April 5, 2014

Interviews with top state government security leaders: CIO/CSO profile for Delaware

We can learn from front-line government experts who are 'in the arena.' Delaware is raising the bar for the nation in many areas of cybersecurity.

Delaware CIO Jim Sills with CSO Elayne Starkey 

A few years back, The Center for Digital Government presented a few select government leaders each year with an “In the Arena Award.” The award recognized IT leaders who “strive for greatness, whose devotion and enthusiasm have earned them a place in the arena.”

You may be wondering: Why did they call the award “In the Arena”? The original concept came from a famous Theodore Roosevelt speech entitled “Citizenship in a Republic,” delivered in 1910 at the Sorbonne in Paris, France.

"It is not the critic who counts, not the man who points out how the strong man stumbled, or where the doer of deeds could have done better. The credit belongs to the man who is actually in the arena; whose face is marred by the dust and sweat and blood; who strives valiantly; who errs and comes short again and again; who knows the great enthusiasms, the great devotions and spends himself in a worthy course; who at the best knows in the end the triumph of high achievement, and who at worst, if he fails, at least fails while daring greatly; so that his place shall never be with those cold and timid souls who know neither victory nor defeat."

Introduction to interviews with Delaware’s CIO and CSO

We are continuing a series of interviews with state and local government CIOs and CSOs from around the country. We started this series two weeks ago in Mississippi. The goal is simple: To listen to their words and learn from their ideas and actions.

Delaware’s Chief Information Officer (CIO) Jim Sills and Chief Security Officer (CSO) Elayne Starkey are two excellent leaders who are certainly “In the Arena.”

Mr. Jim Sills joined Delaware Government with extensive private sector experience. Mr. Sills was the Founder and President of i9Direct, an employee eligibility firm based in Wilmington, DE. Prior to starting his own company in 2007, Mr. Sills was an Executive Vice President of MBNA America Bank (now Bank of America), the largest credit card institution in the world. In this capacity, he served as the Director of Corporate Technology Solutions for the $80 billion US Card Division.

I had the pleasure of speaking with Jim at length at last year’s NASCIO Annual Conference in Philadelphia, and I was very impressed with his vision, energy, knowledge and passion for public service in Delaware. The mobile applications being deployed in Delaware Government are surely a national best practice. Last month, Jim Sills was selected as a 2014 Top 25 Doer, Dreamer and Driver by Government Technology Magazine.

Ms. Elayne Starkey is a widely recognized security professional with extensive leadership experience in cybersecurity. She has been known as a pioneer on technology and cybersecurity topics ranging from employee security awareness programs to state government BYOD and cloud computing programs.

Elayne has a kind, engaging personality with extensive business and technology knowledge – a combination which is rare today. This MS-ISAC spotlight interview from last year with Will Pelgrin provides you with more of her background and personal interests. I have been honored to serve with her as co-founders in the MS-ISAC mentoring program.

In March 2014, Elayne testified on cybersecurity activities before the US Senate Committee on Homeland Security and Governmental Affairs.

Interview with Delaware CIO - Mr. Jim Sills

Dan Lohrmann: Tell us about your scope of responsibilities as CIO of Delaware. How important is information security to Delaware's strategic plans?

Jim Sills: In Delaware, the CIO is also an appointed member of the Governor’s Cabinet and has the formal title of Secretary of the Department of Technology and Information (DTI). The State of Delaware is a large organization with an annual budget of over $3.4B and nearly 15,000 State employees in the executive branch. DTI is responsible for delivering a full range of information and communication technology services to the sixteen (16) departments within the Executive, Judiciary, and Legislative branches and K-12 School Districts, totaling approximately 33,000 employees.

Delaware state government is different than most others because it is uniquely consolidated and centralized. Most state government IT agencies provide oversight for CIOs and CISOs located within individual organizations. DTI is solely responsible for Delaware state government’s network and consolidated email system. As such, my primary responsibilities are protection of state data and infrastructure and along with this network awareness, training and outreach on cyber security. Focus areas in our strategic plan include continuous improvement of internal controls and partnering with our vendors and employees to improve their knowledge and awareness of cyber vigilance.

Dan: What keeps you up at night regarding cybersecurity?

Jim: Never before have CIOs had to protect so many devices, apps and hardware, against a relentless and sophisticated cyber criminal network. Today’s hackers and “bad guys” are targeted, well informed and have more tools than ever at their disposal. We are the stewards of our citizens’ most valuable information and what keeps me up at night is how do we keep pace with new and emerging technologies in order to keep the “bad guys” away?

Dan: How has security changed throughout your career? Is it more important today with mobile computing and the cloud security challenges?

Jim: Having spent many years in the banking industry, cybersecurity has always been in the forefront of my thoughts and responsibilities. In the past breaches were more “under the covers,” and today this issue is more important and more visible than ever before. It seems that nearly every day there is another news account of a breach or a scam and for IT leaders and security professionals, this issue never is far from my mind.

