The best in government cybersecurity were recognized at the Center for Digital Government's fifth annual Cybersecurity Leadership and Innovation Awards, presented on Oct. 27 during the FOCUS 15 Security Conference in Las Vegas.
Winners -- chosen in four organization categories for their progressive cybersecurity strategies -- were the state of Colorado for Secure Colorado, the state's first strategic cyber plan; Maricopa County, Ariz., for its cyber security performance measurements; the city of Los Angeles, Calif., for its Integrated Security Operations Center; and Boston Medical Center for the Security Risk and Compliance Program, which saves $1.3 million annually.
Winners were selected for their achievements during the past two to three years as they pertain to the advancement of cybersecurity. Demonstrations of leadership, innovation and creativity were valued highly by the judges' scoring criteria.
In addition to organization awards, three individuals were awarded for their achievements in leadership and innovation.
Susan Blanton, senior director of Production Control at Dignity Health, was recognized for her decades-long career of support team leadership, ensuring business and technology owners understand and manage security tools that solve crucial challenges.
Ricardo Lafosse, chief information security officer for Cook County, Ill., was recognized for developing the county's first Information Security Office and managing the funding to secure a massive span of critical infrastructure. Lafosse also built relationships with partner agencies and vendors and attained executive support, creating a collaborative environment that allowed the county's current cyber efforts to thrive.
Kirk Davis, director of information security services at Vidant Health, was recognized for overseeing staff that encrypted more than 2,000 devices across two hospitals in just 24 hours. Davis also ensures the security of innovative devices like the Da Vinci Surgical System, an artery cauterizing device, while maintaining constant network connections that ensure the medical staff can do their job, which is to promote health and save lives.
The government organizations that do cybersecurity best share a common factor, which is that they closely monitor and measure their ability to secure against threats so that they may continue to improve their technology and processes.
Maricopa County, Ariz., does this, and that's how it managed to reach where it is today. The county maintains performance measures for its cybersecurity processes that allow management to make intelligent decisions and allocate resources to those pieces of the organization that need it most.
An organization needs to understand the threats it faces before building technologies and processes that work, said Michael Echols, Maricopa County's chief information security officer.
"What I've seen a lot of places is that people will say that 'we don't have any threats' and it's because they don't have the capability to detect the threats," he said. "So you have to engage vendors for that and understand what solutions are available. And then test the solutions and make sure they're doing what the vendor says, but more importantly, now that you have that capability, you have to track the performance of it."
According to security firm CyTech Services, more than 93 percent of breaches are detected by organizations external to the one being attacked. But, Echols said, even getting the technology needed to secure the organization requires cooperation and support from stakeholders, and that's most easily accomplished through the relay of concrete facts.
"When you're looking for exposures, you want to make sure that you're articulating what the exposures are to the business stakeholders," he said. "So you're not just identifying a bunch of vulnerabilities and pulling up tickets, but you actually engage a department and say, 'Hey, this is what the exposure level looks like for your department based on the types of services that you offer.'"
When Echols wants to impress upon an agency the threats they face, he quantifies it. He counts the services they offer that support county initiatives, draws associations between those services and county applications, and connects those applications to county infrastructure. Then he can rank the exposure level an agency faces and explain to what degree they're exposed and how they might fix it. He said he also looks for sensitive data records, and does some multiplication to demonstrate to the agency how many millions of dollars they stand to lose if those sensitive records are exposed.
"It gets them involved in the process, because when they see those types of things, the risk is understood," Echols said. "That's what's missing in the security industry."
Colorado's first strategic cyber plan, Secure Colorado, was implemented in 2013, and has reduced malware infestations through risk measurement and monitoring by more than 75 percent, the equivalent of $830,000 in cost avoidance and savings.
The state has tools across all 17 executive branch agencies, said Deborah Blyth, Colorado's chief information security officer, which enables her office to monitor and rank each agency against a standardized index.
"We are able to report the level of risk to our agencies on a monthly basis and we can show them how they stack up against other agencies, how many audit findings they have outstanding," Blyth said, adding that before Secure Colorado, the state had varying measurement processes across agencies, which made it nearly impossible to make a fair assessment of how each agency stood relative to the others.
To organizations looking to improve their cybersecurity operations, Blyth recommended picking a framework that is proven to reduce risk.
"For the state of Colorado, we picked the 20 critical controls for effective cyber defense, which we felt like was a framework that really helped us to hit those highest, most effective controls to prevent data breaches," she said. "And then because we picked a framework, we can now measure ourselves at how well we're doing at implementing that framework."
Blyth also recommended taking a long-term approach to cybersecurity, because it's not a task that's ever finished.
"Security is not a six-month project or a 12-month project or even a three-year project; you have to create for yourself a multiyear strategy for how you are going to continuously evolve and mature your security program," she said. "Being able to establish what the multi-year roadmap looks like is why we've been able to be successful in getting the support, the executive buy-in, we needed, as well as getting the funding we needed, because we were able to outline a clear picture of what it was we were trying to do and how we were going to get there."
The city of Los Angeles was recognized for its Integrated Security Operations Center (ISOC), a first step toward the city's goal of cybersecurity omniscience. The facility includes a security operations and incident management system, a status dashboard and alert indicator with real-time attacks. The center provides a starting point for regional collaboration, and is a platform for further cyber defense projects to come months and years in the future.
Putting together the ISOC was challenging, said city chief information security officer Timothy Lee, because there are so many stakeholders and departments involved.
"How do you come up with a solution that your stakeholders will feed all their security logs to your ISOC? Collaboration is the key factor in this project," he said. "From the beginning -- design, brainstorming -- you want to have these stakeholders involved from the design phase, and then make sure you're addressing their concerns, their needs before you roll out the actual project plan. That's what we did."
Winning an award like this means a lot to the city, Lee said, and it affords them an opportunity to share what they've learned.
"I went to a lot of events and shared about this project and so many organizations are interested," he said. "The main thing is they all realize that to do the integrated SOC, cybersecurity collaboration and threat intelligence sharing is very important now."