Will Pelgrin started the MS-ISAC more than a decade ago, and he is a leading voice in government cyberdefense. Tomorrow is his last day with the Center for Internet Security, and I caught up with him and new CEO Jane Lute to discuss the past, the present and the future of global cybersecurity -- especially within governments.
William F. Pelgrin Credit: Center for Internet Security
Will Pelgrin is stepping down as the president and CEO of the Center for Internet Security. He is also retiring from his role as the national leader and chair of the Multi-State Information Sharing & Analysis Center (MS-ISAC). The decision was announced in a press release issued by the Center for Internet Security (CIS):
William F. Pelgrin will be retiring on May 31st. Mr. Pelgrin’s outstanding career spanned nearly four decades and was largely dedicated to advancing the state of cybersecurity across the world. During the past five years at the helm of CIS, he has been the catalyst for expanding the role of the CIS into a highly valued cybersecurity resource for public- and private-sector entities both nationally and internationally.
The CIS board of directors has appointed Jane Holl Lute, former Deputy Secretary of the U.S. Department of Homeland Security (DHS) as CEO….
Brig. Gen. Steven J. Spano (ret.) has been named President and Chief Operating Officer of CIS….
Will’s Immense Positive Impact within the State Government Cybersecurity Community
How can I possibly describe Will Pelgrin and his immense positive impact and legacy within state and local government cybersecurity? (Hint: I can’t, but I will still try my best in this blog and interview.)
Will is a unique thought leader who stands alone for his ability to get things done and organize government solutions that make a difference for good in cyberspace. Will is an amazing communicator and coordinator of action both inside and outside the D.C. Beltway. He brought together all 50 states and U.S. territories to form the MS-ISAC and make it the coordinating body for state and local cybersecurity – long before cybersecurity was a national priority. His vision and planning later enabled the MS-ISAC to merge with the CIS – which he also led. Later, he worked with Jane Lute to merge CIS with the Council on CyberSecurity.
I have personally known Will for more than a decade, and I am honored to call him a friend as well as a highly respected colleague. While I was Michigan CISO and CSO, I would regularly call Will directly and seek advice, threat information and recommended next steps on incidents or talks with public- and private-sector leaders. As a former member of the MS-ISAC Executive Committee, I saw first-hand how Will proactively strengthened and grew MS-ISAC cyberdefense capabilities that helped federal, state and local governments.
Of course, there were some differences of opinion and strong personalities that flared-up across the country at times, and yet, Will calmly led state teams through CYBERSTORM exercises, October Cybersecurity Awareness Months, Annual MS-ISAC meetings and much more. He excelled in challenging online security circumstances.
When important messages needed to be delivered to state and local governments on cybersecurity from the U.S. Department of Homeland Security, Will was always the main messenger.
Will’s influence and abilities quickly became well-known, and he also led the coalition of ISACs working on critical infrastructure protection, which is called the National Council of ISACs, on numerous occasions. Oftentimes, the MS-ISAC technology, processes and procedures were viewed as cybersecurity best practices for the community’s public and private sectors' actions. Lately, Will has been helping countries all over the world with their incident response and cyberdefense capabilities.
Will Pelgrin’s departure from the MS-ISAC is a very big deal. For those of you who have not been following information security within state and local governments since Sept. 11, 2001, I hope this interview helps to explain why. I am confident that he will continue to be a force in global cybersecurity, no matter where he goes next.
While I don’t know Jane Lute nearly as well, I do know that she brings a wealth of experience and global relationships to her new role as CEO of CIS. I certainly wish her and Brig. Gen. Steven J. Spano (ret.) the best of success in their crucial missions and new roles.
Now on to the interviews.
Interview Between Dan Lohrmann and Will Pelgrin
Dan Lohrmann: You have had an amazing career in government, what were one or two highlights of your government service in New York? Any stories to share?
Will Pelgrin: I have had so many amazing moments throughout my career in New York state government and had the privilege of serving in five administrations. The Internet and ecommerce revolution occurring in the late '90s and post-Y2K was exciting … we were charting into new territory, and actually still are every day! Authoring the Electronic Value Transfer Act and landmark Electronic Signature and Records Act legislation in the late 1990s was definitely a highlight.
