Pounding the Information Security Beat

New York takes the security lead with the first state and municipal information-security officers.

By John Marcotte | Technology Editor

It took New York state's freshly minted Information Security Officer Laura Iwan just two months on the job before she felt the love. Unfortunately, it was the ILOVEYOU virus.

"We have a discussion list for all ISOs [Information Security Officers] in state agencies. We routinely post things that we think are of interest that they should be aware of. As soon as we got word about the Love Bug, we broadcast the word out to the agencies -- but it was already too late," she said ruefully.

Iwan, a lifetime civil servant with 12 years' experience in information security, didn't single-handedly stop the Love Bug virus in its tracks. But her office provided a centralized source for the distribution of information, and after her baptism by fire she has plans to improve how the state handles the next security hole that crops up. After the virus hit, Microsoft released a security patch for Outlook. "[Our agencies] were all in competition with the rest of the world trying to download these patches as soon as they became available," she said. The congestion delayed the implementation of the fix. Next time, Iwan plans to download a copy of the patch and distribute it via the statewide intranet.

Information security officers are an old idea in the private sector, but New York is the first state to create the position. "Security has always been a focus for the office, since we were a taskforce," said Will Pelgrin, executive deputy commissioner of the Office for Technology (OFT). "As we decided to move forward, we decided that a statewide approach with a statewide security officer made sense."

"Security is becoming a much higher priority," Tom Duffy, deputy director of administration of the OFT, said. "With Y2K behind us, we are starting to focus more on security, as I assume all public and private institutions should be doing."

One public institution that focused on security even earlier than the state is New York City. It has been more than a year since NYC created its own information security officer, a first for any major city.

"We meet with [the city] regularly to talk about common issues or joint initiatives," Duffy said. "They're developing a security office also, [but taking] sort of a different approach than ours."

The Naked City

The difference in approach could be attributed to a difference in organization. Iwan's office is organized under the state Office for Technology, an IT management office. The chief information security officer for the city, R.A. Vernon, works for the Department of Investigations, a law enforcement agency.

"The approach that the state is using is the approach that has been used historically," Vernon said. "Information security has for the most part always fallen under an IT director or CIO. It wasn't until three or four years ago that the private sector started to look at the position a little bit differently."

"It's not good enough to just develop standards and set them out there," he said. "You really have to take time to educate and re-educate your population, so that they have a true appreciation for the things you're asking them to do."

Vernon came from the private sector, where he was information security officer for several banks and large corporations. Although he feels the challenges facing the private and public sectors are similar, Vernon admits that he was not quite prepared for dealing with governmental bureaucracy. "It's been a culture shock," he said dryly.

But he adapted quickly and has been instrumental in expanding and redefining the role of an information security officer.

"The position in the minds of the individuals that were trying to push this thing forward was stated as the Internet Security Officer or something like that. So it was very Internet focused," he said. "The city is moving rapidly to becoming an e-government. They had concerns with being on the Internet, so that was the slant they put on it."

Inside Jobs

"Once I got in, I had to go through a process of educating everybody that the Internet is a small piece of a bigger pie," Vernon continued. "Information security has a broader spectrum. People have always used this clich
With more than 20 years of experience covering state and local government, Tod previously was the editor of Public CIO, e.Republic’s award-winning publication for information technology executives in the public sector. He is now a senior editor for Government Technology and a columnist at Governing magazine.