Illinois CISO Discusses the State Cybersecurity Strategy

Illinois state government has launched a 2017-2019 cybersecurity strategy that is both bold and ambitious. Here is what state Chief Information Security Officer (CISO) Kirk Lonbom had to say about where the state is now and where it is going regarding government cyberdefense.

by / August 26, 2017
Illinois State Capitol, permission: K. Lonbom

The Illinois Department of Innovation and Technology (DoIT) has responsibility for the information technology functions of agencies under the jurisdiction of the Illinois governor. DoIT’s mission is to empower the state of Illinois through high-value, customer-centric technology by delivering best-in-class innovation to client agencies, fostering collaboration and empowering employees to provide better services to residents, businesses and visitors.

DoIT delivers statewide information technology and telecommunication services and innovation to state government agencies, boards and commissions as well as policy and standards development, life cycle investment planning, enterprise solutions, privacy and security management, and leads the nation in smart state initiatives.

DoIT provides improved, more rapidly available innovative solutions at an industry-efficient price/investment point. This includes but is not limited to:

  • Improved management of the nearly $1B portfolio of IT investments
  • Greater agency oversight of IT services and more transparent rates
  • Greater ability to leverage the state’s economy of scale in purchasing IT
  • A unified IT workforce nearly 1,700 members strong
  • Rapid deployment of new agency solutions based on 75-day sprints
  • Increased use of new shared enterprise applications for common capabilities
  • Increased percentage of citizen and business interactions that are mobile enabled

Kirk Lonbom is the chief information security officer for the state of Illinois, leading a statewide transformative cybersecurity strategy for the newly established Illinois Department of Innovation and Technology. Appointed as state CISO in 2015, Lonbom is providing leadership and oversight in the strategic planning, execution and assessment of all statewide information and cybersecurity strategies, policies, procedures and guiding practices to be implemented by all state agencies under the governor. Lonbom began his career as a police officer, ultimately specializing in criminal intelligence focusing on organized criminal groups and terrorism. Lonbom has previously served as assistant deputy director and deputy chief information officer for the Illinois State Police and chief information officer for the Illinois Emergency Management Agency.

About two years ago I was contacted by Kirk Lonbom when he first became Illinois’ cybersecurity leader. He asked me to comment on his personally written internal action plan for the first 100 days in his new role. While I didn’t see any sensitive information regarding incidents or internal cyberchallenges, I saw enough of his initial plan to be impressed. I will even go as far as to say it was the best initial cyberapproach I have seen for a new state or local government CISO in the past three years.

What struck me the most was the research, understanding, and breadth and depth of security knowledge that we discussed. Lonbom brought a wealth of experience with him, but more than that he had clearly done his homework. He knew he was in for a very big challenge. Pulling from what he saw was the best of what state, local and federal governments had to offer, he definitely worked hard.

And now, when I saw recent media coverage, I jumped at the opportunity to interview him about developments over the past two years, and most specifically about the State of Illinois 2017-2019 Cybersecurity Strategy. So here’s my exclusive interview with Illinois CISO Kirk Lonbom.

Illinois CISO Kirk Lonbom

Dan Lohrmann (DL): You’ve made good progress already during your first two years as CISO in Illinois. What are you most proud of regarding cybersecurity activities in Illinois?

Kirk Lonbom (KL): From a big-picture perspective, we are very proud to have established a culture of cyber-risk ownership with our business leaders. During our first few months of this journey, we spent significant time meeting with state agency directors and other executives regarding the cyberthreat and the potential impact on our ability to deliver critical services to our citizens. We worked hard to ensure our business leaders understood that cybersecurity is a business issue, and not an IT issue. For the state of Illinois, it is a life, health and safety issue; should certain systems fail, there is a true risk of lives being affected. I’m proud to say our executives have a much clearer understanding, and we continue to nurture these relationships. We have had incredible support from the governor as well, so the proverbial "tone from the top" is well-established in Illinois.

On a more day-to-day perspective, we’re proud of the team we’ve built working toward a common vision. The team extends beyond our Division of Information Security and into all areas of our agency. We have established application development groups that focus on secure development, a cross-agency group to develop protective but realistic information security policies and standards, and a team to help guide overall security engineering. We remind our staff of what we are protecting, and that translates into protecting the citizens of the state.

DL: How did this cybersecurity strategy come together? Who was involved and how long did it take to coordinate and get the agreed-upon vision?

KL: The development of the strategy was a pretty comprehensive process. Our initial approach was a straightforward one-page view of what was then the current state, the desired state (defined as outcomes) and the gaps. We established an Executive Committee for Cybersecurity composed of key state leadership including our Director of Public Safety, Emergency Management Director, the Adjutant General of the National Guard, the Illinois State Police and others. This group served as a steering committee for the strategy, which helped us maintain a focus on the criticality of protecting the most essential business and information of the state.

We were fortunate to have been awarded a Policy Academy for State Cybersecurity by the National Governors Association (NGA), and our focus was on the development of the strategy and cybersecurity governance. The NGA brought us together with other states to share ideas and learn from those before us, and also led strategy meetings with our stakeholders during in-state meetings.

