This episode of the Tyler Tech Podcast features Ryan Jacobson, manager of software engineering, and Sonya Newell, team lead in cybersecurity at Tyler Technologies. They discuss how artificial intelligence is transforming cybersecurity — creating new opportunities for defense while introducing fresh risks for public sector agencies. The conversation explores the evolving threat landscape, from ransomware and zero-day vulnerabilities to AI-generated phishing and voice scams. Tune in to hear how leaders can build awareness, adaptability, and a strong security culture to stay resilient in an AI-driven world.
In this episode of the Tyler Tech Podcast, Ryan Jacobson, manager of software engineering, and Sonya Newell, team lead in cybersecurity, join the show to discuss the changing nature of cybersecurity and the growing impact of artificial intelligence (AI).
Ryan and Sonya share how threats like ransomware, zero-day vulnerabilities, and legacy technology continue to challenge public sector agencies, especially as more services move to the cloud. They also explain how AI has lowered the barrier for attackers to create sophisticated phishing and voice scams, while at the same time giving defenders new tools to monitor, detect, and respond.
The conversation underscores why resilience is about more than just technology — it requires awareness, adaptability, and culture. By asking the right questions, starting small, and reinforcing strong internal processes, public sector leaders can take meaningful steps toward strengthening cybersecurity in an AI-driven world.
This episode also highlights the advantages of cloud infrastructure and how it is transforming the public sector. From reducing technical debt and streamlining operations to creating the flexibility to adopt AI and other emerging tools, the cloud provides a smarter, more resilient foundation for modernization, security, and innovation. Explore our resources in the show notes to learn how governments can maximize long-term value and take the next step toward a future built to adapt.
Ryan Jacobson: Anyone can create a fancy email that sounds very believable, and you can have voice generated phone calls. So, it’s a different landscape than before when the emails are maybe formatted a little weird. You didn’t recognize the voice. All that goes away with AI.
Josh Henderson: From Tyler Technologies, this is the Tyler Tech Podcast, where we explore the trends, technologies, and people shaping the public sector. I’m your host, Josh Henderson. Thanks so much for listening.
The month of October marks Cybersecurity Awareness Month and we’re bringing you a special two-part series recorded live at Tyler Connect 2025 in San Antonio.
In part one, I’m joined by Ryan Jacobson, manager of software engineering, and Sonya Newell, team lead in cybersecurity at Tyler. Together, we explore the rapidly evolving cybersecurity landscape and the growing role of artificial intelligence, both as a powerful tool for innovation and as a force reshaping risk. We’ll also look at what this means for public sector agencies and why resilience, adaptability, and organizational culture matter more than ever. Let’s get right into it. We hope you enjoy.
Alright. Sonya, Ryan, welcome to the Tyler Tech Podcast, and thank you both for joining me. Let’s start by setting the stage. What are some of the most pressing cybersecurity challenges public sector agencies are facing right now?
Sonya Newell: So, one of the key risks right now that all agencies face is ransomware, phishing. People are the primary target, and they’re usually the weakest link. So, there’s a lot of that going on. The other thing is zero-day threats. You don’t obviously know, you know, what could go wrong with some of the systems you have. And the other targets that are really big are the Internet of Things, you know, a lot of legacy technology.
Ryan Jacobson: And then with AI, the social engineering, the phishing, it enables all those things. The bar goes lower. Anyone can create a fancy email that sounds very believable. You can have voice generated phone calls. Now I sound like Josh all of a sudden, and I trust a phone call from Josh. I hear your voice. So, it’s a different landscape than before when the emails were maybe formatted a little weird.
You didn’t recognize the voice. All that goes away with AI.
Josh Henderson: Before we kind of move forward, I wanted to get you both to kind of define this idea of zero-day vulnerabilities or zero-day threats.
I know from my perspective, it’s something that I wasn’t necessarily super familiar with, so I just wanted to get some more insight on that.
Sonya Newell: Well, when you’re developing an application, there are things that can slip in that you may not be aware of, and users may not be aware of it. The organization may not be aware of it. And then someone somewhere may actively be trying to get into these types of systems, and it’s not announced. So, something will happen on a zero-day. And I think there’s actually a series out called Zero Day on one of the channels, but it’s something that’s out there. You don’t know what it is, and it’s taken advantage of before people can respond.
