It hasn’t taken long for Jonathan Trull to make his mark as chief information security officer of Colorado. Since coming aboard late last year, Trull has identified Colorado’s cyber defense problems, written a strategic plan to address them, and fostered a collaborative environment to help change how state government leaders view IT security issues.

The approach is a change of pace for the state. Formerly an auditor with the Colorado State Auditor's Office, Trull evaluated Colorado’s IT systems and saw first-hand that some officials were more concerned with documenting security gaps than with taking steps to close them. Some of those security holes were discovered a few years ago, when the state underwent a penetration test of its network. The results weren’t good, and Trull confirmed them in a further evaluation last year.

“There were big barn doors left open,” said Alan Paller, director of research for the SANS Institute, a research organization focused on IT security. “And they were left open because his predecessors had spent all their money on writing reports.”

That should no longer be the case with Trull in charge. “I really felt like my security team was spending 80 percent of their time on compliance issues and about 20 percent on really pushing out hard, hands-on technical security tasks and functions,” Trull said. “My goal for the strategic plan [is] to really flip that.”

By June, Trull and his team hope to complete the first five of the 20 critical security controls outlined by the SANS Institute’s Center for Strategic & International Studies (CSIS). The first steps include comprehensive inventories of authorized and unauthorized devices and software, secure configurations, continuous vulnerability assessment and remediation, and malware defenses.
By focusing on hardening systems and low-hanging fruit, Trull believes many potential security risks will be mitigated with relatively minor effort and without significant expense.
Meeting of the Minds
Trull’s plan wasn’t developed in a vacuum. When he took on the CISO job, one of the first things he did was form the Colorado Information Security Advisory Board. Consisting of “20-to-30” IT security experts in both the public and private sectors, the group flew into Colorado on Nov. 29, 2012, to discuss cybersecurity best practices.
With a variety of ideas on the table, Trull narrowed the focus down to a simple question: With a limited budget, what are five things I can do quickly that will result in the greatest reduction of risk?
Rick Dakin, CEO of Coalfire, an independent IT audit and compliance firm, was one of the attendees at the Nov. 29 meeting. He called it a “spirited discussion,” in which Trull and his team acknowledged that the state’s IT systems had serious vulnerabilities they must tackle.
The consensus was to adopt the SANS Institute’s CSIS controls and optimize Colorado’s security environment before doing anything else.
Paller, another member of the Colorado Information Security Advisory Board, called Trull’s decision a “180-degree turn” from what Colorado had been doing previously. Paller said many other IT organizations spend almost their entire budgets on writing reports about security that don’t make anyone better off.
He added that Trull is in a great position to get results with a hands-on philosophy.
“They’re quick wins within the first four,” Paller said of the CSIS controls Colorado is implementing. “Each of the controls has multiple steps in it. Some that are real easy, some that are harder. He’s doing some of the very specific ones that have the highest impact.”
Taking an inventory of all devices on Colorado’s network is one of those first steps. Identifying which state-issued computers and smartphones access the state’s computing grid shouldn’t be hard. But it’s not as simple as it sounds.
Colorado is also in the midst of developing a BYOD policy, which may up the difficulty level quite a bit with an influx of personal tablets and other devices that aren’t as secure. Trull said the goal is this: If a device comes on the state’s grid that is not managed by the IT team, he wants it identified and quarantined off the network or managed within 48 hours.
“Our goal is to do this without stopping innovation and I think that we can -- and we have to do it without preventing people from doing their work,” Trull added.
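The device-inventory goal Trull describes, identify anything on the network that the IT team does not manage and get it quarantined or enrolled within 48 hours, comes down to reconciling two lists: what the managed-asset inventory says exists and what network discovery actually observes. The following is an added example, not code from the article or from the State of Colorado, and everything in it is constructed: a tiny MAC-keyed inventory, a four-line discovery export, and an assumed report time. It sorts observed devices into three worklists (unmanaged but still inside the 48-hour window, unmanaged and past it, and inventory entries discovery never saw) so a team can track the SLA rather than just the raw device count. MAC addresses are used as the identity here only because that is what discovery tools usually export; a device can change or randomise its MAC, so this is a reconciliation aid for the inventory control, not the enforcement mechanism that keeps an unmanaged device off the network.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample data (not Colorado's real records): the managed-asset
# inventory the IT team maintains, keyed by MAC address.
MANAGED_INVENTORY = {
    "00:11:22:33:44:01": "laptop-ops-0192",
    "00:11:22:33:44:02": "phone-hr-0044",
    "00:11:22:33:44:03": "printer-dmv-07",
}

# Constructed network-discovery export: mac,ip,first_seen,last_seen (UTC).
DISCOVERY_EXPORT = """\
00:11:22:33:44:01,10.20.1.15,2013-03-01T08:00:00Z,2013-03-04T09:30:00Z
00:11:22:33:44:02,10.20.1.16,2013-03-02T11:00:00Z,2013-03-04T09:45:00Z
AA:BB:CC:DD:EE:01,10.20.1.90,2013-03-03T20:00:00Z,2013-03-04T09:00:00Z
AA:BB:CC:DD:EE:02,10.20.1.91,2013-03-01T07:00:00Z,2013-03-04T09:10:00Z
"""

# Assumed time at which the report is generated.
NOW = datetime(2013, 3, 4, 10, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Observation:
    mac: str
    ip: str
    first_seen: datetime   # first time discovery saw this MAC on the network
    last_seen: datetime


def _parse_ts(text: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the export."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_discovery(export: str) -> List[Observation]:
    """Parse the discovery export. MACs are lower-cased so that a case
    difference between the discovery tool and the inventory never hides a match."""
    observations = []
    for line in export.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        mac, ip, first, last = (field.strip() for field in line.split(","))
        observations.append(Observation(mac.lower(), ip, _parse_ts(first), _parse_ts(last)))
    return observations


def triage(observations: List[Observation], managed: Dict[str, str],
           now: datetime = NOW, sla: timedelta = timedelta(hours=48)) -> dict:
    """Split what discovery saw into three worklists:
      pending    - unmanaged, first seen less than `sla` ago (enrol or quarantine it now)
      quarantine - unmanaged and on the network longer than `sla` (the 48-hour goal is missed)
      stale      - in the managed inventory but never observed (inventory drift to investigate)
    """
    managed_macs = {m.lower() for m in managed}
    seen_macs = {o.mac for o in observations}
    pending, quarantine = [], []
    for obs in sorted(observations, key=lambda o: o.first_seen):
        if obs.mac in managed_macs:
            continue
        (quarantine if now - obs.first_seen > sla else pending).append(obs)
    stale = sorted(managed_macs - seen_macs)
    return {"pending": pending, "quarantine": quarantine, "stale": stale}


if __name__ == "__main__":
    result = triage(parse_discovery(DISCOVERY_EXPORT), MANAGED_INVENTORY)
    for bucket, items in result.items():
        print(f"{bucket}:")
        for item in items:
            print("  ", item.mac if isinstance(item, Observation) else item)
```

Run against the constructed data, one unmanaged device lands in the pending list (seen about 14 hours ago) and one in the quarantine list (on the network for roughly 75 hours), while the printer that the inventory claims but discovery never saw is reported as stale. The stale list matters as much as the other two: an inventory that lists devices nobody can find is exactly the kind of report-only artifact the article criticises, and checking it against live discovery is what makes the inventory a control rather than a document.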
Paller and Dakin agreed that the greatest challenge in front of Trull is convincing decision-makers that cyber threats are real and need to be taken seriously.
Dakin felt that whether it is state government, a hospital, bank, or major corporation, unless the organization has a “near death experience” where their systems go down hard, the disbelief in cyber attacks will continue.
“Tackling patch management, system configuration, vulnerability detection and monitoring will raise the awareness of the disbelieving,” Dakin said. “So it’s almost like this program’s going to be effective in spite of the lack of total support and buy-in for how serious the threat is.”