June 29, 2014

Perspectives after the Nebraska Cyber Security Conference: Government leaders share insights

A Spartan fan visits Husker Country to learn about cybersecurity in Lincoln.


Nebraska CIO Brenda Decker with information security lead Chris Hobbs

When most Americans think of Nebraska, the first things that come to mind are farmers, corn and college football – and for good reasons. Those topics even come together in the University of Nebraska-Lincoln’s official nickname: Cornhuskers.

According to the Husker website, Nebraska has won five national championships and 43 conference titles since the program began in 1890. But equally impressive is their NCAA record of 333 consecutive sellouts at Memorial Stadium, which began in 1962.

As a Big Ten football fan who supports the rival Michigan State University (MSU) Spartans, I have developed a fear and respect for Memorial Stadium and Nebraska football over the years. So on my first visit to Lincoln back at the beginning of this month to speak at the 2014 Nebraska Cyber Security Conference, I had to bring my son along and see what enabled such a winning athletic tradition.

Chris Hobbs, Nebraska’s Information Security Officer, graciously arranged tours of Memorial Stadium – as well as other interesting sites in Lincoln such as the Nebraska Capitol Building.

My reaction: Wow! What a stadium tour, and what serious attention to detail. In short, Nebraska really backs their college football team – with most 4th- or 5th-graders even taking these same tours when they visit the state Capitol in Lincoln on field trips.

Dan and Paul Lohrmann at Memorial Stadium

Continuing the CIO/CISO interview series

I am continuing the series of discussions with CIOs and CISOs around the country. The goal is simple: to listen and learn from their ideas and actions.

Last time, I interviewed Montana’s CIO and CISO. That dialogue occurred prior to the announcement of the breach at Montana’s Department of Public Health and Human Services (DPHHS). I wish my colleagues in Montana all the best as they work through this serious cyber incident.

This blog series started in Mississippi back in March, and we continued in April in Delaware and moved next door to Pennsylvania. Next, I headed west to Nevada. Now we head southeast from Big Sky country to the Cornhusker State.  

The Nebraska tradition of government excellence

What I also saw first-hand in early June were the main ingredients that make Nebraska government technology so effective, primarily its excellent leaders.

Ms. Brenda Decker, the Nebraska chief information officer since 2005, has been a nationally recognized technology executive for several years. According to the National Association of State CIOs (NASCIO) website, she served as the NASCIO President from 2012 to 2013.

In 2003, Government Technology magazine recognized Brenda nationally as one of the top 25 Doers, Dreamers and Drivers of Information Technology, and in 2007 as one of the “5 Most Influential Women CIOs.” Brenda was selected as one of the Premier 100 IT Leaders for 2008 by Computerworld Magazine. In April of 2008, the AIM Institute honored Brenda with the Outstanding Community Service in Technology Award. The National Association of State Chief Information Officers honored Brenda with their 2010 Meritorious Service award in September.

On a personal level, Brenda is humble and very kind, while demonstrating immense capability and a determination to constantly improve. Ms. Decker knows government in Nebraska inside and out, and she leads with a quiet confidence that is refreshing to see. What comes across clearly as you speak with Brenda is that she understands the important issues of our day and that she really cares about technology delivery and improving government services.

In my opinion, Ms. Decker is one of the most thoughtful and capable government technology executives anywhere in the world.

During the trip, I also got to know Chris Hobbs, Nebraska’s very smart and capable Information Security Officer. Chris has a background in state government with the Nebraska Department of Revenue, which provided him the learning and experience to lead Nebraska’s statewide information security efforts. He became the lead information security official in Nebraska in 2012, and he reports to CIO Brenda Decker.

As I got to know Chris and his children during the tours in Lincoln, his family values and fun personality became apparent. I was impressed with how he handled numerous personal interactions all over the city. It became very clear that he has earned the respect and trust that are so essential to running an effective statewide information security program in government.

