We are continuing the series of interviews with leading state government CIOs and CISOs from around the nation. This week, we turn to Washington state and its security priorities and technology plans.
Washington State Chief Information Officer Michael Cockrill, credit: Washington State Government
What’s on the minds of public sector technology leaders in Washington state? Top answers: cybersecurity, data privacy and jobs.
According to a University of Washington at Tacoma website, “Washington state is the number one generator of high tech jobs.” Going further, “The need for cybersecurity leaders will grow exponentially.”
Although a few people in California, Texas or elsewhere may dispute that prestigious high-tech job-generator claim depending on a variety of factors, no one doubts that Washington state is a powerhouse in high-tech, with Microsoft, Amazon and other top tech company headquarters near Seattle.
After my recent interview with Washington state government’s CIO Michael Cockrill and CISO Agnes Kirk, one thing is clear: security and data privacy are at the top of the priority list as they plan to consolidate tech agencies.
According to Cockrill, “Security blots out the sun relative to every other issue. Security and privacy are the only IT topics that are political issues. If I had to guess, I would guess I spend half my discretionary time on security and privacy….”
Introducing Washington Government’s Talented Technology and Security Leaders
Michael Cockrill was appointed chief information officer (CIO) by Gov. Jay Inslee in January 2013. He came with an impressive track record in the public and private sectors, including:
· Founder and Chairman, Atlas Networks
· Associate Partner, Auxin Partners, LLC
· CEO, PhotoRocket
· Entrepreneur in Residence, University of Washington Technology
· Managing Partner, Atlas Accelerator
· Co-Founder, CTO and VP Product, Mixxer
I especially like this LinkedIn profile description of Michael’s personality and approach to management, which came across when I met him in California at the Summit of State Cybersecurity: “Customer obsessed, business driven executive with proven success in the public and private sector. Experienced executive leader who has built world class executive teams, product development teams, support teams, and technical sales teams.”
After you see his answers to my interview questions below, I am sure that you will agree with me that Washington state is fortunate to have a CIO of Michael Cockrill’s caliber.
I have known the Washington state chief information security officer (CISO) Agnes Kirk for about a decade through our work together in the Multi-State Information Sharing & Analysis Center (MS-ISAC). Through the years, she has proven to be an impressive executive security leader in numerous respects.
Back in 2007, when Agnes was the chief security officer (CSO) for the Washington State Department of Information Services, she was named to the top 25 list as a Government Technology magazine “Doer, Dreamer and Driver.”
(As an aside: Notice some of the other names on that 2007 award list. They include: Gov. Janet Napolitano when she was still in Arizona, Gov. Tim Pawlenty of Minnesota, Doug Robinson, executive director of NASCIO, along with several other famous names.)
Agnes was already doing great things eight years ago, such as: “SecureAccess Washington -- a single sign-on gateway for the public to access one or more secured applications from the Internet using one user ID and password.”
Agnes continues to be a respected cybersecurity leader across the nation, who helps in so many ways behind the scenes. She is very smart and on top of cybersecurity threats and enterprise risks, but Agnes also is a humble, fun person who has a winning personality.
On to the Washington State CIO & CISO Interviews:
Dan Lohrmann: Tell us about your scope of responsibilities as CIO in Washington state.
Michael Cockrill, Washington state CIO: Based on a bill that is winding its way through the legislature as we speak, the chief information officer for Washington is being defined to have two major roles covering operations and strategy.
For operations, the CIO has the responsibility to maintain and operate common, enterprisewide systems that enable agencies to focus on their unique missions. These include:
· Cybersecurity operations and firewall protection
· Infrastructure and utilities
· Enterprise software that every agency relies on
· A catalog of services and programs available to agencies
For strategy, the CIO is responsible for the state’s long-term strategic planning, the creation and maintenance of policy and standards, enterprise portfolio management and large project oversight. This includes:
· Publishing a statewide strategic framework
· Publishing statewide technology policies and collaborating with agencies on updates and additions
· Generating a prioritized list of all funding requests for review by the legislature.
