In a survey of government chief information officers (CIOs) released back in November 2016, the National Association of State Chief Information Officers (NASCIO) again selected security and risk management as the top priority for state government technology in 2017. This finding is consistent with the Digital States Survey, which also showed cybersecurity as the top priority for government technology leaders for the foreseeable future.
Not surprisingly, this focus on cybersecurity goes back several years in the public and private sectors, but how does this really impact organizations in practical terms? Which online threats worry state government cybersecurity leaders the most? What projects are at the top of the technology and security “to do” list for 2017?
To answer these questions and more, I brought together four of the top government chief information security officers (CISOs) in the nation to discuss what’s hot and what’s not in their corner of cyberspace. Each of these experts has a demonstrated track record of security success, and they continue in their roles even after staff reshuffles and technology leadership changes in their respective states.
Also, each of these government leaders has been introduced (and interviewed) in the past in a Lohrmann on Cybersecurity & Infrastructure blog, so I will point you back to that material if you would like to learn more on their career backgrounds and professional expertise.
My virtual CSO roundtable discussion (which actually occurred on the phone and via online discussions and emails) included:
— Mike Roling: Chief Security Officer for the state of Missouri government. For more on his background, Mike and his CIO boss at the time were interviewed by me back in March 2015.
— Agnes Kirk: Chief Information Security Officer for the state of Washington government. For more on her background, Agnes and her state CIO were interviewed by me back in April 2015.
On to the CSO RoundTable Interview to Kick-off 2017:
Dan Lohrmann: As the CISO of your state, what are your three top priorities for calendar year 2017?
Elayne Starkey, Delaware CISO: Good timing, as my team is just wrapping up our strategic planning effort.
1. Reduce Threat Exposure — we want to spend most of the time here and #3. Root out and plug vulnerabilities; application scanning; maintain a security aware workforce
2. Enhance Response/Recovery — continue DR, COOP, cyber exercises; practice what we never want to happen!
3. Increase Visibility — add new tools to the toolkit to increase visibility to threats and weaknesses across the network
Mike Roling, Missouri CISO: Thanks for the opportunity to participate. Here are the top priority projects in Missouri cybersecurity:
1. Implement recommended actions within the Missouri Cybersecurity Task Force’s Action Plan
a. Consisting of members from every major industry, the Task Force drafted an action plan on how Missouri (not just state gov) can elevate its security posture
— Focus on STEM, raise awareness, leverage existing resources, identify organizational risk
b. The Office of Cyber Security is developing a plan to expand its services and offer them to local government
— Over 90 percent of orgs surveyed said they had an interest in receiving state gov cybersecurity services
2. Deploy security controls and processes within cloud environments
a. We’ve embraced several cloud services including Box and Skyhigh to deliver business processes more securely
b. We’ll be focusing on prepping environments out in AWS and Azure that are protected by our security stack
3. Continued focus on awareness throughout every level of state government
a. Awareness is one of the key pillars of our cybersecurity plan and always will be
b. Enabling a human intrusion prevention system is something to behold
As a side note, a local media outlet ran with our cybersecurity task force action plan here.
Agnes Kirk, State of Washington CISO: Thanks Dan. Always great to reconnect with you and CISO colleagues.
1. Red team — the application threat vector continues to be lucrative for bad actors. We will be taking a holistic approach with a red team that includes normal pen testing, but also helping agencies remediate vulnerabilities, retesting, training security teams across the state on detecting and defending their network resources
2. Continue to build on our partnerships at the local, regional, state and federal level. We recognize that our partnerships are significant force multipliers. That includes local information sharing, leveraging the MS-ISAC community of state partners and our federal relationships with DHS, FBI, US-CERT, etc.
3. We will be revisiting our legacy third-party partner contracts to ensure they meet the security requirements to protect our constituent data. As with all of our information, we need to continually ensure we maintain the appropriate level of security controls regardless of where the data is housed.
Chris Hobbs, Nebraska CISO: Great to be a part of the conversation. (Side note: Chris joined the call from a skiing vacation in Colorado. Extra thanks go out to him and his family for the time given.)
1. Update all Nebraska Information Technology Commission (NITC) information security policies. The NITC is the commission responsible for all information security policies applied to Nebraska government state agencies. Our goal is to have the policies and standards revised and organized in a more efficient manner following the NIST framework and guidelines.
