Ralph Johnson had some great conversations with CIOs at the National Association of Counties annual conference in July. But the chief information security officer of King County, Wash., did notice one odd fact: “I was the only CISO at the entire conference,” said Johnson. “A lot of large urban counties on the East Coast seem to have CISOs, but the sense I got was that in the Midwest and Western states, that was not the case.” In talking to the IT chiefs, he learned that the counties that do have a CISO have a very small information security staff.
While the role has been inching its way into local government, the view is very different at the state level. As more state governments have recognized the importance of securing information and assets — and high-profile breaches put them in the public eye — there has been a gradual increase in the number of chief security officers (CSOs) and CISOs over the last decade. Today every state has a CSO, CISO or equivalent, according to security experts, which historically hasn’t been the case.
And while the titles include “security,” the job definition varies widely. Some incorporate privacy and audit functions, for example, while others house those responsibilities elsewhere. The role also can differ depending on whether the state takes a centralized or decentralized approach to cybersecurity. In addition, the reporting structure varies, but experts stress that it’s crucial for security officers to report to a senior-level official.
Dan Lohrmann, who recently stepped down as Michigan’s CSO, was in charge of both information and physical security, including badges, cameras and building security, for the state. “The physical security aspect was a huge learning curve for me, but that was great.” He thinks these responsibilities will inevitably merge. “An ID is an ID is an ID,” he said. “You have a picture ID or a badge, access to certain buildings and not others. You have the same things in cyberspace. You can access certain files and not others. There’s provisioning and de-provisioning. If you get to a certain level of sophistication, it is the next natural step that you have to bring these together.”
Many factors influence whether these two functions would be merged. But it’s clear that the interdependencies between cyber- and physical security must be understood, no matter whether an individual’s role covers both or a government has them listed separately on the org chart.
Government Technology spoke with five CSOs and CISOs at the state and local levels about their roles, greatest challenges and lessons learned on the job.
Jay White, director of the Information Security Services Division, Mississippi Department of Information Technology Services
In the position since: 2011
Biggest challenge: IT in Mississippi is very decentralized. We haven’t gone through a consolidation process. We have responsibility for policy and governance, but the operational aspects of security reside in the agencies. They all pay attention, but the availability of resources differs. There are pros and cons to both environments. Centralization doesn’t resolve all the issues. But the more diverse the technology infrastructure is, the more challenging it is to have one set of policies and guidelines.
Significant developments: Last August we had our first multiagency tabletop exercise, and it was an eye-opening experience for information technology services and the agencies. It gave us an opportunity to train for a cyberincident: How would we communicate? How would we respond?
Forming a relationship with the CIO: I have been fortunate enough to work with a CIO, Craig Orgeron, who started working for the state at roughly the same time I did. I have known him a long time, and we speak on a weekly basis. Craig is president of NASCIO and has given a number of presentations on this topic, so I know he is well aware of cybersecurity issues.
Value of mentors: As part of the Multi-State Information Sharing and Analysis Center’s (MS-ISAC) mentor program, I have been a mentee for two years and will be a mentor this year. In the first year, I was paired up with Michigan CSO Dan Lohrmann and we spoke at least once a month. I enjoyed it while we were doing it, but only afterward did I realize just how much I did learn. For instance, a tabletop exercise process we did in Mississippi developed from a conversation I had with Dan about how important it was in his state.
Lessons learned: You can have the best policy in the world, but if you can’t get groups to collaborate, I don’t know how policy requirements are going to work. Also, the CISO can’t be an expert on everything, because this is such a complex topic. You have to rely on the expertise of people in specific roles and help them find training to stay up to date.
Ralph Johnson, chief information security and privacy officer, King County, Wash.
In the position since: 2005
Job responsibilities: Executive leader of King County’s information assurance program. Spearhead and manage initiatives to provide a proactive approach to information security.
Biggest challenges: Things were difficult in the early days because we were trying to introduce a governance model, not just for security, but also for IT as a whole, and we were changing the culture, changing the way IT is done. We always had departmentally focused pockets of IT. For instance, we had the same anti-virus system across county workstations, but some departments would set up their own central management console. Some would manage each workstation individually. There was no overall picture. We combined all of that into a single management console so we could get a picture of endpoint protection across the entire county. Also, some operational functions that in a corporate world would be turned over to information security tend to be handled by operations groups in government. I have oversight of the network team and I am involved with them, but my team doesn’t actually manage them.
Advice for new CISOs and CSOs: Learn your organization’s culture before trying to make changes. Consider organizational culture and focus on risks to the data. Don’t focus on the technology. You can buy lots of boxes with pretty blinking lights that are going to make your data center look really good, but if you can’t incorporate what they do into that environment, because of the culture, you just spent a lot of money for nothing.
Looking ahead: We have four core initiatives in King County IT to support: mobility, modernization, service maturity and e-government. All four are intermingled, and all have security elements. We are also looking at a multiyear identity and access management project. It would not only allow you to access the information you have permission to, it would also offer automated provisioning and de-provisioning.
