Ricardo Lafosse, the inaugural chief information security officer of Cook County, Ill., will reprise his role in the private sector after nearly four-and-a-half years at the nation’s second largest county.

Lafosse, who created for Cook County what he told Government Technology was the first Information Security Ordinance “that we know of” at a state or local agency, will join Chicago-headquartered investment research and management company Morningstar Inc. on Monday, Sept. 11 as its CISO. 

He gave three-and-a-half weeks notice in August and his last day as Cook County CISO will be Sept. 8, Lafosse said.

The CISO said working for Cook County has been a tremendous opportunity to build a program from scratch for a large organization — coordinating large cybersecurity initiatives quickly and building stakeholder relationships.

Among his key accomplishments were authoring the county’s 2014 Information Security Ordinance, which enhanced accountability for agencies across the enterprise; re-architecting the county’s entire cybersecurity endpoint infrastructure; and developing its first threat intelligence program to support local municipalities.

Along the way, Lafosse noted, the county gained national recognition as a thought leader in cybersecurity.

The Center for Digital Government, a national research and advisory institute on information technology policies and best practices in state and local government and a division of Government Technology's parent company, e.Republic, recognized Lafosse as an innovation leader in 2015.

In 2016, the Center recognized the Cook County Department of Homeland Security and Emergency Management, Information Security Office for developing its threat intelligence platform to assist smaller jurisdictions.

Lafosse emphasized that he didn’t merely work to improve cybersecurity and IT best practices, but collaborated closely with agency heads to change Cook County culture.

“When I first started at the county, there were no cybersecurity programs. It was ad hoc efforts from various, different organizations. My first year, year-and-a-half was relationship building and really integrating myself within each Cook County business so I would have that stakeholder support when I really kickstarted my program,” said Lafosse, who had been manager of information security at the Rehabilitation Institute of Chicago for more than a year before joining the county.

Getting to know agency officials educated him on their cybersecurity needs and helped him demonstrate how taking a stronger security posture could help their work.

“My cybersecurity programs are a lot more effective because I’ve made that cultural change,” Lafosse added.

He described himself as a huge advocate of data-driven security, of identifying an agency’s “crown jewels” of data, classifying their criticality, location and access points; and said he’d transformed the CISO role at the county to one that is “co-mingled” with agencies, with the board, and with IT.

His No. 1 piece of advice for Cook County’s next CISO was to be fluid — that security isn’t “cookie-cutter”; and, as demonstrated by ransomware, “what you believe is correct in one day, two days from now can be completely different.”

Lafosse emphasized that a CISO should never accept risk, but rather, make agency heads aware and accepting of risks they may create through their own cybersecurity postures. He also advised the county’s next CISO to hone diplomacy and relationship-building skills, and to “know your industry.”

By being educated, he said, a CISO can pivot easily, speaking to engineers as fluently as board members and tuning the message accordingly.

It’s likely, Lafosse said, that Cook County’s next CISO may face operational efficiency challenges given the county’s size and scope — encompassing 1,635 square miles and serving more than 5.2 million residents.

Keeping its culture in the right place and putting cybersecurity first and foremost is “absolutely critical,” he noted.

“Most CISOs experience very similar issues or roadblocks, just with different people in a different environment,” Lafosse said. “If you understand and believe in cybersecurity and understand how the business functions, any CISO can be successful as long as they have the support, knowledge and desire to push cybersecurity forward."