shaping that change?

I wish I could predict that! Listen, I think it’s all driven by the tremendous amount of investment being made in technology. For instance, you’ve got the American Recoveries Act, that’s in flight right now, so I envision our capabilities adapting to different products and services, particularly digital products and services. So for example, customer-first solutions based on what I call anywhere, any-place, anytime availability to manage our digital interactions or their visual interactions with government; I see far more self-service opportunities now that we’re engaging our customers, and the emergence of automation and AI to help rationalize demand and services.

I mean, you’re seeing it now more broadly. In response to that, I think data analytics over the next couple of years is going to help us unearth insights that we wouldn’t have been able to discover otherwise. And when you think about data sharing, for example, whether it’s private or public sector–Just in government alone, that’s a force multiplier for transformation. I think that the way in which we’ll predict what we’re going to do with technology is really going to be driven by our capability and maturity and how we’re managing our data sources and how we’re aggregating information to make informed decisions.

How do you engage with and get buy-in from diverse groups of stakeholders?

You beg. Just kidding. Yes, data driven discussions are a must. I mean, everybody has opinions, and everybody thinks they’re a technology expert and I actually welcome that because I think that tells me they have skin in the game. But it’s no longer ‘this is a tool with shiny packaging that will lead to your board to make that investment’. Rather, it’s ‘we need to be deliberate with the principle or rationalization, the implications around the solutions that we’re presenting’. And in order to get that with internal and external stakeholders, they have to agree to defining what business problem you’re trying to solve. If we can’t agree to what the business problem that we’re trying to solve, we’re just wasting cycles. So think about it– If you’re asking me how do you engage and get buy in, we all have to agree we’re targeting the same issue.

That right there is the equalizer, if you ask me. If we agree that we’re talking about the same issue, where we may disagree is in how we’re approaching it, but at least we fundamentally agree on the problem.

How do you reconcile IT initiatives with the bottom line?

Easy. Finance is the language of business. Period. Look, as technologists, it’s easy for us to get excited, to get deep into the weeds of a solution. But as a technology leader, if you aren’t able to articulate business value and business impact and then guess what; it’s vaporware.

The reality is that the boards are looking to technology to help promote change, but they want to understand how the technology will impact the population and communities. This is especially true in the government sector. What benefit is there for the citizens of Kern County? And if you’re not able to understand how that’s going to drive your financial ecosystem, then in my eyes, it may as well be vaporware.

How do you stay current when it comes to innovations and trends?

I actually think it’s a difficult question…I leverage my partners. I leverage my OEMs, those relationships are critical especially given what we’re doing today, absolutely critical.

As a customer, holding your supply chain accountable to quarterly business reviews and to the same standards that my customers are holding me accountable to as a service provider is top of mind. The other piece too is around affinity teams, affinity groups.

For example in government, there are a lot of counties, cities, and municipalities that are generally part of an affinity organization where they able to talk through some common challenges and goals. That’s an opportunity for us to stay current when it comes to innovations and trends.

But fundamentally, I’m looking to Check Point to help educate and inform me about what threats I need to be positioning for: Your partners, your OEM relationships are musts and you’ve got to hold them accountable to your quarterly business reviews or for ongoing conversations and dialogue.

What measures have you taken in the last 3 months to identify and address new vulnerabilities?

That’s a really difficult question because the biggest challenge that we have in technology is often times the fact that we’re solving the same business problems, but we’re approaching them differently. And so for example, what Check Point gives me is a line of sight into what’s called a single pane of glass.

The past three months have all been around standardization with the Check Point ecosystem. I am effectively consolidating all of these different technology solutions across cloud, across firewalls, across endpoint and moving them into this Check Point unified system, enabling me to have a single pane of glass through which to make informed decisions.

The cornerstone concepts underpinning which measures have I taken the last three months are no different from those that will support Kern County in the next three months and in the next three years. On a fundamental level, in order for organizations to address the vulnerabilities, you’ve got to have a strong partner ecosystem and you have to be on-point with your tools and how you’re disseminating information. And if you have different types of solutions for different purposes, then all you’re doing is contributing to technology sprawl. So with that, my solution is that I’m leveraging Check Point heavily to help me manage how we’re going to be able to respond to and address existing and new vulnerabilities. 

