Minnesota CIO Carolyn Parnell (right) with CISO Chris Buse (left)
How can state and local governments protect data and respond to sophisticated cyberattacks?
As hackers keep striking public- and private-sector organizations in increasing numbers with sophisticated online threats, governments must constantly adjust their cyberdefense strategies and plans to be effective.
Cyberdefenses that worked successfully last year, or even last month, may not be enough to stop data breaches tomorrow. So what are government security leaders doing now to prepare for the worst – while enabling business improvement and encouraging technology innovation?
Perhaps most important, how can chief information officers (CIOs), chief information security officers (CISOs) and other technology leaders build trust in the enterprise with the never-ending string of data breach news headlines?
Government CIO/CISO Interview Series Continues
To answer these questions, I am continuing a series of interviews with state and local government CIOs, CISOs and other national leaders. Over the past nine months, I have engaged top state and local government cybersecurity leaders in a series of interviews and visits in order to answer these constantly-changing cyber questions.
Previous blogs have reported on government cyber summits in Wisconsin and Nebraska, as well as a CxO workshop in Ohio focusing on culture change. Interviews were held with top technology leaders in Montana, Nevada, Pennsylvania, Delaware and Mississippi.
After I looked back on seventeen years of government service in Michigan, I was encouraged by an eye-opening visit to New York to see the latest developments at the Multi-State Information Sharing & Analysis Center (MS-ISAC).
Now we move on to a state that has been a leader in technology innovation for many years. Minnesota was the first state to utilize Microsoft Exchange Email in the cloud, and Michigan as well as other states followed their cloud-based email example.
Meet Minnesota’s Government Technology Leaders
Carolyn Parnell was appointed as Minnesota’s CIO and Director of the Office of Enterprise Technology (OET) in February 2011 by Gov. Mark Dayton. Ms. Parnell has a great track record in technology, with leadership roles including MnSCU, the fifth-largest system of two- and four-year colleges and universities in the country. She was also director of Information Technology at MN Public Radio/American Public Media, as well as serving as the director of Networks and Data Centers at Fidelity National Information Systems and as the director of Networking and Telecommunications Services at the University of Minnesota.
As CIO in Minnesota over the past three-plus years, she has a long list of accomplishments and awards, such as a GT Top 25 Winner for 2013. Here’s an excerpt: …In June 2011, the Legislature passed a bill to consolidate all IT functionality in the state under Parnell’s office — a consolidation that she says is about one-fifth complete because it’s a massive, multiyear undertaking. “We started with a mandate to pull under one roof all aspects of IT — people, projects, infrastructure, applications — which was scattered among 70-plus organizations,” she said. “This had not been done in the state before.”
Chris Buse became Minnesota’s CISO in June 2007, and he has made a major impact on government operations and cybersecurity policy throughout the nation. He is a leader who has spoken at the RSA Conference in San Francisco and is an Executive Committee member for the MS-ISAC.
I have known Chris for many years, and I must say that his passion and professional excellence are very impressive. He is a committed cyber pro who goes the extra mile to accomplish tasks and take on hard problems. CISOs around the nation turn to Chris for advice and ideas, and I am amazed by what he has accomplished in in Minnesota.
On to the CIO Interview:
Dan Lohrmann: Tell us about your scope of responsibilities as CIO in Minnesota.
Minnesota CIO Carolyn Parnell: I am the state CIO and the commissioner of MN.IT Services. We provide the full range of IT to over 70 agencies, boards and commissions that [constitute] the state’s executive branch. This comes as a result of a 2011 law requiring full consolidation of state IT. Our two-pronged strategy is to provide as much of the common, basic operations and applications on an enterprise basis, and provide the unique business-related application development and management closer to the business, in 30 offices across the agencies we serve. We are in the middle of a multi-year plan to define, create and staff enterprise services to meet the needs of agencies that used to operate independently. Meanwhile, we continue to serve the agencies’ individual needs.
Dan: How important is information security in your recently released strategic plan?
Carolyn: We are two years into our strategic plan and ready for a refresh. Information security is key to all of our strategies and, again, we have a two-pronged approach: ensure that all new services and applications we introduce to the state environment have security standards and capabilities baked in as a part of the foundational architecture; and increase our efforts at vulnerability management, detection and mitigation for the systems we currently have. As part of our strategic plan we are going to be realigning our combined security team into those that will provide common enterprise security services and tools; and those that secure clustered lines of business within the executive branch. This plan mirrors our overall strategy of combining the services that can best be delivered centrally, and allocating staff to those that need to stay closer to the business.
Dan: What keeps you up at night regarding cybersecurity?
Carolyn: The consolidation of IT has made it possible for the first time to take a look at the state’s security profile from a more global perspective, and allows us to realign our resources in ways that would have been impossible before. However, it is clear that the historic investment in security agency-to-agency was extremely uneven, which leaves us in a bit of a pickle when we combine resources. It will take us several years and a commitment from leadership to even the playing field and address security consistently across the enterprise.
Dan: How has security changed throughout your career? Is it more important today with big data, mobile computing and the cloud security challenges?