Ryan Jacobson: You’ve got teams of people, both the good people and the bad people looking for those things. And the good people can make money finding these things. And the bad people are also trying to make money by selling the idea of these things. So that’s what people are looking for to break down a system because nobody knows about it.
There’s no defense.
Josh Henderson: It’s a tricky situation. Absolutely.
Now, I mean, speaking to that point a little bit, how have these threats changed over the last few years, especially as more agencies move services online and adopt these sorts of modern technologies?
Ryan Jacobson: I mean, the biggest thing is everything moving to the cloud. You no longer have that perimeter where I’ve got everything in house. I’ve got my barrier set. You can only get to it when I’m in town hall, and now everything’s in the cloud.
And so, you’re relying on your authentication to say, hey, I’m me. So, you got to have your multifactor in place, some monitoring, hopefully, to say, hey, why are you logging in from Guam today where you were in Maine yesterday?
So, all those kinds of concepts of tracking, who’s accessing what from anywhere, the cloud.
Sonya Newell: You know, and similarly, you know, configuration. When you think about configuration and systems, there may be things that you may not have needed to put into place a couple of years ago or they may not have been available. So, you got to keep current on the current trends in the software you use, the systems you use, and just make sure that you’re on top of patching. Another big thing.
Josh Henderson: Making sure software’s up to date, making sure you’re not missing any sort of gaps along the way.
Ryan Jacobson: Keeping up with training, like, it’s a different training.
Like, the skill sets on prem versus files are slightly different. It’s the same ideas, but it’s just a different mindset of how you’re securing those things. Yeah. You know, as opposed to having it all under your desk or whatever it was, you know, your server room. It’s just a different mindset, different skill set, but same concepts.
Josh Henderson: AI has quickly become part of the conversation as well, and not just for defenders, like you’re saying earlier. How is AI being used today in both cyber-attacks and defense efforts? So, like, on both sides of the coin, how would you say it’s being used as a technology?
Sonya Newell: So, you think about defense. You can use AI to analyze traffic that’s coming to your organization, different tools implement that. I think when you’re talking offense, it’s a different world in some ways.
Ryan Jacobson: Yeah. I mean, the defense is always in any sport, and AI attacks the same. Offense always, I don’t want to say they always win, they always have the advantage.
You know, they’re always a step ahead. They know what they’re planning on doing. So, defense is always lagging because they’re trying to react to what the offense is doing. So, you’re always playing that kind of catch up game.
And that’s what they say. You know, AI, in our opening session, they talk about the pace of change is just growing rapidly.
So, the pace of defense has to grow at that same pace. And it’s just challenging. You know, like I said earlier, the bar is so low now for someone to do something sneaky. It’s incredible.
Josh Henderson: As a basketball fan, I hear defense wins championships a lot. So, I don’t know if that extends to the world of cybersecurity, but it sounds like it might a little bit.
Sonya Newell: I mean, when you think about it too. Right? AI has advantages. So, if you’re a small organization and you use it, you can get a lot more done. But you’re also defending against countless other organizations out there that may be nefarious that are using it too.
Josh Henderson: Now there’s a lot of excitement, also a lot of caution around AI. There’s still a lot that we do not know, and the evolution has been so rapid that it’s hard to kind of keep up with.
What should public sector leaders keep in mind as they consider AI-powered cybersecurity tools?
Ryan Jacobson: I mean, with any AI, whether it’s their defensive tools or how they’re using it internally, you just have to know where that data is. You know what I mean? Because, like, ChatGPT, you type your password in there. Now that’s part of the Internet.
You know what I mean?
It’s no different than a Google search. And so, we always say the first thing is realize where that dataset is. So, like, Copilot is a perfect example of where it’s following the same rules as your email. So, if it’s safe in your email, it’s safe in Copilot.
So, there’s always that, you know, with these AI tools, Tyler included, like, you ask those questions. You know, where is my data going? Does anyone else have access to it? Is it becoming part of a bigger model?
Those are the things that people have to think about now because this, you know, it’s all part of when big data started. You know, it’s like where is this data? And where is it going and who’s using it? Who has access?
Sonya Newell: I think along those same lines, I mean, you may know where your data is, but if you work with third parties, are they using AI? What are their policies like? How is your data being used by a third party that legitimately has access, but may be sharing it with fourth parties?
Josh Henderson: I think the rule of thumb I’ve heard is that, like, if it’s something that you don’t want shared broadly on the Internet, it’s probably not best to share with the generative AI tools.