In addition to the major functions of my role, my office plays several ancillary roles and/or advisory roles. Below are a few examples:
· I am a general technology adviser to the governor’s office for matters of policy with detailed technical components. For example, I chaired the governor’s committee to harmonize Washington’s regulation on the use of unmanned aerial vehicles (drones).
· The CIO is the designated point of contact with the federal government for FirstNet.
· The CIO is the chair of the State Interoperability Emergency Council, the body responsible for coordinating radio interoperability across state entities.
Dan: You have had a very successful career in the public and private sectors – including roles as CEO, partner, co-founder and more. What is your secret to success?
Michael: My "secrets" of success aren’t that secret – they’re a set of time-tested behaviors and actions that are proven to make most anyone or any group more successful. Here are my top five:
1. Hire great people and empower them to do a great job.
2. Follow the money – while it is not about the money for money’s sake, money in government is the enabler. You can’t empower your people if they don’t have enough budget to make forward progress.
3. Focus on creating order from chaos. This almost always can be done if you can draw the right picture. I literally mean that – a picture that creates a common framework for discussion is a critical success factor for any order-making process.
4. Don’t solve other people’s problems. Require that they solve their own problems. My personal belief is that it is not the executive's role to answer questions about the business. It’s the executive’s role to define the criteria the business should use to answer questions.
5. Culture eats strategy for breakfast. In a great culture, no one says "that’s not my job." In fact, the opposite is true. If more people are empowered to do more things to further the well-articulated goals of the business, that will take your organization much farther than even the finest-crafted strategy document.
Dan: How important is security in your job?
Michael: Security blots out the sun relative to every other issue. Security and privacy are the only IT topics that are political issues. If I had to guess, I would guess I spend half my discretionary time on security and privacy.
Dan: What keeps you up at night regarding cybersecurity?
Michael: The disconnect between the expectations of our citizens and the authorizing environment – and anyone’s ability to deliver that level of service. We can’t tell citizens or lawmakers that their data is not safe, but we can’t tell them they have nothing to worry about either.
Dan: How has security changed throughout your career? Is it more important today with big data, mobile computing and the cloud security challenges?
Michael: The downside of a breach is worse than it has ever been. The number and makeup of advisories is richer and more varied than it has ever been.
The consumerization of IT along with the proliferation of communication channels represent values that are diametrically opposed to good cyber hygiene. For example, good security is predicated on great access control. That is in conflict with the open government we all strive for where everyone has access to everything.
Dan: In 2015, is cybersecurity given a high priority by your governor? How does cyber get attention with so many competing projects and priorities?
Michael: Realistically, security and privacy are the only issues that get any real priority from the governor’s office. I agree with the prioritization. A data breach would make it hard for the governor to be re-elected. There is really nothing else in the IT world that rises to that level.
Governor Inslee takes cybersecurity very seriously because he understands that it is an economic issue, not a technical one. The distribution of our systems, the disruption of critical infrastructure, these are issues that cause disruption to the continuity of commerce.
Governor Inslee understands that we live in a four-day economy. If the bad guys closed down the port of Seattle or our transportation infrastructure was disrupted along the I-5 Corridor, greater Seattle would start to see gas shortages in a matter of hours, we would see food shortages the next day, and four days after a catastrophic event, we would be looking at empty shelves at Costco and no coffee at Starbucks.
Washington State Chief Information Security Officer Agnes Kirk, credit: Agnes Kirk
Interview with Washington State CISO Agnes Kirk
Dan: Tell us about your scope of responsibilities as CISO for Washington state.
Agnes: A primary responsibility is to promote security awareness across levels of government, our business partners and constituents. This includes advising agency management and members of our legislature on security-related decisions. We publish monthly newsletters, security tips, resources and tweets to raise awareness among state agencies, local government and Washington businesses. A priority of mine is to coordinate and promote close relationships with other state, federal and private-sector partners.
Another key responsibility is to help state government deliver services securely to our citizens and businesses. This is a team effort between my security staff and security staff in the 100+ state agencies, boards and commissions. My responsibilities include security policy development, network security, Web filtering services, vulnerability management services, internal certificate authority, domain naming services and remote access services. My security team developed and operates a secure single sign-on portal for government-to-business and government-to-citizen online services. Today, 2.2 million citizens and businesses securely access Washington’s online government services from anywhere, anytime.
