Long Beach Looks for Next Stage in CISO Evolution

The California city is on the hunt for a new breed of cybersecurity professional: the cyber-risk officer.

by / December 27, 2016
Long Beach CIO Bryan Sastokas David Kidd/Government Technology
Long Beach, Calif., isn’t following in the footsteps of so many other cities when it comes to its cybersecurity strategies. Where many government organizations are hiring a chief information security officer (CISO), Long Beach’s Department of Technology and Innovation is looking for a candidate to fill a different kind of cyberposition: the cyber-risk officer.
 
And the concept isn’t just about changing the name and calling it innovative; this role is about looking ahead and “thinking outside the firewall.” 
 
Since early December, city recruiters have been looking for candidates from a wide cross-section of tech-centric sectors, and with a week left on the job posting, CIO Bryan Sastokas is hoping they’ll find a candidate capable of evolving with the times and technology.
 
“We’re trying different approaches to traditional roles that some IT organizations may have. One of the areas here in our security organization is really the traditional CISO, and where we see a CISO moving forward and what its roles really are in the larger technology picture,” he said. “I’m in the camp, and a firm advocate that, I think some of these traditional roles that we see out there today are drastically changing in order to be very effective.” 
 
Sastokas is hoping to get away from focusing so heavily on policy and people training when it comes to the city’s approach moving forward and more toward tools that will help bolster Long Beach’s network defenses. 
 
While telling an employee not to open suspicious emails or go to unsecured sites is already part of the city’s security strategy, Sastokas said he hopes the new risk role will be able to loop in tools like artificial intelligence (AI) and machine learning to help identify bad actors more quickly. By looking deeper at the patterns in user access, data around attacks and other pertinent markers, he believes Long Beach will be better poised to spot anomalies and shore up traditional cyberprotections like firewalls.
 
“I believe there is going to be a big approach leveraging more of that toolset. What can we do around AI? What can we do around machine learning and behavior patterning? I think those types of tools are going to allow us to be more effective in securing our infrastructure,” Sastokas said.
 
The conversation about how to approach the next iteration of the CISO role emerged after Sastokas left Oakland in June 2015 and started looking at how to better position Long Beach’s IT team to succeed.
 
Rather than creating the city’s Cyber Risk Division in response to a breach, Sastokas said the move toward a forward-looking division was a crucial step in preparing for the technologies and threats coming around the bend. 
 
“It was more of a conversation around where we see the industry or these roles adapting into,” he said. “I don’t mind pushing the envelope in some areas of technology, whether that is in regard to the toolset and the deployment of technology or the adoption of more innovative technology or even just the way we change technology to manage individuals and staff and bring them onboard.”
 
So far Sastokas said a healthy mix of professionals from a wide range of professional backgrounds have applied for the position, but he said he would like to see more women and minorities vying for the city post. The final date to apply for the position is Jan. 4. 
Eyragon Eidam Web Editor

Eyragon Eidam is the Web editor for Government Technology magazine, after previously serving as  assistant news editor and covering such topics as legislation, social media and public safety. He can be reached at eeidam@erepublic.com.