Pennsylvania CIO Tony Encinias (right) with CISO Erik Avakian (left)
For decades, top industry consultants from Deloitte, Unisys, Microsoft and other major technology vendors have come to state governments each year to discuss new programs being deployed around the world within local, state and national governments. Executives share what’s working well, their strategic priorities and areas that need help.
Inevitably, this question comes up: “Where are the best practices? Give me two or three examples of who is doing that (xyz government technology function or business service delivery project) the best.”
In Michigan, we often hear: “Let me tell you what Pennsylvania is doing …”
From identity management to scanning Web applications for vulnerabilities to building a new collaboration portal, Pennsylvania has become a global leader in deploying new technology that benefits government services.
In 2014, that Pennsylvania leadership continues in the area of cybersecurity, and this blog will let you hear the latest executive insights in an interview format with their top government leaders.
We are continuing a series of interviews on the topic of cybersecurity with top state and local government leadership from around the country. I am interviewing Chief Information Officers (CIOs) and Chief Information Security Officers (CISO) from leading state and local governments, because these executives run the programs and set the priorities that get things done to protect sensitive citizen data.
The goal is simple: to listen to the words of CIOs and CISOs and to learn from their ideas and actions. I also hope this series can advance a necessary dialogue and highlight professional qualities in successful leaders.
Meet the Pennsylvania Government Cyber Leaders
Pennsylvania CIO Tony Encinias was appointed as Chief Information Officer for the commonwealth of Pennsylvania by Governor Corbett in December 2012. Mr. Encinias was selected as a 2014 Government Technology Top 25 Winner back in February for his outstanding achievements in state government. Tony comes to his job with a wealth of leadership experience as State Chief Technology Officer (CTO), 20 years as a United States Naval Officer and impressive academic achievements.
I remember first meeting Tony several years ago at a federal cybersecurity event in Washington, D.C. He was the Pennsylvania CTO at the time, and his breadth and depth of technical and professional knowledge immediately impressed me. More than that, I could see that he was a doer (Tony clearly got things done well in government) while displaying a fun sense of humor.
Pennsylvania CISO Erik Avakian, who can be seen in this YouTube video, is a well-respected cybersecurity leader who is sought after by public- and private-sector cyber pros for his opinions and insights. Erik has an amazing wealth of knowledge and expertise. He has too many awards and professional certifications to name, and yet he is very approachable and easy to talk with on any topic. His teams consistently produce outstanding results. Erik is at the top of the list of colleagues I contact to check vendor references, dig deeper on cyber topics or just see how Pennsylvania solves a specific problem.
Here’s the interview:
Dan Lohrmann: Tell us about your scope of responsibilities as CIO of Pennsylvania.
Pennsylvania CIO Tony Encinias: I am responsible for developing and implementing the commonwealth’s overall IT strategy and overseeing all of the Office for Information Technology’s IT functions and operations. These include enterprise contract management, enterprise data center operations, enterprise telecommunications to include unified messaging, application development, enterprise resource planning, the Pennsylvania Justice Network, IT procurement, information security, e-government and enterprise architecture and policies.
Dan: How important is information security to Penn’s strategic plans?
Tony: Security is embedded in the fiber of everything we do from an information technology perspective, from concept to delivery. Security isn’t a function unto itself, but rather a component of every function that we perform. It is also one of the five major goals for agencies to implement as part of the commonwealth’s overall IT strategic plan.
Dan: What keeps you up at night regarding cybersecurity?
Tony: I worry about what I don’t know. We have a very robust information security program in Pennsylvania, in part because we’ve remained focused on we need to do next. But there are so many things beyond our control that we have to be ready to respond to at a moment’s notice. Heartbleed is a perfect example.
Dan: How has security changed throughout your career? Is it more important today with big data, mobile computing and the cloud security challenges?
Tony: The biggest changes I’ve seen are in the sophistication of attacks and the sheer number of them. There’s no question that security is more important today than it was even just five years ago. And the challenges are going to continue to increase with the advent of mobility and the demand for easy access to systems and services.
Dan: Is cybersecurity given a high priority in Penn? How does cyber get attention with so many competing projects and governor priorities?
Tony: We are fortunate to have, in Governor Corbett, a chief executive who understands the critical importance of cybersecurity. His background in law enforcement and as a prosecutor is a big part of that. My boss, the Secretary of Administration, is also a strong advocate. So again, we are very fortunate to have senior leaders in Pennsylvania who “get it.”
Education is key. We meet regularly with department heads and give them “score cards” that show where their agency stands in several areas of cybersecurity. The score card focuses on annual security awareness training metrics, enterprise security assessment metrics to include social engineering, the annual third-party security risk assessment score, Web application security scan score, and PCI scans (if applicable). The scorecard is a really effective way to communicate to agencies how well (or not well) they are doing, and where they need to improve.
