We are continuing a series of educational interviews with state and local government technology and security leaders around the nation. This week we visit an intriguing local government in the Pacific Northwest part of the country to learn more about its overall mission and how it keeps customer data safe.
Port of Portland CIO Mark Greinke with CISO Theresa Masse
One look at the Port of Portland’s website and my first thought is: WOW!
The stunning pictures, professional design and easy-to-navigate Web portal make this Internet destination seem more like a travel digest or sales brochure for that beautiful part of America.
No doubt, this is not what most people expect or think about in regards to local government technology services and solutions.
My initial reaction: impressive, and good for them! I encourage readers to take five minutes to learn more about this outstanding public entity with a vital mission that does so much more than its name implies.
I also love its motto: Possibility. In every direction.
Check out this YouTube video describing the Port of Portland and the beautiful Pacific Northwest.
Security at the Port of Portland
You may be wondering why I chose the Port of Portland for a local government interview for this cybersecurity leadership series. The initial answer is simple: Theresa Masse -- and her track record of continued success.
I have known Theresa for many years, originally in her previous role as the chief information security officer (CISO) for Oregon state government. Theresa has exceptional professional talent and has long been an active leader and executive board member within the Multi-State Information Sharing & Analysis Center, where she chaired many workgroups and led new cybersecurity efforts. She is respected around the nation as a leader in state and local government cybersecurity space.
For example: Theresa was highlighted a few years ago by Will Pelgrin, who is the leader of the Center for Internet Security. She was also interviewed by StateScoop in this article two years ago regarding her cyberincident planning work.
Theresa moved over to become the Port of Portland CISO a few years back, and she continues to do great work for this impressive organization.
As for its overall technology leadership, Mark Greinke is the Port of Portland chief information officer (CIO). I have never met Mark in person, but I am impressed with his professional profile and his career body of work. We connected via LinkedIn and email, and it was immediately evident that he has a noteworthy background in security leadership. Mark has a long list of accomplishments in the public and private sectors.
Mark has held several senior tech roles for the city of Portland, including chief technology officer and information security manager. Mark joined city government following 11 years with Intel Corp., in Hillsboro, Ore., where he led technology initiatives to move many of Intel's businesses processes from paper to online transactions as well as the automation of Intel's latest chip factories.
On to the Interview with the Port of Portland CIO Mark Greinke
Dan: Tell us about your scope of responsibilities as CIO at the Port of Portland.
Mark Greinke: The Port of Portland is responsible for Portland International Airport, two general aviation airports, four marine terminals and five industrial parks. The port also helps maintain the shipping channel on the Columbia River by managing a seasonal dredging operation.
As CIO, I’m responsible for the strategic and operational leadership of the IT organization supporting the port’s mission through its multiple lines of business.
Dan: How important is security in your job?
Mark: IT security plays an extremely critical role in how we deliver reliable and effective service to the public. We’re dealing with highly sensitive information and systems that if compromised could have devastating life/safety, financial and environmental impacts. Theresa is one of only four members of my leadership team and together we ensure her security program receives the attention it deserves.
Dan: What keeps you up at night regarding cybersecurity?
Mark: I wonder what more can we can be doing to protect our customers and employees and also when I’m going to get the call that we’ve had a significant breach. If I didn’t think we were taking the appropriate steps, I probably wouldn’t be getting any sleep.
Dan: How has security changed throughout your career? Is it more important today with big data, mobile computing and the cloud security challenges?
Mark: Obviously the quantity and variety of threat actors, vectors and targets have each increased exponentially and the pace of change is accelerating. It wasn’t all that long ago when vandals and fraudsters were the primary actors. There just wasn’t the proliferation of connected people and systems as there are today. The growth of the Internet and all the innovations which have followed are making it extremely easy for bad people to do very bad things. The problem is that the Internet you and I rely on got its foundation in the same thing that makes it an inherently insecure method to communicate and transact business – its openness. If a new Internet, built from the ground up with security in mind does not replace the Internet of today, I’m worried the time will come when its utility will begin to diminish.
