Imagine this: A cleverly devised email evades your anti-spam filters. It arrives with a malicious link into several thousand state government email inboxes at 2 p.m. on Saturday.

Or, a series of unexpected connections to South America are initiated from inside local government firewalls just after midnight on Sunday.

Or, several large file transfers to Asia containing gigabytes of sensitive data are flagged deep within your system logs at 9 p.m. one evening.

Now some questions: Assuming that your enterprise monitoring systems could learn about these events from key indicators, would the right technical staff be available to take action or start risk mitigation steps? How long would it take? Could your team react in time to stop security breaches from happening?

Our New Normal Is 24/7/365

Cyberattacks keep coming. From spear phishing emails to “drive-by” malware placed on websites to advanced persistent threats, cyberspace never sleeps. Though technology organizations have employed computer operators who work nights and weekends for decades to back up mainframes, manage servers and monitor networks, new security questions are now being asked in governments nationwide.

What can stop this new breed of time-sensitive cyberattacks? Do state and local governments have the skills and expertise (including people, processes and technology) to defend their data, critical infrastructure and systems every day? The bottom line: Does your government need a security operations center (SOC) that operates 24/7/365 to battle cyberattacks?

For a growing number of government executives and cybersecurity leaders, the answer is yes. States like Georgia are connecting their cybercenters with state fusion centers or general network operations. 

What’s Needed in a SOC

What are the essential elements of a 21st-century SOC? While there are many detailed white papers on this topic, it’s essential to outline the mission, objectives, services and responsibilities. I like this mission statement from McAfee: “The SOC is responsible for monitoring, detecting and isolating incidents and the management of the organization’s security products, network devices, end-user devices and systems. This function is performed seven days a week, 24 hours per day. The SOC is the primary location of the staff and the systems dedicated for this function.”

Some services provided by a comprehensive SOC include: status monitoring and incident detection; initial diagnostics and incident isolation; problem correction; computing equipment and endpoint device monitoring; and work with third-party vendors.

Three SOC Implementation Options

The question that faces government teams is how to realign for new cyberattack threats from adversaries that actively seek to penetrate your systems. Should new security capabilities be added to existing mainframe monitoring services or should a new approach be taken?

Three basic options include: building your own SOC with government staff, outsourcing this function, or building a hybrid model with offerings from trusted partners and your team.

First, government enterprises must evaluate whether they have the in-house expertise to build an effective SOC, what types of training might be necessary, and whether they can recruit the right personnel. There are also integrators who can help establish the tools and processes required to maintain SOC operations.

Second, consider companies — like Symantec, McAfee, HP, IBM, AT&T and Unisys — that have been building worldwide SOCs for years across multiple business sectors. Some governments partner with an external company to run these functions. They’re issuing RFPs for a managed SOC service. 

Perhaps the most popular model is a hybrid of government and contractor staff in the SOC. Michigan is following this model as we build new 24/7 cybersecurity capabilities. The Multi-State Information Sharing and Analysis Center, U.S. Computer Emergency Readiness Team and the criminal justice community will also help us in offering security services.

A final thought, regardless of your SOC approach, you can never outsource government’s responsibility to protect citizen data. Public-sector security leaders will be held accountable, no matter which path you chose. My advice: Start thinking about a 24/7/365 SOC.

Dan Lohrmann Dan Lohrmann  |  Contributing Writer

Daniel J. Lohrmann became Michigan's first chief security officer (CSO) and deputy director for cybersecurity and infrastructure protection in October 2011. Lohrmann is leading Michigan's development and implementation of a comprehensive security strategy for all of the state’s resources and infrastructure. His organization is providing Michigan with a single entity charged with the oversight of risk management and security issues associated with Michigan assets, property, systems and networks.

Lohrmann is a globally recognized author and blogger on technology and security topics. His keynote speeches have been heard at worldwide events, such as GovTech in South Africa, IDC Security Roadshow in Moscow, and the RSA Conference in San Francisco. He has been honored with numerous cybersecurity and technology leadership awards, including “CSO of the Year” by SC Magazine and “Public Official of the Year” by Governing magazine.

His Michigan government security team’s mission is to:

  • establish Michigan as a global leader in cyberawareness, training and citizen safety;
  • provide state agencies and their employees with a single entity charged with the oversight of risk management and security issues associated with state of Michigan assets, property, systems and networks;
  • develop and implement a comprehensive security strategy (Michigan Cyber Initiative) for all Michigan resources and infrastructure;
  • improve efficiency within the state’s Department of Technology, Management and Budget; and
  • provide combined focus on emergency management efforts.


He currently represents the National Association of State Chief Information Officers (NASCIO) on the IT Government Coordinating Council that’s led by the U.S. Department of Homeland Security. He also serves as an adviser on TechAmerica's Cloud Commission and the Global Cyber Roundtable.

From January 2009 until October 2011, Lohrmann served as Michigan's chief technology officer and director of infrastructure services administration. He led more than 750 technology staff and contractors in administering functions, such as technical architecture, project management, data center operations, systems integration, customer service (call) center support, PC and server administration, office automation and field services support.

Under Lohrmann’s leadership, Michigan established the award-winning Mi-Cloud data storage and hosting service, and his infrastructure team was recognized by NASCIO and others for best practices and for leading state and local governments in effective technology service delivery.

Earlier in his career, Lohrmann served as the state of Michigan's first chief information security officer (CISO) from May 2002 until January 2009. He directed Michigan's award-winning Office of Enterprise Security for almost seven years.

Lohrmann's first book, Virtual Integrity: Faithfully Navigating the Brave New Web, was published in November 2008.  Lohrmann was also the chairman of the board for 2008-2009 and past president (2006-2007) of the Michigan InfraGard Member's Alliance.

Prior to becoming Michigan's CISO, Lohrmann served as the senior technology executive for e-Michigan, where he published an award-winning academic paper titled The Michigan.gov Story — Reinventing State Government Online. He also served as director of IT and CIO for the Michigan Department of Management and Budget in the late 1990s.

Lohrmann has more than 26 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a U.S./UK military facility.

Lohrmann is a distinguished guest lecturer for Norwich University in the field of information assurance. He also has been a keynote speaker at IT events around the world, including numerous SecureWorld and ITEC conferences in addition to online webinars and podcasts. He has been featured in numerous daily newspapers, radio programs and magazines. Lohrmann writes a bimonthly column for Public CIO magazine on cybersecurity. He's published articles on security, technology management, cross-boundary integration, building e-government applications, cloud computing, virtualization and securing portals.

He holds a master’s degree in computer science from Johns Hopkins University in Baltimore and a bachelor’s degree in computer science from Valparaiso University in Indiana.


NOTE: The columns here are Dan Lohrmann's own views. The opinions expressed do not necessarily represent the state of Michigan's official positions.

Recent Awards:
2011 Technology Leadership Award: InfoWorld
Premier 100 IT Leader for 2010: Computerworld magazine
2009 Top Doers, Dreamers and Drivers: Government Technology magazine
Public Official of the Year: Governing magazine — November 2008
CSO of the Year: SC Magazine — April 2008
Top 25 in Security Industry: Security magazine — December 2007
Compass Award: CSO Magazine — March 2007
Information Security Executive of the Year: Central Award 2006