We recently expanded our Security Operations Center (SOC), which is our nerve center for enterprise information sharing, monitoring and incident response. The SOC takes a proactive approach to mitigate security incidents before they happen, and to minimize damage before business operations become compromised. They provide real-time expertise to help agencies mitigate and recover from an incident, big or small. This team also conducts forensic investigations and security assessments for state agencies.
Dan: You have a very successful, highly respected career as a government CISO. How do you stay ahead of the ever-changing cyberthreat environment (personally and as a team)?
Agnes: I am not sure anyone can say they “stay ahead” of the ever-changing threat environment. I think most security professionals, including myself, are constantly assessing the changing landscape and determining how best to position our organizations, to not only respond to threats, but to proactively anticipate emerging threats.
I have a great team that continuously researches types and methods of attacks, and partners with our peers in both the public and private sector to share actionable information. We leverage important and valuable partnerships with major corporations in the state, the Multi-State Information Sharing and Analysis Center (MS-ISAC), Department of Homeland Security, Washington State Fusion Center, FBI, and Emergency Management Division of the Military Department.
Dan: What’s hot right now regarding your role? Where are you spending your time?
Agnes: I am most excited about the increase in voluntary partnerships that are emerging to share security information for the greater good. We are aligning our efforts with our federal partners, creating cross-sector security training and awareness partnerships, and leveraging technical expertise offered by the MS-ISAC, DHS and US-CERT to continually strengthen how we protect the information entrusted to us by our citizens.
Another focus is determining how we can use predictive analytics as a proactive tool. We are leveraging technology and threat intelligence data sharing at machine speeds to automate our defenses. The increasing sophistication of attacks whether they come from hacktivists, cybercriminals, nation states or disgruntled employees necessitates this innovation.
Dan: How has security evolved over the past two decades? What’s different (and the same) today, as compared to say 1995 or 2005?
Agnes: The security organization has grown from passive procedure development to technologist to business partner. The continued threat of attacks is a societal issue facing all industries and requires a shift in thinking.
By necessity, security has become as important as the IT services themselves and is a major plank in the IT strategies of large organizations. Security is now the conduit through which we deliver IT services because without security in today’s world, there is no trust. The reason is the likelihood and impact of loss from attack has risen dramatically. The thinking has moved from what “might happen” to what “will happen” if you don’t act. Security is now on the short list of what has to be managed well for any organization to survive.
As a result, it has risen to become a public policy issue, getting the attention of legislatures and CEOs alike.
Complicating security today are the “always connected” expectations of the public, whether it be to interact with their government or to purchase tickets for a sporting event online. Anytime/anywhere.
Dan: Do you have enough talent in the cybersecurity area? How are you attracting and keeping cyber talent?
Agnes: We struggle along with our private-sector partners to attract and maintain enough security talent with the right skill set. It is no secret that there is a shortage of trained security professionals. We experience long recruitment times because it is challenging to compete with the compensation offered by private companies here in the Northwest. What we do offer is the opportunity to learn many different technologies, develop and implement creative solutions to real problems and be part of a highly skilled, motivated team that is making a difference for the citizens of our state every day. Fortunately our state offers good employee benefits. These don’t level the playing field, but they help somewhat with recruitment.
Dan: Is there anything else you’d like to share about your cybersecurity program and upcoming projects?
Agnes: We are on the verge of launching some exciting new programs. Training is a big one. We will be kicking off a training program for application developers that teaches secure coding methods when developing online services. They will learn secure coding best practices and will test against secure coding standards before publishing.
We will also begin creating a highly secure, light touch portable environment for mobile employees.
It’s great to be part of a state where increasing the security of our state is a partnership with the governor, legislature and state CIO.
Washington state has been a recognized leader in government services for decades. I have little doubt that their current government technology leadership not only “gets it” when it comes to cybersecurity and privacy, but will continue to be innovative leaders in the nation into the future.
My thanks go out to Michael and Agnes for participating in this deeper look into Washington state government security plans and government priorities.