What kinds of unique security considerations has Kern County had to work around?

Listen, I believe we have more similarities than differences. Security is a universal threat. Government is generally a target that gets more press because of its public-facing nature. And it’s generally targeted because historically, at least compared to the private sector, it’s not as well-funded and or as well-invested. So, unique security considerations really boils down to making sure that we approach security management from a perspective of what’s actionable, what’s repeatable and what’s measurable. It’s just that the optics and the visibility in government is different than that of private sector and we just have to be even more deliberate with how we respond to and manage ongoing threats.

How do you hold vendors/partners accountable for their security?

 It’s a relationship. They’re not going to be my vendors and my partners for long if we don’t have a relationship. That’s key. So, there are a couple of ways I would look at this: From a legal point of view, we always have our contractual vehicles with memorandums of understanding. But ultimately, it’s on us as the customer to make sure that we have those proper controls in place. So again, I go back to holding your supply chain accountable to service levels; making sure that they’re helping you keep your finger on the pulse of what’s new, and then you’re holding your team accountable and making sure you’re keeping your finger on the pulse of that relationship. It’s a relationship first and foremost and if you don’t have a relationship, then how can you honestly hold them accountable, and how can they honestly hold you accountable, and how can you honestly have a partnership, right?

What security concerns are current roadblocks to new initiatives in Kern County?

Alright, so I have two answers for that. You’ve got the regulatory issues around HIPAA around PII while you have the different agencies saying that my data is unique, and I’m not able to share.

The other layer that’s a roadblock to new initiatives in Kern County, specifically around security, is the fear of the unknown. Anytime you preface something with security, naturally the logical thinking is ‘this is a control. I’m going to be prevented from doing something that I’m already doing today’, or at least that’s the prevailing thought. So we have to get into your previous question around how to gain buy-in. Security is a means to an end. People will be far more accepting of the risks, and then the compromises that you’ll have to make with security if everyone agrees to a business problem you’re trying to solve.

Ultimately, there are two elements; there are the legal ramifications around ‘hey this is my identity’, ‘how do I protect my identity?’, ‘how do I make sure it’s secured?’ And then there’s the other piece around ‘okay, now that we’re talking about different security initiatives, how do I make sure that from my perspective, I’m gaining and I’m not losing as a business owner?’

 Just to assist other CIOs or CISOs in benchmarking, in the event of a business disruption, what might your forecast look like regarding recovery time?

That’s part of the overall security playbook development process. I can tell you we have very extensive security playbooks across both customer interactions as well as global interactions. I can say that we’ve made tremendous investments in high availability in recovery, and just general awareness, but for other CIOs and CSOs out there when it comes to benchmarking, you have to get in the rhythm of testing.

Whether you test bi-annually or annually is up to you, but you have to do a test in order for you to obtain benchmarks. The whole definition of benchmark is ‘here’s generation one’ and ‘how can we improve or how can we gain from gen one’. You have to do some type of repeatable process around that. And so my recommendations to others is ‘don’t worry so much about your recovery time today. Worry extensively about where you are and then how to improve from there’.

Anything else that you wish to share with the Cyber Talk audience

Everyone’s talking about security. Everyone has different interpretations of security. But fundamentally, for me, security’s defined as ‘how you would you react if it were your family member being compromised’.

I think if you approach it from that perspective of ‘hey it impacts me’, then it’s no longer a “transaction”. I think that’s going to inform our approach to how we’re going to be able to manage this. In addition, the way to manage this, quite frankly, isn’t a scenario where I have to be the smartest person in the room. It takes a village. And the reason why cyber security firms like Check Point exist in the world is because you guys are the subject matter experts. I’ll be the first one in my leadership team to tell them, ‘hey, we need to defer to our experts and make our decisions based on their information. So, that’s really the key way in which we’re going to be able to really help mobilize our response to security; we need to make sure that we understand that it takes a village. It takes a village to help manage outcomes and help manage how we’re going to succeed with this moving forward.