Dan: As we head into 2015, is cybersecurity given a high priority at the Port of Portland? How does cyber get attention with so many competing projects and priorities?
Mark: I know every news report of a high-profile breach sends a chill up the spines of our executive leaders. They’re certainly asking me the right questions and becoming more interested in this stuff. Our Legal and Risk teams are reaching out to us now and asking how they can help. This hasn’t always been the case. We’ve implemented governance to guide our InfoSec program and drive accountability throughout the organization. I’m convinced cybersecurity is given a high priority at the Port but admit it’s difficult to say it’s ever enough.
Dan: Thanks for sharing your perspectives on security, Mark.
Just for fun, and a good cause, take a look at this video of Bill Wyatt, Executive Director at the Port of Portland, when he accepted the ALS ice bucket challenge last year.
The Interview with the Port of Portland CISO Theresa Masse
Dan Lohrmann: Tell us about your scope of responsibilities as CISO at the Port of Portland.
Theresa Masse: I am responsible for information security (strategic planning, consulting, information security awareness, policies, incident response, security architecture planning, assessments/audits, remediation tracking, and compliance) plus software license and copyright compliance.
Dan: What’s hot right now regarding your role? Where are you spending your time to protect your diverse local government resources?
Theresa: The focus is twofold – Payment Card Industry (PCI) compliance is a priority with our annual audit on the horizon. We also just completed an info security assessment conducted by a third-party consultant that will help focus our efforts on key priority areas for our strategic planning.
Dan: You have been known as a leader in the area of cybersecurity at the state level in Oregon. How has the transition been to local government? Can you tell us about similarities and differences?
Theresa: It has been an interesting transition. As CISO for the state of Oregon, I had enterprise responsibility for information security that entailed working and collaborating with numerous agencies in diverse lines of business along with the challenge of keeping the ever-changing Legislature and Senate reps updated on the importance of supporting and funding information security initiatives. I also worked closely with national organizations, such as MS-ISAC, and, of course, the Department of Homeland Security. At the Port of Portland, the scope is much smaller and more focused, there isn’t the same level of politics, and the mission is clear (much like a single state agency). However, the challenges from an information security perspective are still there. I also have maintained close connections with MS-ISAC and my state CISO colleagues, and continue to be the Oregon rep on the national level for the State, Local, Tribal and Territorial Government Coordinating Council (SLTTGCC).
Dan: Do you have enough talent in the cybersecurity area? How are you attracting and keeping cybertalent?
Theresa: This is an ongoing challenge as the demand is increasing and the pool of talent isn’t growing. I’m fortunate to be on the advisory committee for a local community college that has a cybersecurity program, so I have the opportunity for input at the local level. In the public sector, we have additional challenges, the hiring process is often more prolonged and we can’t offer the same level of compensation and all the great perks such as stock options and profit sharing. Public employees are under much more public scrutiny. Also, in smaller organizations, the opportunity for advancement is more limited. However, at the port, we have extremely talented staff, projects are interesting and challenging, and we have a great working environment. Overall, the turnover is fairly low, so we are fortunate.
Dan: Is there anything else you’d like to share about your cybersecurity program?
Theresa: I’ve been impressed with the level of interest in information security at the port and the commitment to "do the right thing." Certainly the ongoing media stories about breaches are a great catalyst. Although our port (airport and marine) is not the largest on the West Coast, we are growing and certainly are critical infrastructure (as we have the only major airport/marine in Oregon.) Although there is always plenty to do, I think we are making good progress and I value the collaborative approach and incredibly talented folks I have the privilege to work with every day.
Dan: My thanks go out to Mark and Theresa for participating in this interview series. I find it fascinating and also informative to understand the viewpoints from a diverse group of organizations and leaders, and the Port of Portland offers essential services that also bring a different perspective to this discussion.
This interview series will continue in April 2015 with another mix of interviews with state and local government technology and cybersecurity leaders from across the U.S.A.