Ryan Jacobson: Which is, again, the case in ChatGPT because it’s out there. But if you’re doing things in Copilot, that’s okay. You’ve already got your list of Social Security numbers in your Excel sheet. If you say, hey, do a pivot table of the socials by this, that’s fine, you know, because it’s all protected by Microsoft’s rules as governing your instance of 365.
Josh Henderson: Stay tuned. We’ll be right back with more of the Tyler Tech Podcast.
Every day, public sector leaders are rethinking how technology supports their communities.
Jade Champion: And more than ever, they’re finding the answer in the cloud.
Josh Henderson: From streamlining operations and reducing technical debt to creating the flexibility to adopt AI and other emerging tools, cloud infrastructure is transforming how governments deliver services.
Jade Champion: It’s not just about migrating systems. It’s about building a smarter, more resilient foundation for modernization, security, and innovation.
Josh Henderson: At Tyler, we understand how governments are making that shift, the trends driving adoption, ways to maximize long term value, and the steps to make your journey a success.
Jade Champion: Check out the resources in our show notes to learn more about the cloud advantage and how you can take the next step towards a government that’s built to adapt.
Josh Henderson: The future of government is in the cloud.
Now let’s get back to the Tyler Tech Podcast.
And now with attacks kind of growing more sophisticated, day by day, how can agencies take a more proactive approach to defending against the innovation that’s happening on the cyber-criminal side of things?
Sonya Newell: You know, you know what you do well internally.
And if you know that you need help in some areas, look for organizations to help you. I think that’s a really big thing. It’s hard, I think, for a lot of small organizations to have 24/7 monitoring. And you’re often behind the eight ball if you, you know, don’t have a 24-hour SOC. It’s a big deal.
Ryan Jacobson: And a lot of it comes down to just awareness training. You know, sadly, the weakest point of almost anyone’s organization is their employees.
They just have to be aware what to think of, what to look for, what are those patterns or things that someone’s trying to get me to do. You call me. It sounds like Josh. I trusted it as Josh, but you’re asking me for iTunes cards for some amount.
It’s like, well, does that make sense? Like, can I reach out in Teams? Okay. Do you use another method?
So, like, what are those things, like, when the story doesn’t seem right, you know, where my other avenues to reach out to someone because, like, you seem weird to say, but you can no longer trust just a phone call.
Josh Henderson: That trust element is definitely a big factor.
Sonya Newell: I think that’s where your internal processes come in as well. When you think, for example, you’ve got an accounts payable department, accounts receivable department, there are verification procedures for a reason. And what leadership can really do is reinforce to their staff that this is what we want you to do. If someone says they’re me or if, you know and I call you to say bypass this, that’s a red flag.
Josh Henderson: I think that’s great advice and a great approach, thinking about how other folks get authentication from folks.
Now, at Tyler you obviously both work closely with clients and teams across the country. Are there any real-world insights or lessons learned you can share or highlight about successful resilience and what that looks like in action?
Sonya Newell: No organization will ever have every control perfect.
But it’s not always a good thing to say we’ve never been attacked because what we often find is you have, and you just don’t know yet. And that’s the reality. I think part of it is accepting that there are going to be weaknesses and figuring out how to bolster your controls to minimize those. I think the other thing that I’ve learned is, it’s very difficult sometimes for change to be brought up from, you know, your core staff up to leadership and whatever can be done to have leadership proactively engage their staff to show their support in putting in some of these changes that will really protect their environments. Like, having management support, things like multifactor authentication.
Yes. It’s an extra step. It’s not fun. But in the long run, that’s going to prevent a lot of work down the road.
Josh Henderson: From both of your perspectives, for agencies who want to strengthen their cybersecurity posture, where should they start? What frameworks or approaches can help guide them, without really needing to start from scratch necessarily?
Sonya Newell: Oh, well, you know, I think the biggest thing is frameworks are a one size fits all, but you can make frameworks work for you. The biggest thing is the National Institute of Standards has the cybersecurity framework. They just released 2.0. I think it was 2024. So, I mean, that’s a big piece of it. A lot of states also align with it, so it’s very recognized.
Other things that people can look at if you get a small organization might be, I think it’s CIS controls – CIS. They’re a good place to start. But, I mean, the reality is you’re always going to start from wanting to understand what you currently do today and what your risks are. So even before you start mapping out a framework, you want to know what your risks are so you can take a look at how you can improve in those areas.