Part 2: Interview with Pennsylvania CISO Erik Avakian
Dan: Tell us about your scope of responsibilities as CISO in Pennsylvania
Erik: I lead the Enterprise Information Security Office and am responsible for the overall IT security oversight for security governance, risk and compliance across all state agencies under the governor’s jurisdiction. My office drives overall security governance and strategy, develops and enforces our IT security policies, and ensures our layers of protection are up to date and fortified to prevent the bad guys from getting in. We handle all cyber-related investigations and respond to cyber incidents if and when they occur. We also drive the security awareness program, provide training to agencies and conduct outreach and information sharing with our agencies, our Fusion Center and work closely with third-party entities like the MS-ISAC, US CERT, DHS, and the FBI.
Dan: What’s hot right now regarding your role? Where are you spending your time to protect your state government?
Erik: Well, the NIST Security Framework and NGA’s Call to Action are two areas that we’re really focusing on and I’m a real supporter for both because they’re achievable and focused on doing the right things. So alignment with these two initiatives is key to helping us further mature our security posture. And so this year were enhancing our governance model and putting new things in place like eGRC and DLP across the enterprise. The eGRC piece is huge because it’s going to provide that dynamic enterprise “risk score” and view of security and IT risk across the enterprise – agency by agency. It’s going to provide the avenue to seamlessly tie cyber to business risk across all state agencies, providing dynamic visibility into compliance metrics to IT leaders, with an overarching view up to the governor’s cabinet level.
Dan: You have been known as an innovator and leader in the area of cybersecurity. What are you doing now regarding end user security awareness? How are you training technical staff?
Erik: We have annual security awareness training like most states, but as we all know that’s never enough. It’s really all about changing the culture and mindset – it’s a 365-day-a year endeavor. We’ve rolled out social engineering testing services across all state agencies to help us assess our risk and bolster our end user posture on an ongoing basis. And this year, were expanding our overall security awareness program by providing on-demand, focused security awareness training for specific user groups like our application developers, IT administrators, and mobile device users across the commonwealth. So we’re taking a more focused and targeted training approach for those specific groups. And for the security teams and technical staff, we’ve partnered with several agencies to provide training classes on-site in areas such as forensics and incident response.
Dan: Do you have enough talent in the cybersecurity area? How are you attracting and keeping cyber talent?
Erik: We’ve got an extremely talented security team here in PA and since I took over the role of CISO in early 2010, the core team has remained 100% intact and we’ve actually added a few more stars to the lineup. And we’ve got tremendous executive support from the Governor’s Office, our Secretary and CIO who all know how important having a great security team is. Keeping talent is easy in my view if you understand what they’re passions are and let them grow and work in those areas. It’s my job to make that happen.
I think a security team is sort of like a baseball team: Everyone has their unique position on the field that they excel at. Maybe someone excels at forensics while another is great at writing policies, while another person is really into application code scanning. I say let them roll with their talents. It’s my job to give them the tools and space they need to succeed and become security stars.
But finding new talent? That can be a challenge these days. We’ve been working with local universities, many of which have fantastic security programs. We also use the internship program as a way to find and attract new talent. It’s a great way for students to come in, get their feet wet with enterprise security technology and really hone their skills.
Dan: What are you doing to remediate the Heartbleed bug?
Erik: Heartbleed is getting a lot of attention these days, that’s for sure. With any vulnerability of this sort, we take a risk-based approach – find out what systems are vulnerable or potentially impacted, develop a remediation plan and take action. Rapid communication and reporting are critical. We were able to get out in front of Heartbleed really quickly.
Dan: Where are you with Windows XP migration?
Erik: We started alerting agencies over a year ago about the EOL date for Windows XP and continued to communicate with them regularly about it. We also laid down some concrete ground rules for any agencies that either couldn’t upgrade in time or needed to keep XP systems going. We basically gave them the choices: upgrade to a supported OS by the EOL date, purchase extended support from Microsoft, or disconnect any remaining XP machines from the Internet and segregate them off the network. At the end of the day, we migrated over 56,000 PCs to Windows 7, and put another 250 on extended support.
Dan: Is there anything else you’d like to share about your cybersecurity programs?
Tony: We’ve got a great security program here and folks who are passionate about keeping the commonwealth secure and our citizen’s data safe from the bad guys.
Dan: Thank you both for taking the time to share your insights on cybersecurity with the nation. Pennsylvania, the National Association of State CIOs (NASCIO) and the wider security community are fortunate to have you in the roles that you are in. I believe that Pennsylvania is doing excellent work and we can all learn a lot from following your examples.
This CIO/CISO interview series will continue in May 2014 – and we will move out west.