California Security Chief Aims to Secure Social Networks, Teleworkers

CISO Mark Weatherford prepares strategic security plan for California.

by / August 31, 2009

In 2008, Mark Weatherford became California's chief information security officer (CISO). He directs the state's Office of Information Security, which is responsible for ensuring the confidentiality and security of state government computer systems and information. Before going to California, Weatherford served as CISO of Colorado.

What's at the top of your priority list?
The biggest thing I'm working on right now is a strategic plan that will lay out where we're going to take the state in the next five years. I'm aligning that very closely with [state CIO Teri Takai's] strategic plan, which she released earlier this year. We're also creating a new complement of state enterprise security policies. State agency CIOs tell me that's what would help them the most - consistent policies that let them know the direction the state is heading and what's expected of them.

How are you dealing with use of social networks by state employees?
Most of the issue is going to come down to how employees take advantage of social networks and how they do it in a way that doesn't compromise the state in any fashion. I think it's very important that California leads the way in some of these things. We're going to jump out in front of this and get something in place that allows state employees to use social networks. It's going to be my job to figure out how we can safely and securely implement these technologies in state agencies because in a couple of years we're not going to have this discussion anymore. This is going to happen. We just need to make sure we're doing it properly.


Video: California CISO Mark Weatherford discusses social networks and other security challenges.

How will you ensure security for remote workers?
The state is taking a two-pronged approach. There is the human resources component of teleworking, which is not really my bailiwick, but there are also the security controls. You need the proper security controls and security devices in place to make sure you're doing telework appropriately. We've been working on that. We're in the final stages of vetting a security standard for telework.

Can you improve security by demanding more secure products from vendors?
We're discussing that right now. We're talking with Microsoft about creating a California standard desktop configuration, so when we then go out to our PC providers, we just tell them what operating system load we want. We would get a hardened operating system right out of the box, so of the hundreds of different variables available on an operating system, it will come locked down and hardened.