Ryan Jacobson: And, you know, to piggyback on what she said, a lot of times if someone’s doing nothing, we just want to start with a conversation. You know, what are your concerns? What are you doing today? And just going from there because some organizations are doing a lot, and it’s great to hear. And other organizations, I don’t want to say they’re not doing anything, but very little. And so just having that first conversation is really where we’d like to start just so we can kind of guide what we can do for them or suggest for them.
Josh Henderson: I do hear that a lot on the show, right, where it’s like take the small steps you need to then, you know, find that success in the long run.
But, yeah, you have to start somewhere. And, yeah, no matter kind of where you start, it’s going to be helpful.
Ryan Jacobson: You know, in some site, like, you know, it’s like this game where there could be a thousand things that you need to do to have this situation that’s 99% safe. But if you did four of those, you’re at 95%. You know what I mean? And so, it’s like this, you know, you got to pick and choose what you can do and what your organization consume.
You can turn on everything at once because now business isn’t getting done. So sometimes, yes, we need to turn these on, but we need to change these processes first. So, start, yeah, start small. Start small.
Josh Henderson: Now as you both look ahead, I know we can’t predict the future, obviously, when it comes to cybersecurity. But how do you see the cybersecurity landscape continuing to evolve? And what should public sector leaders be preparing for today in your opinion?
Sonya Newell: I mean, the reality is there’s still a lot of legacy technology out there. And that’s going to be where your core investments are going to be in the next, you know, five to ten years. So, really understanding what your weaknesses are in that area and looking at, you know, what current technology we have and how that can bolster your defenses.
Ryan Jacobson: And I think kind of back to the training thing, make sure at some level, both your IT staff that should be trained, but also investing in your employees and making sure they’re trained and just try to keep up with those things, get involved with the right programs that are keeping up for those things for you so you don’t have to be informed, like, this program you’re using for your employee training is getting updated each year. Because, really, a lot of stuff we see, had someone known, they probably would have seen the signs. You know what I mean? Or known to do something a little different. And a lot of them, they’re just not aware.
Josh Henderson: Like, you definitely don’t want to, to your point, not be aware of something, and then suddenly, you’re dealing with a major issue.
Yeah. That sounds not ideal. So, to kind of wrap things up, for leaders listening today who want to take action, what would be one piece of advice you’d offer to help them strengthen cybersecurity or build that sort of resilience within their systems starting today, starting now?
Sonya Newell: Ask questions. I mean, really try to understand your environment and where your staff may be struggling. And they may just be doing things that they’ve done for years.
And sometimes just proactively asking, you know, “What’s your pain point today? What’s preventing you from getting other stuff done?” can give you a lot of insight.
Ryan Jacobson: I agree. It’s really just asking those questions like, what are our critical services? Like, you know, there’s certain things that our clientele needs to keep online 24/7, so we pay attention to that. You know, what it was impact if our town website goes down?
Is that the end of the day? Maybe it is, maybe it isn’t. If that’s where our 911 information is, that is a big deal. So, like, understanding where the critical touch points to their constituents are, so that’s how they’ll get support when the citizens can realize, oh, yes, we need to spend effort on this because it ensures this. They’ll get by, and then it all works out because you’re getting the constituents behind it and getting the support they need.
Josh Henderson: I think it all comes down to just being proactive when it comes to cyber resilience.
Well, Sonya and Ryan, thank you both so much for sharing your expertise and insights today.
I really enjoyed having you both on the podcast.
Ryan Jacobson: Thanks, Josh.
Sonya Newell: Thank you.
Josh Henderson: As we heard today, cybersecurity continues to grow more complex, and artificial intelligence is accelerating that change. But with change comes opportunity.
Public sector leaders can use this moment to build cultures of awareness, adaptability, and shared responsibility.
Ryan and Sonya highlighted why keeping people at the center, asking the right questions, and starting small are key to building resilience in an AI-driven world. This conversation is just part one of our Cybersecurity Awareness Month series.
In part two, out in just a couple weeks, you’ll hear from Tyler’s Tim Walsh on how agencies can strengthen their teams and empower their workforce to play an active role in cybersecurity.
Check out the show notes for more resources and we’d love to hear your feedback. Fill out the listener survey linked in the notes or reach out anytime at podcast@tylertech.com. And be sure to subscribe, rate, and review the show so you never miss an episode. For Tyler Technologies, I’m Josh Henderson. Thanks for listening to the Tyler Tech Podcast.