I also learned that the 2014 event was the 9th annual Nebraska Cyber Security Conference, and Chris did an excellent job of coordinating the public and private sectors to put together the overall program.

(Side note: States that have never held a similar security event need to strongly consider holding a Cyber Summit in 2015. The public/private engagement alone is worth the effort, and the training provided for staff throughout business and technical areas sets the tone for changing cultures to be cyber-aware of the latest trends, risks and threats.)

Interview with the Nebraska CIO

Dan Lohrmann (DL): Tell us about your scope of responsibilities as CIO of Nebraska. How important is information security to your strategic plans?

Brenda Decker (BD): The CIO for the state of Nebraska is appointed by the governor and serves on the governor’s cabinet. I have had the great fortune of serving as Governor Heineman’s CIO for the past 9 ½ years. In Nebraska the CIO – working with the Nebraska Information Technology Commission – is responsible for information technology management, use and strategic planning for the entire enterprise.

Information security plays an integral role in Nebraska’s strategic plan. The Nebraska Information Technology Commission has identified eight strategic initiatives in our statewide technology plan that require an enterprise approach and the cooperation of multiple entities for their success.  One of those initiatives is security and business resumption. The objective of this specific initiative is to define and clarify policies, standards and guidelines, and responsibilities related to the security of the state’s information technology resources. 


DL: What keeps you up at night regarding cybersecurity?

BD: The one area I have always worried about is the human element of cybersecurity.  Do our employees know how to protect their information, what should be protected and what puts that info at risk? This is the one area that I do lose sleep over. The rate of turnover in government means that training needs to be a continual process. The current commercialization of technology has also added to this concern. Individuals use personal cloud accounts for their personal information and having those types of resources puts that type of technology at their fingertips for storing state information as well. The potential for state-protected information to be stored in an employee-owned cloud service definitely makes me nervous.


DL: How does Nebraska include security in projects that involve big data, mobile computing and cloud computing?

BD: Nebraska adopted a State Information Security Policy that spells out a uniform set of security safeguards for agencies that create, use or maintain information systems for the state of Nebraska. We have a Security Workgroup that meets regularly to review our standards and guidelines, recommend changes and monitor exposure. We have worked hard to treat projects and their security-related issues on the classification of the data that will be used.  For example, rather than create separate security policies for cloud computing, we have security policies related to the data that will be stored in the cloud. 


DL: How does cybersecurity get attention with so many competing projects and Governor priorities?

BD: Our philosophy is to “bake in” cybersecurity as we evaluate projects proposed. I would be hard pressed to think of a project priority of the governor that does not have a cybersecurity element.  Whether we are talking public safety systems, health and human services systems, or education systems, they all have a security element relative to the protection of data.  However, I don’t think you will ever find a CIO that claims they have all the funding they could wish for related to the topic of cybersecurity!

 

Video on security with Mr. Chris Hobbs – Information Security Officer for Nebraska Government

This video answers key questions regarding information security in Nebraska in a different format. It also provides some excellent advice from Chris on how to safeguard government data – whatever your role is regarding IT security.

I’d like to thank Brenda and Chris for inviting me to come to Lincoln, Nebraska, to participate as a keynote speaker at their annual Cyber Security Conference. Next year will be their 10th annual cyber conference event, and I understand that it may be even bigger and better than 2014.

Wrapping-up CIO/CISO series on cybersecurity 

I planned to end the CIO/CISO interviews for 2014 after Nebraska. However, several states have asked how they can also participate. (One government official urged me to include more large states.)

I will leave the door partially open for more interviews in the future. If your state is interested, please feel free to contact me through LinkedIn.

I also plan to do a summary blog on what I have learned so far in the interview series. In that wrap-up blog on the interview series, I will also take a look at the current and potential future roles of CIOs and CISOs in government cybersecurity. Expect to see that blog in late July 2014.

As always, thanks for reading and sharing.