State cybersecurity officials have an ever more visible job to do, with an increasing amount of attention focused on shoring up the vulnerabilities that jeopardize citizen information and government systems. Far outlasting the tenure of the average chief information security officer, Missouri CISO Michael Roling has been on the front lines of the conversation since he assumed his current role in 2009. The state is working on getting ahead of what Roling calls the “growing attack surface” represented by diversified IT infrastructure. Missouri is looking at expanding its cyber-response capabilities into an around-the-clock operation — a prospect that also has him considering managed services to augment in-house employees. We talked to Roling about how he makes sure his staff, and the state workforce in general, is prepared for today’s threats.
1 // How would you describe the current threat landscape?
The threat landscape has changed so much in the last five years, from the explosion of the Internet of Things to the adoption of the cloud. In addition, our end users are becoming more targeted by our adversaries. They understand the potential weakest link in any government is going to be that end user, so they’ve been going after them extremely hard with sophisticated phishing attacks.
2 // What does your internal cybersecurity training program look like?
We run a monthly internal awareness program, about 15 to 20 minutes long, and each lesson covers a different topic. We have seen heightened awareness throughout our enterprise because of this program. One of our best intrusion detection systems has become our end user because we know whatever they’re seeing has made it through our advanced security stack. We’ve made a lot of great investments over the years, but still, the most advanced will make it to the end user, and we’re able to take action on that because of all the awareness that we’ve been doing.
3 // What is Missouri’s approach to filling cybersecurity positions?
We’ve had zero percent turnover in the last seven years, and I attribute that to the team environment that we’ve created. I’ll admit that being in government, we can’t compete with the private sector. That is a big obstacle for anyone in my position. We institute job rotation, which I think helps. It helps with burnout; it helps with quickly onboarding new employees. That has been a key factor in keeping our retention as high as it is.
4 // How will you recruit new cybersecurity talent when turnovers do start to happen?
As we expand our team and bring on new staff, I do weight internal employees higher than external. They understand the organization. They understand who to quickly communicate with, so that onboarding process is much quicker. We do hire externally, but I look internally first. Do they come with a cybersecurity background? Not necessarily. … Our end-user support team that handles tech support issues daily, they tend to have all of the key traits I’m looking for. They’ve become great communicators, and their ability to troubleshoot is high, especially the ones who are more experienced. Those same troubleshooting skills can cross directly over to cybersecurity in many ways.