May 17, 2014    /    by

Cyber leaders in government: An interview with the Nevada CIO and CISO

David Gustafson and Chris Ipsen offer experience, vision and proven information security leadership.

Nevada CIO and CISO

Nevada CIO David Gustafson (right) and CISO Chris Ipsen (left)

There are many great quotes on leadership. Here are a few:

- A leader is one who knows the way, goes the way, and shows the way. — John Maxwell

- A leader is best when people barely know he exists, when his work is done, his aim fulfilled, they will say: we did it ourselves. — Lao Tzu

- Before you are a leader, success is all about growing yourself. When you become a leader, success is all about growing others. — Jack Welch

I was fortunate to hear some excellent speakers at the Great Lakes Homeland Security Conference in Grand Rapids this past week. One workshop presenter’s example on leadership really stuck with me.

Mark McCain, Principal Consultant, Public Works Emergency Management Services, quoted Rear Admiral Grace Murray Hopper. She once said: “You manage objects, but you lead people.”

And in times of emergency or when the going gets tough, we need motivational leaders more than ever to take our teams to the next level. I believe we are in such a time right now in the field of cybersecurity. The need for effective leaders in the public and private sectors has never been greater.

Background on CIO/CISO Interview Series

We are continuing a series of interviews on the topic of cybersecurity with top state government leadership from around the country. I am interviewing Chief Information Officers (CIOs) and Chief Information Security Officers (CISO) from leading state and local governments, because these executives run the programs and set the priorities that get things done to protect sensitive citizen data.

This blog series started in Mississippi back in March, and we continued last month in Delaware and later moved next door to Pennsylvania.

Now we head west. Nevada state government technology is led by CIO David Gustafson. David has a wealth of experience in technology and business, previously serving as MIS Manager for Dunn Companies, holding multiple management roles for Microsoft and Program Manager for Alere Medical, prior to joining Nevada government.

Mr. Gustafson is a certified project manager with the Project Management Institute (PMI). He leads people with a sense of humor and a calm, confident demeanor. David is the current Secretary-Treasurer for the National Association of State Chief Information Officers (NASCIO), and he has spoken at numerous conferences and technology events throughout the country.

I have enjoyed working with and listening to David on NASCIO panels and working groups, and he always brings both his extensive expertise to discussions, along with a fun twist that keeps the audience’s attention and maintains interest.

Christopher (Chris) Ipsen is Nevada’s respected Chief Information Security Officer (CISO). He has been a national leader in information security in government for many years, and his presentations have been heard all over the USA - from the RSA Conference to the National Association of State CIOs (NASCIO) events to MS-ISAC meetings.

Whether Chris is briefing a Nevada Commission on Homeland Security or reviewing controls for the National Commission on Cybersecurity, his expertise and professional guidance is highly sought after by technology and information security professionals all over the country.

Chris also has a very fun, outgoing style which makes him a popular choice for webcasts and expert panels and working groups on MS-ISAC cybersecurity topics. I have thoroughly enjoyed getting to know Chris over the past decade, and I view him as a top go-to expert on numerous computer security and technology management topics.

Nevada CIO Interview:

Dan Lohrmann: Tell us about your scope of responsibilities as CIO of Nevada. How important is information security to NV’s strategic plans?

David Gustafson: My responsibilities as the Nevada State CIO are pretty comprehensive and includes everything from the state network, mainframe, all the way to desktop support. We pretty much cover it all in one way or another with some of our IT services centralized and some decentralized. With that in mind, information security is a part of every decision I make and every policy I implement. It is really that important to me. In fact, when I first joined the government over five years ago, the security group was having a hard time fitting in with the other operational units. Since the 'bad old dark days', I think we have been very successful at bringing all of the teams together driving enterprise, customer focused solutions that incorporate information security.

Dan: What keeps you up at night regarding cybersecurity?

David: When it comes to sleepless nights, cybersecurity is definitely at the top of the list. I don't worry that much about the known threats, it's the unknown vulnerabilities that worry me most. A few years ago, I was having a conversation with our Governor and I told him that one of my concerns was the fact that our security folks operate during normal business hours and most of the bad guys know that and take advantage of the lack of after hour support. I recommended we build a high-performing, automated response capability to address the ever increasing cybersecurity threats. That conversation was really the genesis of our move to centralize information security in a meaningful way.