While we have better tools and training than we did 15-20 years ago, we also face more public scrutiny. Nearly every state has public notification laws on the books and we have detailed policies for documenting, investigating and resolving breach issues in Delaware. A team approach is the only way to focus on these issues and it’s critical to partner with national vendors, federal partners and local organizations to stay ahead of the curve.

Dan: Is cybersecurity given a high priority in Delaware? How does cyber get attention with so many competing projects and Governor Priorities?

Jim: We are fortunate to have a cyber-savvy Governor and Congressional delegation who are knowledgeable and aware that our network infrastructure is every bit as important to protect as our transportation and utility systems. Like Michigan, we are proud of our reputation for being a leader among states when it comes to cyber education, awareness and outreach, far beyond the realm of state government itself. Our CSO Elayne Starkey is an avid cyber safety ambassador and her enthusiasm has created partnerships with our educational institutions, local governments, our business leaders and nationally recognized cyber education and training programs.

Ninety-eight percent of our Executive branch employees have successfully completed annual online cyber safety training. We continue to grow the nationally-recognized Delaware Security Awareness and Training Program by adding new training offerings for state employees and finding creative ways to improve our security posture and strengthen the weakest link — our PEOPLE. Promoting awareness of cyber security risks increases our ability to defend ourselves and protect state data and infrastructure.

DTI shares our staff’s knowledge and expertise in the area of cyber safety and awareness. Starting small several years ago, with a few activities to mark national Cyber Security Awareness month in October, DTI now has a robust public outreach program, not only for state employees, but for students from elementary school through college, senior citizens via lifelong learning programs, and Delaware’s citizens at large. We are one of only six states to host a Governor’s Cyber Aces Championship which concluded on March 29th with three young cyber sleuths splitting $10,000 in scholarship money. These are just a few of the ways we extend our cyber security awareness beyond the realm of government only.

Interview with Delaware CSO - Ms. Elayne Starkey

Dan: Tell us about your scope of responsibilities as CSO in Delaware.

Elayne Starkey: Well the short simple answer is, “Prevent Breaches!” I am responsible for executing the governance plan for Delaware’s enterprise-wide Information Security and Business Continuity Program. I lead the effort in Delaware to make cybersecurity everyone’s responsibility, by fostering a climate of ownership for the confidentiality, integrity, and availability of our information assets.

Dan: What’s hot right now regarding your role? Where are you spending your time to protect your state government?

Elayne: The next major event that my team is preparing for is our 5th annual statewide Cyber Conference. This is a day-long education workshop which will bring together state and local governments, law enforcement, military, higher education, healthcare, and other critical infrastructure providers. I invite any of your readers to join us on May 6! Register here.

The other area that has seen an uptick in activity is Cloud Computing. Delaware has embraced the Cloud model as a credible alternative to traditional IT delivery models. We are seeing benefits including cost savings, enhanced scalability, agility, and rapid delivery. However, it also reduces control and introduces new risks that need to be managed. The decision to turn over data to a third party is not one we take lightly, which is the reason we developed a specific set of “Cloud and Offsite Hosting Terms and Conditions”. This has been used extensively as part of our business case vetting and has become a useful tool to dialogue with the vendor.

Dan: You have been known as an innovator and leader in the area of security awareness and training for your staff. You even wrapped a bus with security messages (see picture below). What are you doing now regarding security awareness? How are you training technical staff?

Delaware Cyber bus

Elayne: Cyber Awareness, Education, and Training has been the cornerstone of Delaware’s program since its inception. Our campaign is active throughout the year with newsletters, training sessions, and lunch ‘n learn workshops. In October, as part of National Cybersecurity Awareness Month, we ratchet up the program by adding many more education and awareness opportunities, employee scavenger hunts, TV and radio advertising, and yes, even wrapping Delaware Transit buses with eye-popping cybersecurity messages. This literally becomes a moving billboard, carrying the Internet Safety message to 50,000 motorists each day. And every year we offer an upbeat multi-media presentation on Internet Safety to Delaware elementary schools. Thanks to an army of volunteers from my Department, other state agencies, Dover Air Force Base, and Verizon, we have reached over 25,000 fourth graders over the last 7 years.

Dan: Do you have enough talent in the cybersecurity area? How are you attracting and keeping cyber talent?

Elayne: This is definitely a challenge, and we are doing a number of things to attract and nurture the next generation of cybersecurity professionals. Together with the Council on Cybersecurity and SANS Institute, we are planning our 5th annual summer US Cyber Challenge, a week-long, intensive camp filled with specialized security training. Governor Markell has proposed building a collaborative research and learning network that leverages the public sector, academia, and the private sector. Ultimately, this will help build a skilled cyber workforce that will serve as a pipeline both for the State of Delaware and our businesses, and a hub for cyber innovation.

Dan: My thanks go out to Jim Sills and Elayne Starkey, two outstanding technology and cybersecurity leaders, for their participation in this interview series. Delaware Government, NASCIO and the MS-ISAC are fortunate to have them in these important technology and cyber leadership positions.


This series will continue in a few weeks with a look across the border from Delaware to see how cybersecurity challenges are being addressed in Pennsylvania.