State agency chief information officers and information security personnel brought a great deal to the table, but we ensured input from the business as well. I think the end result is a comprehensive, protective and inclusive strategy. The process further nurtured our relationships, including agency leadership as well as our counterparts across the country.

DL: Who is the audience or who is this written for?

KL: The State of Illinois Cybersecurity Strategy is a public document, and can be reviewed online. The intended audience is wide. First, the strategy ensures our stakeholders know that the governor and our agency are focused on protecting them. These stakeholders include our citizens who entrust us with their personal information, our agencies which provide critical services to our citizens which rely on information technology, and members of our General Assembly, many of whom have shown incredible support toward a cybersecure Illinois.

Our audience also includes the information technology professionals who support the state to ensure we remain focused on cybersecurity across all aspects of information technology service delivery. Our staff who focus on cybersecurity day in and day out also know where we are headed, so there is no confusion regarding our direction. We also believe our audience includes state and national partners, and sends a clear and distinct signal that Illinois is not only focused on a cybersecure Illinois, but a cybersecure nation.

DL: What is the main message(s) you want to get across?

KL: We think one of the strengths of the strategy is its ability to communicate the right message to the right stakeholder. For example, simply by opening the first page, readers can clearly recognize Governor Rauner’s commitment to cybersecurity. The message from Secretary Hardik Bhatt communicates the direction through the identification of our five goals. Through the description of the threat, readers can quickly identify the importance of cybersecurity to them individually. It is so critical that we all recognize that the threat is real, and applies to all of us.

Through the Strategic Vision and Outcomes, our executives and our legislators can quickly see the ‘whys.’ Ensuring focus on outcomes, and not just output, is a key to any successful strategy. For those who want to know ‘what are you going to do about it?’ the Goals, Objectives and Action Plans make it abundantly clear what is important, and at a high-level, just how we are going to make it happen.

DL: With so many actions, what two to three items are your highest priorities for Illinois cybersecurity?

KL: During our first year, our critical initiatives were establishing programs that are sustainable and scalable across our enterprise. We have oversight and direction for cybersecurity across 63 agencies, boards and commissions comprised of approximately 50,000 employees and countless lines of business, ranging from public safety to financial to health care. It is crucial that we establish the foundational programs that provide for continual improvement and risk reduction.

Our three key focus items are:

  • A Cyber-Risk Management Framework and process to enable the ongoing assessment of risk. Information security is all about reducing risk to an acceptable level, and absent assessment of risk, security investments will be inefficient and ad hoc. Dollars are not unlimited, and we must focus on the highest risks. We are executing with that framework and risk assessment methodology now.
  • Establishing a Cyber Resiliency Program to ensure we can both protect and recover from adverse cyber-events. We have developed and are executing a robust program that focuses first on the business through business impact assessments and the development of resiliency, contingency and disaster recovery plans. We must assume that bad things will happen, so a focus on resiliency is critical. The Cyber Resiliency Program is now in the execution stage, and we are involving agency executives from start to finish to ensure they understand and guide the protection of their critical functions.
  • Our Security Operations Center (SOC) is now in operation, and we are already reducing the impacts of cyberattacks through proactive monitoring and rapid response. We are continuing to mature the SOC and ramping up resources. We are focusing on automation wherever possible, and utilizing technologies to detect threats, effectively manage incidents and even integrate threat intelligence into the process through mouse-clicks, and not lengthy and ineffective manual research.

DL: You list five goals with ambitious objectives and action plans in each area. Is this too aggressive? Is it doable by Jan. 1, 2020?

KL: It is aggressive. The strategy identifies where we need to go based on our current state of capability, maturity and the threat landscape. We are already checking many of the boxes, and have initiatives in-progress which address all the goals. Action plans have been prioritized, but clearly, we have a lot of work to do.

I am somewhat of a driven person, and often impatient, as we know the cyberthreat is real and continuing to become more complex. I often have to remind myself that information and cybersecurity is a journey, not a destination. There is no perfect security. While we will all strive for perfection, we must recognize that our focus needs to be on continual improvement and ongoing risk reduction.

Will we finish everything in the strategy by Jan. 1, 2020? I think we will have completed many initiatives and improvements driven by the action plans. But we don’t consider the strategy to be a "one-and-done" document. It’s our first of many versions that will guide us toward a more cybersecure Illinois.

DL: Is there anything else you want to tell readers?

KL: I would like to ensure that credit due is given to those who really made this happen. From the governor through the secretary to our business executives, agency chief information officers and information security and other IT staff, the strategy is their work. We have had tremendous support from the National Association of State Chief Information Officers (NASCIO), the National Governors Association (NGA), the chief information security officers from other states across the nation and very importantly, the dedicated staff of the DoIT Division of Information Security. They did this. I’m just lucky to be able to write about it.

DL: I want to thank Kirk for taking the time to answer my questions.

I urge readers to take a look at what Illinois is doing, both with cybersecurity and in many other technology and innovation areas highlighted at their website. Their leadership team, starting with State CIO Hardik Bhatt, is very impressive. Most of all, I see Illinois aggressively moving forward in areas ranging from legacy systems to cutting-edge Internet of Things (IoT) applications.