As CISO of Pennsylvania, Erik Avakian sets the state’s enterprise security standards and policies while aligning with current best practices. He was named to the job in 2010, and today is developing strategies around recent nationwide initiatives that seek to improve security for all states. Avakian recently discussed how these initiatives are influencing work in Pennsylvania during this “very exciting time for security.”
Can you describe your approach to security?
The president’s executive order really [got things rolling with] the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, which was announced in February. Along with that, the National Governors Association (NGA) recently announced a call to action for states for security. We’re aligning with the framework and the NGA’s call to action, and implementing certain things. So we’re taking a snapshot of where we are from a maturity standpoint, and saying here’s how we align and here’s how we’re going to further mature what we’re doing. We’re looking at implementing things like enterprise governance, risk and compliance platforms to get a risk model and scorecard electronically of where agencies are from a risk standpoint. We’re going to put that up on a dashboard so our governor and all the IT staff can see how each agency ranks from a security standpoint and how agencies can improve.
Does working with the National Guard fall into any of your initiatives?
We’re looking to partner with them, and we’ve had some internal meetings. What we see the guard eventually getting the capability for is to conduct risk assessments at the various agencies, which aligns with the NGA’s call to action because one of the things they talk about is risk assessment.
Have you already started identifying the security environment in state agencies?
We’re doing that now but because of the manpower associated with that, a lot of the agencies are getting third-party risk assessments. We also have a self-assessment requirement for each agency and recently completed the National Cyber Security Review that went out to all the states. We had all our agencies fill out that survey to give us a baseline from a self-assessment perspective. Going forward we want to get the guard or a third party to do real assessments to score against where they assess themselves.
How are these nationwide initiatives changing the scope of cybersecurity?
I am trying to align with all of those initiatives from the fundamentals — the strategic plan, the NIST framework, the NGA call to action and what NASCIO is looking to do — and put those things in place to build momentum. One of the great things with the NIST framework is it puts everybody on the same path of what to do for cyber and that’s really going to build momentum for all the states to further mature where they are.