Each year, the Center for Digital Government* recognizes the leaders and innovators in government cybersecurity, and this year's winners were selected based on their efforts during the past two to three years to improve cybersecurity; their impact on the local, state and national scenes; their utilization of technology to achieve results; their creativity and initiative to make change; and their demonstrated leadership to drive change.
Organizational awardees of the sixth annual Cybersecurity Leadership and Innovation Awards were selected in four different categories: city government, county government, state government and education. Winners include Louisville, Ky., for its investment in a modernized cybersecurity program; Cook County, Ill., for its collaboration efforts and information-sharing threat intelligence platform; the state of Indiana for its Information Sharing and Analysis Center; and Oklahoma’s Broken Arrow Public Schools for its comprehensive program that helps protect external and internal threats.
Although the organizational recipients each excelled in different cybersecurity specifics, a common thread among them is their tendency to collaborate with various decision-makers to create innovative programs.
The Indiana Information Sharing and Analysis Center (IN-ISAC), for instance, is a multi-agency initiative between the Indiana Office of Technology and Purdue University. The IN-ISAC provides notifications to local governments and schools either through its own work or through developed relations with the private sector. It also has a number of public partnerships.
“Indiana State Police, Homeland Security, the National Guard and our universities — Indiana University, Purdue and Notre Dame — are cybersecurity leaders in their respective fields,” said IN-ISAC Manager Nicholas Sturgeon. “We have a mix of activities and projects that makes Indiana a hot spot for cybersecurity.”
Sturgeon added that instead of getting lost in the barrage of “shiny objects” that create clutter in the cybersecurity field, he advised narrowing the focus to one or two goals.
“It can be a tall mountain to try to address everything,” he said, “so take what you’re good at and become better at it.”
Prior to 2015, cybersecurity in Louisville, Ky., consisted of one person responsible for securing 6,000 city employees and 10,000 or more devices. There was not a sense of collaboration — or a formal security team. After a $1.2 million investment, today’s cybersecurity program includes a new chief information security officer (CISO), full-time employees and contracted specialists, all with experience in program development.
City CISO James Meece said that one piece of advice he offers to other city governments is not to be afraid to mix on-premises solutions with cloud-based products and hosted security services. In Louisville, such diversification allowed up to 70 percent increased efficiencies in security incident and event management logging, and increased the team’s ability to proactively prevent incidents.
“There is no magic bullet for cybersecurity and there aren’t enough hours in the day to do everything you need to,” he said. “Focus on diversifying your filtering, logging and alerting methods across multiple platforms.”
In Cook County, decision-makers may not have found the magic bullet, but the cybersecurity program is supported and adopted from the top down.
“Cybersecurity must be supported and advocated from the president's office,” said county CISO Ricardo Lafosse. “Without leadership support, your program will fail.”
The Cook County Information Security Office is part of the Cook County Department of Homeland Security and Emergency Management (DHSEM), which prevents, protects against, mitigates the effects of, responds to and recovers from all incidents, whether natural or man-made — including cybersecurity. And cyberthreats are treated as more than just a technology issue.
To that end, the office is developing the Cook County Cyber Threat Intelligence Grid platform for more than 130 municipalities within the county. The platform is designed with the intent that cyberthreat intelligence can be shared quickly, and collaborated on and integrated with various cybersecurity technologies.
“The county has made significant enhancements over the past three years to build a nationwide model for local government institutions,” Lafosse said. “We model our program on people, process and technology through risk-based intelligent decisions and automation.”
And the education sector is not immune to digital threats. At Oklahoma's Broken Arrow Public Schools, CIO Brian Daley suggests beginning cybersecurity strategies with executive leadership in order to direct resources toward personnel and effective cybersecurity measures. The district — which includes 20,000 students, 2,200 staff, 34 district buildings across 115 square miles, 8,000 desktops and 5,000 Chromebooks — operates a comprehensive cybersecurity program that includes logging, auditing, GPS tracking, threat detection and mitigation, and alerts to potentially unsafe sites for students.
“When you have 20,000 students already on your network and with some students being more curious than others, you have to find more creative ways of protecting your environment than maybe other organizations do,” Daley said. “You have to be very nimble and have the ability to change quickly with the current or trending threat. This requires different approaches to endpoint security, monitoring, reporting and alerting that happens on a daily basis.”
In addition to the four organizational awards, the Center for Digital Government is awarding four individuals for their leadership efforts in the categories of local government, state government, critical infrastructure and health care.
In Los Angeles County, CISO Robert Pittman guided the county’s cybersecurity program since its inception in the 1990s — a program that adopted a model called Triangle Defense (TD) that is analogous to the Triangle Offense as designed by the National Basketball Association’s legendary Hall of Fame coach Phil Jackson. Pittman said that TD is a model that facilitates and promotes collaboration, communication, coordination and conflict resolution, and that supports IT security policies.
“The county’s information security program … is constantly evolving where numerous technologies are always being [sought out],” he said, “including developing and/or recruiting security talent to assist in promoting a security culture throughout the organization.”
And in Virginia, CISO Mike Watson, who has served the state during three different governors' terms, was instrumental in two national cybersecurity benchmarks: Virginia was the first state to adopt the National Institute of Standards and Technology framework, and also was the first state to organize as an information sharing and analysis organization.
“Virginia is continuously seeking new opportunities to improve our security capabilities,” he said. “We have a strong information security officer program and will continue that effort. We now require agency heads to be accountable for information security and strive to educate state employees, and citizens through tips on our website and in social media, about the importance of being cybersafe.”
Arthur House, chairman of Connecticut Public Utilities Regulatory Authority and the state's Chief Cyber Security Risk Officer, collaborated with the governor and the General Assembly to create a state strategy that resulted in lowering the risk of widespread utility outages.
“Support from the governor and the legislature was very important,” House said. “Consensus among all three Connecticut commissioners played a positive role, and taking an informal, inclusive and respectful approach to working with the utilities was also key.”
Dr. Shafiq Rab, vice president and CIO at Hackensack University Medical Center in New Jersey, has been a leader in hospitals and health systems for more than a decade. He’s currently a part of the national strategy to create secure, standard e-health records via Internet-based open messaging.
The Cybersecurity Leadership and Innovation Awards will be given on Nov. 2 at the FOCUS 16 Security Conference in Las Vegas.
*The Center for Digital Government is the research arm of e.Republic Inc., which also owns Government Technology.