The best in all fields lead by example. And winners of the 2014 Cybersecurity Leadership and Innovation Awards marked those in state and local government and education who have, in recent years, driven forward cybersecurity efforts in their own communities, and also led American government at large. The Center for Digital Government, the research arm of Government Technology's parent company, e.Republic Inc., recognized the best public-sector cybersecurity professionals in the nation at the FOCUS 14 Security Conference in Las Vegas on Oct. 28.
Among those recognized for excellence were Maryland Gov. Martin O’Malley, the Commonwealth of Pennsylvania’s Enterprise Information Security Office, the city of Dallas, Florida International University, Stanley Jorocki of the Phoenix Children’s Hospital, and Joe Panora of the California Department of Corrections and Rehabilitation.
“This year’s winners demonstrate they are serious about cybersecurity defense by putting into place systems, practices and policies that detect and mitigate vulnerabilities, keeping information safe for citizens,” said Center for Digital Government Executive Director Todd Sander, who congratulated award recipients for succeeding in the face of a growing cybersecurity threat landscape.
O’Malley, who received the Cybersecurity Leadership and Innovation Lifetime Achievement Award, has led his state to cybersecurity greatness, namely for implementing the National Governors Association’s “Call for Action” for cybersecurity in state government, appointing the state’s first director of cybersecurity, launching a program requiring every Maryland state agency to execute an annual vulnerability assessment, working regularly with the National Guard, and collaborating with partners like the Multi-State Information Sharing and Analysis Center (MS-ISAC) to boost situational awareness.
He has served as co-lead for the National Governors Association (NGA)’s Resource Center for State Cybersecurity since October 2012, and in 2010, he was the recipient of the National Association of State Chief Information Officers (NASCIO) National Technology Champion Award. In 2009, Governing magazine named O’Malley as one of eight "Public Officials of the Year" for his data-driven approach to policy and administration, and in 2003 O’Malley was named one of Government Technology magazine’s Top 25 Doers, Dreamers and Drivers.
In the state government category, the Commonwealth of Pennsylvania Enterprise Information Security Office was recognized for the continued operation of its Commonwealth Application Certification and Accreditation (CA2) Process, which facilitates an annual cost savings of $38 million.
Pennsylvania CIO Tony Encinias brought the idea from the federal government; he spent 21 years with the U.S. Department of Defense before joining state government.
“It’s very fundamental what we’re doing,” he said. “It’s not rocket science. We didn’t reinvent the wheel here. We took best practices of organizations that are doing good things, and this is something that can be repeatable, that other states can do very, very cheaply. It does not cost hardly any money to do this. We did an open-source system for – I don’t know – less than $1,000.”
Cybersecurity always has been and always will be a top priority for him, Encinias said. “Like I’ve always told everyone else, you can have the best services in the world, the best infrastructure, the best network, but if you don’t have security wrapped around that, it doesn’t do any good,” he said, “because we are in charge of critical, sensitive data, and the taxpayers are entrusting us with that data and we’ve got to do everything to ensure that we’re protecting that data the best we can.”
The CA2 process protects state networks by passing every application through a series of scans before they go live, Chief Information Security Officer Erik Avakian explained. “The source code is scanned, the host server or architecture where it resides is also scanned, and then, before any of these scans, the actual architecture of what they’re trying to do is reviewed,” Avakian said. “So it’s really a risk management process, and each phase of the process reduces risk. … I think we’re one of the only states that does a comprehensive review like we’re doing.”
In the county government category, creators of Michigan's Cyber Security Assessment for Everyone (CySAFE) tool were recognized. Led by officials in Oakland County, other participants in the tool’s creation included officials in Livingston, Monroe, Washtenaw, Wayne, and at the state of Michigan.
“What we started talking about was ‘cybersecurity is everybody’s problem,’” said Oakland County CIO Phil Bertolini. “But yet, not everybody understands what they have or what they need, so what we wanted to do was create an assessment that takes care of three things.”
CySAFE first takes inventory of what an organization has, allowing the user to self-assess their resources based on standardized frameworks like those outlined by the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST). Next, the tool provides a prioritized list of what needs to be done. Last, the tool provides links to online resources so users can finish their list.
Built in Microsoft Excel, CySAFE provides a free and simple tool that everyone can use, Bertolini said. “If you think about cybersecurity, one of the main reasons governments don’t know what they have to do or have what they need to do is because it’s very difficult to understand,” he said. “What we did with the CySAFE tool was we broke it down into understandable terms, we got it to a basic level saying, ‘These are the things you need to be at a basic level of security for each of these controls; now go ahead, look at what you have and get the answers you need to move forward.’”
Building the tool was a group effort, Bertolini said, adding that he's honored that the Center for Digital Government saw the need for an awards program in cybersecurity -- and saw that this type of tool is what governments need. “We’re just happy that it was just worthy enough to receive an award,” he said.
In the city government category, Dallas, Texas, was recognized for securing the private health information of its citizens. The Dallas Communications and Information Technology group purchased 70 ruggedized laptops for 850 first responders and equipped them with security features to protect citizen information in the event of loss or theft. The group also developed standard operating procedures for events and trained users, which led to a reduced risk of Health Insurance Portability and Accountability Act (HIPAA) fines, while protecting citizen health information.
In the education category, Florida International University (FIU) was recognized for its commitment to greater data security, namely for implementing McAfee ePolicy Orchestrator (ePO) to centralize security management and launching a bring your own device (BYOD) program that handles 30,000 devices daily. FIU is also one of the first public universities in the U.S. to offer graduate and undergraduate programs with a cybersecurity concentration.
Two Cybersecurity Leadership/Innovators Awards also were presented.
One was given to Stanley Jorocki, director of information technology security at the Phoenix Children’s Hospital (PCH) for launching a disaster recovery and business continuity planning program at PCH, implementing a new Internet gateway protection system, and designing and building the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Another Cybersecurity Leadership/Innovators Award was presented to Joe Panora, CIO at the California Department of Corrections and Rehabilitation and director of Enterprise Information Services. In recent years, Panora has overseen a project portfolio valued at more than $800 million. Projects led by Panora include a new enterprise resource planning system, and the Strategic Offender Management System, a centralized offender database and management system that saves $4 million annually. Panora was named as a Government Technology Top 25 Doer, Dreamer and Driver in 2013.
2014 marked the fourth annual iteration of the Cybersecurity Leadership and Innovation Awards.