Carolyn: There is no question that the digital-first realities of today’s government and the trends we see in our future require all states to redouble their security efforts to keep pace with the technologies being introduced as must-haves for our agencies and our citizens. On the other side, the security threats to the state continue to grow. Our challenge is to meet both the business needs and the security threats with security services equal to the challenge.
Dan: As we head into 2015, is cybersecurity given a high priority in Minnesota? How does cyber get attention with so many competing projects and governor priorities?
Carolyn: Risk management is never anybody’s favorite topic, particularly in a political environment. But the daily media coverage of what can go wrong if security is compromised has helped people think about it more than they might otherwise. My biggest challenge is to build good partnerships with my fellow commissioners and with state leadership because I truly believe that security and risk management are a shared responsibility between business and IT. The consequences of poor management or insufficient security investment impede state government’s front-line ability to serve citizens, particularly in time of need and crisis. We need to address the risks together. Ultimately, the investment is their decision and I want to be sure that the decision they make is one we can live with as a state.
Minnesota CISO Interview
Dan: Tell us about your scope of responsibilities as CISO in Minnesota.
Minnesota CISO Chris Buse: As the chief information security officer for the state of Minnesota and assistant commissioner of MN.IT Services, I’m responsible for designing and implementing the enterprise security architecture for state government. This includes all proactive, reactive and corrective security services. I also oversee enterprise architecture, strategic IT procurement and geospatial services, which collectively we define as our “leadership services”.
Dan: What’s hot right now regarding your role? Where are you spending your time to protect your state government?
Chris: When I view information security services across state and local governments, it is clear to me that we are at a Donnybrook moment. Government security programs are outgunned and simply have not been positioned or funded properly to succeed. With IT consolidation, Minnesota has a golden opportunity to get IT security right, and that has been my major focus for the past two years. The time has come to figure out how to deliver many security services in our portfolio enterprisewide, leveraging our state’s economy of scale. I refer to that as horizontal consolidation. Recognizing that some security services require “boots on the ground” knowledge, we also are working on a plan to deliver other security services to clusters of agencies. I refer to this part of our plan as vertical consolidation, which involves delivering consistent security across six lines of business: health, economy, safety, environment, education and general government.
As we consolidate IT services, such as managed hosting, my role over leadership services gives me a unique opportunity to both simplify and more appropriately secure IT. We are moving from an era where Minnesota agencies did everything everywhere, to a new area where we are focusing on a common set of architectural standards. This gives our state more leverage to deal with vendors and it results in a simpler IT environment that is more defensible. Our goal is clear: design and implement an entire portfolio of IT services that have security built in by default. Given today's sophisticated threats, this strategy is vital because there will never be enough money on the table to secure government IT that still operates in silos.
Dan: You have been known as a leader in the area of cybersecurity. You also released some innovative new plans. Can you tell us about that?
Chris: Our new plan for information security focuses on both horizontal and vertical consolidation. The plan outlines specific deliverables for each security service and describes how those deliverables will be fulfilled by the new central and line-of-business security teams. The plan also describes the tools in our arsenal that will be made available to security staff and a list of priority services that we hope to implement first.
Our plan emphasizes that no service can be completely centralized or completely assigned to a line of business security team. For example, we have a security monitoring service that will manage a set of technologies to help our state achieve situational awareness and identify anomalies that require further investigation. Though this is a service that will be primarily centralized, line-of-business security teams will be responsible for identifying and helping implement application-specific use cases. Conversely, for services that are delivered primarily at the line of business level, the plan recognizes that those services will benefit by having a consistent methodology and centrally supported tools.
We presented our IT Security Consolidation plan to government security leaders at the MS-ISAC Annual meeting and provided some government security leaders with copies.
Dan: Do you have enough talent in the cybersecurity area? How are you attracting and keeping cyber talent?
Chris: I am extremely proud of the talent that we have on our team. However, we are always on the lookout for more people with cybersecurity skills. In a very competitive market like Minneapolis/St. Paul, it is difficult to compete for talent on salary alone. However, we can create our own sweet spot by working with local colleges and universities to develop a talent pipeline. We also need to do a better job touting the merits of working for government, because we do both IT and information security on a very big scale. I wholeheartedly believe that state government is a fantastic place to pursue a career in information security and feel that strong sense of satisfaction that comes from keeping citizens safe. Working for government is truly a feel good job.
Dan: Is there anything else you’d like to share about your cybersecurity program?
Chris: I feel blessed to be one of the leaders of our state IT agency, MN.IT Services. We are a progressive organization with strong leadership, and we are not afraid of change. Through both IT and IT security consolidation, I believe that we are taking bold steps that are necessary to create a better future for our government and the citizens that we serve. There is little doubt in my mind that the future will be what we make it.
Dan: My thanks go out to Carolyn and Chris for taking time for this interview. Minnesota is leading the way in many areas of government security. My congratulations for your excellent efforts!
This series will continue in the coming weeks with another set of government leadership interviews as well as feedback from my recent visit to Baltimore for the CyberMaryland Conference 2014.
As an fyi - Detroit, Michigan, is the site of an upcoming International Summit on Cybersecurity on Nov. 17.