Dan: How does Nevada include security in projects that involve big data, mobile computing and the cloud computing?

David: One thing I think we have been successful with is getting security involved in all of our projects from the beginning irrespective of their type. I learned that lesson early on in my professional career and believe we have done a pretty good job infusing the security team into all of our projects.

Dan: How does cybersecurity get attention with so many competing projects and other executive priorities?

David: I believe cybersecurity projects are an aberration actually because in the normal world of politics, information technology projects usually end up with a low priority, yielding to service areas that directly affect the voting population. However, one thing I have learned from my State service is that all politicians respond to political threats, and in this case, the loss of data or cybersecurity breaches have had a noticeable impact on elections. Thus, now a days, they get prioritized just a little bit higher because of the damaging effect they can have on elections.

Dan: Any cybersecurity success stories you can share?

David: I think we have a really good story to tell about how we have been able to reduce the number of reported monthly security incidents by as much as 80% implementing these four simple security controls: application whitelisting, least privilege user credentialing, and automating operating system and 3rd party application patching. We have elected to do this through an enterprise Symantec solution and I am really proud of what the security team has done to lower our overall risk profile.

Interview with Nevada CISO

Dan: Tell us about your scope of responsibilities as CISO in Nevada.

Chris: Like David Gustafson, our state CIO, I have statewide responsibility for the Executive Branch that includes the Constitutional Officers. At the core of the state enterprise we have an Office of Information Security with 8 members working primarily on enterprise security systems, monitoring, and incident resolution. At the agency level we have agency Information Security Officers reporting into the enterprise. I have responsibility for state security policy and for incident monitoring and resolution. We have about 17000 state employees. Nevada is unique because of its large geographic area and its large metropolitan areas in the southern part of the state, Las Vegas, and northern part of the state, Reno/ Carson City. We have over 3 million miles of communications infrastructure.

Dan: What’s hot right now regarding your role? Can you share some key projects that you are working on?

Chris: It's not new but we're working on a statewide continuous monitoring (CM) and validation program that includes the state, the counties, and the cities. I'm really excited about the level of collaboration we have at all levels of government and the movement to standardization of infrastructure monitoring. I think that Nevada was the first state to have continuous monitoring mentioned in state law, about 4 years ago, and we've been working diligently to deploy CM statewide ever since. We’re trying to leverage our collaboration to the maximum benefit of the state. Other areas that I am keenly interested in are automation and the quantification of security metrics. With some levels of standardization and monitoring we're beginning to see the security controls and technologies that have the most impact.

Dan: You are a recognized leader in cybersecurity. How has cyber changed during your career? What highlights can you share?

Chris: I think the culture has changed from having to perpetually advocate for cybersecurity to developing strategies for the complex threats we are facing. Six years ago we had to build a strong case for everything we did with a small hope of receiving funding. Now, our challenge is to respond to cybersecurity threats while concurrently building the necessary infrastructure to protect critical citizen data.

In terms of successes I am really proud of the dedicated cyber team we have assembled at the state and their commitment to customer service and business enablement. They work through the technical challenges of cybersecurity and bureaucratic challenges of state government, quietly performing at a high level of professionalism. I'm also proud of the senior leadership of the state, most specifically Governor Sandoval and state CIO David Gustafson, for making cyber a priority. At the state Homeland Security Commission, actively chaired by the Governor, cyber security has become the number one priority on the Commission's annual list.

Dan: What are you doing now regarding end user security awareness? How are you training technical staff?

Chris: During the economic downturn awareness was one of the areas hardest hit including the loss of a position in this area. As a result, we have put together an online training program that integrates with our human resources training.

With respect to technical staff, we map our training to our enterprise initiatives and try to work training into any enterprise buys we do. That allows us to target our training dollars to defined needs.

Dan: How do you address zero day challenges like the recent Microsoft IE vulnerability (before it was patched)?

Chris: We made an active effort to include application whitelisting software in our enterprise buy of Symantec endpoint security and procured Arellia application whitelisting software statewide. We are also invested in server and endpoint hardening software. Defense in depth, communication, and active monitoring also play a key role.

Dan: Thank you both for taking the time to share your insights on cybersecurity with the nation. Nevada, the National Association of State CIOs (NASCIO) and the wider security community are fortunate to have you serving in your roles.

This CIO/CISO interview series will continue with another CIO/CISO interview in two weeks.