2. IT consolidation including security.
3. Risk Assessments — Azure/new data centers.
Dan Lohrmann: What one cyberthreat that you saw in 2016 worries you the most about 2017? (Optional extra on this question: Are there any steps you are taking to address this particular cyber risk?)
Elayne Starkey: Delaware’s IT centralization program resulted in the inheritance of many applications written by others, so many years ago. We now have a renewed focus on application security scanning for both new and legacy apps.
Mike Roling: The Mirai botnet definitely got my attention last year after it successfully took down Dyn and impacted many popular Web services. I foresee insecure IoT devices, the core of the Mirai botnet, being used a lot more in 2017 to carry out DDoS attacks.
We’ve taken steps to mitigate DDoS attacks by leveraging cloud based anti-DDoS solutions. However, Mirai garnered the attention of even the biggest anti-DDoS players out there. 2017 will be an interesting year.
Agnes Kirk: The sophistication and frequency of phishing emails attempting to download ransomware. It’s a problem that affects organizations of all sizes and sectors. Government isn’t exempt. Without the advanced threat detection tools we have in place, our story would be very different. This issue is not going away.
Chris Hobbs: APT / phishing – We continue to see many phishing campaigns attacking our staff.
Dan Lohrmann: How has your CISO role evolved over the past few years in your state? Also, how do you see things changing further over the coming few years as we head toward 2020?
Elayne Starkey: I am spending more and more of my time “in the cloud,” whether it is vetting cloud T&Cs with SaaS vendors or mapping our plan to move to IaaS. Cloud, Cloud, Cloud!
(Side note: Back in 2011 when I was Michigan CSO, Elayne and I appeared on a CIO Talk Radio podcast on securing cloud computing. It is an interesting comparison with where we are today. Overall, some progress, and some setbacks.)
Mike Roling: My team’s role has changed in many ways; here are a few:
— Risk reduction focus
— Become the department of “yes.”
— More human and process focused.
— Public safety is now front and center with IoT and OT.
Agnes Kirk: The chief information security officer position has evolved into a much higher-profile job in recent years, both in terms of news media coverage and from a public policy standpoint. As security has moved from a technology issue to a business/boardroom issue, the CISO must understand the mission of their organization and how to support it. Our role has moved from being viewed as the barrier to being the enabler. We must enable the mission, reduce organizational risk, protect reputation and reduce cost.
The constant barrage of stories about public- and private-sector breaches exposing personal information, and the high-profile hacks of email accounts has led to increased awareness of cyberthreats. Our role is increasingly one of educator — at all levels.
I expect our state, and others, will continue to enhance safeguards to protect personal information stored on state networks and take additional steps to protect critical infrastructure and ensure the continuity of commerce.
Chris Hobbs: The CISO role for Nebraska is moving more toward policy based functions and collaboration with agencies and third parties. The CISO is moving away from operations roles and streamlining the job obligations associated with the role. Coordination of security efforts across all stakeholders is key.
Dan Lohrmann: My sincere thanks to Elayne, Mike, Agnes and Chris for taking the time to answer these questions. I continue to be amazed by their ongoing leadership through tough times in cyberspace at the state government level.
Wrap-up & Final Thoughts
You may wonder: What is missing from the CISO action lists, in my opinion?
First, these are leading states with very mature security programs that have been working cybersecurity priorities for years, so you wouldn’t expect to see every top agenda item every year.
That being said, I asked them whether their states were thinking of implementing coordinated vulnerability management programs (or “bug bounties”) in 2017.
All four of them were very interested and thought this item was definitely on the list. However, bug bounties were not in the top three current priorities for any of them. (They were all conducting research and gathering data on bug bounties.) Further, Elayne said she was fascinated with the recent “Hack the Pentagon” DoD program, and she was discussing the topic with state and federal military officials.
Also, they each were well aware that cyberincidents and unplanned security events can quickly become a top priority. There is always the “we don’t know what we don’t know” factor in their roles.
Each of them expressed a mixture of optimism and pessimism, and there is no doubt that 2017 is shaping up to be another eventful year for cybersecurity pros and global online disruption. The bad guys never sleep — and no group understands this better than CISOs on the front lines of government tech.
We should all be thankful that state government cybersecurity leaders like Elayne, Mike, Chris and Agnes (and other CISOs and security pros in governments around the world) are on the job.