Agnes Kirk, CISO, Washington
Job description: I have a dual role of being the state CISO and also having responsibility for delivering enterprise security services. My team doesn’t manage the networks, but we have established a Security Operations Center, which handles logging, monitoring and analytics, as well as alerting and incident response statewide. I also have operational responsibility for firewalls, remote access, gateways, Web filtering, etc. I have a close relationship with the state CIO, whose office is the policymaking arm of state government for IT. I work with him on developing strategy for the state in terms of security policies and standards and implementation strategies. I also represent the state at Department of Homeland Security, MS-ISAC and other national forums. I do a lot of public-private collaboration.
Biggest challenge: Staying ahead of emerging mobile technologies. Everything is accessible now all the time. Because there are so many options available one click away, including collaboration sites and social media, it is a challenge for organizations to know where all their data is to be sure it’s being protected appropriately. The convenience of the services makes it hard for employees and citizens to remember the responsibility that hasn’t changed. You can’t assume that you can treat somebody else’s data the way you would treat your own. People are just trying to do their jobs, and they are picking the most convenient way. We are trying to keep track of that. It is an ongoing conversation I have with my private-sector counterparts.
What about the idea of merging physical and information security responsibilities into a CSO role? It is a possibility, but I don’t think it is imminent. It isn’t that it would be wrong to merge it, but I don’t think it would be critical. We work very closely with the folks who handle physical security.
Do you see the need for a chief data officer or privacy officer for the state? I don’t think it would be a bad thing. We have just started looking at it, and we need to have a lot more discussion about it. Every agency has a privacy officer and public disclosure officer, sometimes one and the same. I see some benefits, but I also see the value of having it in the agency so that they understand the agency’s business.
Elayne Starkey, CISO, Delaware
In the position since: 2006
Security responsibilities: At the time the CSO position was created, it was intended to encompass not just information security, but also physical security at our department. Since that time, we have reorganized a couple of times and physical security is no longer part of my purview. But I have strong partnerships with law enforcement and emergency management agencies. It is a critical part of my position to be well connected to those folks.
Major accomplishment: The cornerstone of Delaware’s program is education and outreach. All executive branch employees go through an information security refresher training every year. We have a 99 percent completion rate. We are very proud of that number; it took a lot of hard work and a lot of prodding to make it happen. We count ourselves fortunate that we are one of a few states in the nation that requires every new employee who gets an email account to go through that training in the first 30 days.
Biggest challenge: One of the biggest things we have done is to empower departmental information security officers. There was a time when being an information security officer meant approving a few forms and resetting some passwords now and then. The threat environment has changed in such a major way that we have asked them to do much more. But I am not a fan of asking them to do more without training to go with that. We have subsidized boot camps to help them prepare to take Certified Information Systems Security Professional tests. Then when they achieve it, we make a big deal of it and get the governor involved. It is an incredible motivator, we’ve found, that their ultimate boss cares about this.
Suggestion for local government: Every two years, we issue scorecards to all internal customers, even the smallest agencies, for them to do a self-assessment on their security posture. The hope is that the score keeps improving. If not, it is a vehicle to take to management to explain in a non-techy way the basics of why security is important and the risk of not investing. There are a lot of metrics-driven business leaders, and you can get a competition going among agencies. I don’t see why that approach wouldn’t work on the local level too.
Advice to new security officers: People think technical qualifications are important, and you do need to continue to hone technical skills, but I think you should place a huge emphasis on relationship building. The job is less about technical details and more about managing risk and describing risk in a way that a nontechnical person can understand.
Patsy Boozer, CISO, San Antonio, Texas
Changes put in place: I started in April 2012 and added physical security to my responsibilities in June of that year, although we didn’t change the title to CSO. The city had a security understanding, but it needed to be broadened and fine-tuned. When I arrived there were 11 administrative security directives, and that is just too many for people to get their hands around. So I refreshed them and cut the number of directives to five.
Setting a new strategic direction: I saw that the internal auditor used the FISCAM (Federal Information System Controls Audit Manual), so it made sense to me to use the National Institute of Standards and Technology SP 800-53 standard because that maps to the same controls. Of course, then you have to look at it from a cost-benefit perspective and see what type of data you are trying to protect. The main types of data the city deals with involve criminal justice and HIPAA (Health Insurance Portability and Accountability Act). We have 14 departments that fall under HIPAA, and we had to make sure the sensitive personally identifiable information was being handled correctly. We also had to look at the payment card industry, because all cities are starting to accept credit cards. I needed to start with a data-centric focus and look at all the requirements of those different mandated security policies and see where I can find commonality. We focused on the Council on CyberSecurity’s Top 20 Critical Security Controls, and we have made significant progress on all 20 controls and mapped it so we are coming into compliance with all the mandatory requirements.
Something unique about your city: San Antonio is the seventh-largest city in the country, and it is also dubbed Cyber City USA. We have several military bases, and the city by its culture is very cyber-driven. I meet with other security directors and CISOs at a monthly meeting called the Security Leadership Forum. We talk about how we can be of help to each other and share lessons learned.
Lessons learned: One challenge is that a governmental organization can be so large and diverse that it essentially has all these vertical industries such as criminal justice and health care embedded within it. The key is to find a horizontal approach that works across all those areas. If you just look at it one vertical at a time, others are likely to get left behind.