Creating the state’s first cybersecurity office, and serving as its first CSO is another highlight. It’s all about making a positive difference, and, with the tremendous work that was done — and is still being done — by the dedicated employees, we built a strong foundation for New York state’s cybersecurity readiness and response.
Another significant moment in my state career that stands out is 9/11. While this was obviously a horrific tragedy, the way that the state agencies and employees pulled together to help in the response and recovery truly made me honored to be a New Yorker.
Dan: What led you to become the founder of the MS-ISAC? When and how did it begin?
Will: I founded the MS-ISAC in late 2002, while I was the CSO of NYS because I saw a need for collaboration and sharing across states to better prevent, detect, respond and recover from cyberincidents. This kind of information sharing had been happening at the physical security levels for a long time, but there was no coordinated information sharing and response between state and local governments.
It started with just a small contingent of states, and we held our first meeting in NYC in January 2003 to officially launch the MS-ISAC. I didn’t want to get hung up on legal agreements of what and how to share — it was all about collaborating, sharing what you felt comfortable with, and helping your colleagues across the nation, as we were all struggling with the same cyberchallenges.
The MS-ISAC continued to grow to include all 50 states, D.C., all 50 state capitals, U.S. territories and tribal entities, and hundreds of local governments across the country. The MS-ISAC is officially designated by DHS as a key cyber-resource for the nation’s SLTT [state, local, tribal and territorial] governments.
The MS-ISAC members are truly such a passionate and dedicated group — all working together for a common purpose, to help each other detect, defend, respond and recover. It was great having you as a member when you were with the state of Michigan. You exemplified what the MS-ISAC is all about: collaboration, commitment and positive action.
The MS-ISAC reached a critical point that required its organizational structure to change; it needed to be institutionalized into a nonprofit — outside of any one governmental entity — in order to meet the ever-increasing challenges facing SLTT governments and to better reflect its expanded scope and responsibilities.
So, in late 2010, with the support of the White House and the U.S. Department of Homeland Security, the MS-ISAC transitioned into a not-for-profit status under the auspices of the Center for Internet Security, a nonprofit organization with an established reputation for providing cybersecurity resources to the public and private sectors.
The transition of the MS-ISAC provided us the sustainability and flexibility to meet the needs of the MS-ISAC and its SLTT members, and support DHS in its national cybersecurity mission.
The creation of a not-for-profit structure was recommended by the Center for Strategic and International Studies’ Commission report to President Obama. This report recognized the need for a nongovernmental structure to support government and the private sector if we are to meet the cyberchallenges of the 21st century.
Dan: What has changed the most in the security industry and within the MS-ISAC and CIS over the past decade?
Will: The sheer volume of threats and attacks is mind-boggling. We now handle approximately 2 trillion logs a year through our 24/7 operations center. Cybercrime evolved from mischievous hackers defacing websites for fun, into a multi-million dollar business. We see very organized and sophisticated actors, cyber-espionage and nation-state attacks … the threat landscape continues to evolve constantly.
Our ever-growing reliance on technology, and the interconnectivity of so much of our daily lives has also been a huge change. The way we protect our assets has changed too; the explosion of mobile devices and the Internet of Things have made the potential attack surface that much larger.
I am pleased that our collective awareness about cybersecurity has improved over the years. We still have a long way to go, but we’ve made some significant progress in our readiness and response.
Dan: What do you see as the biggest challenge going forward?
Will: The changing nature of cyberthreats continues to be a challenge. New attack vectors and malicious actors appear every day.
Funding to support SLTT governments in their cybersecurity efforts also continues to be a challenge.
Addressing the cybersecurity workforce needs is another significant hurdle that we have to overcome.
Dan: What accomplishment(s) are you the most proud of in your career?
Will: Well, I’ve always been honored by the recognition that Government Technology has given me! But, I would say being a founder of the MS-ISAC is a huge accomplishment. It’s grown to be a trusted resource for SLTT governments and DHS, and has made an impact on the industry overall. This is a program within CIS that will continue to improve and expand over time, even without my influence, which makes me proud.
I have had the opportunity to participate in numerous national and international efforts. It was an honor to be appointed as a commission member of the Center for Strategic and International Studies (CSIS) Commission on Cyber Security to brief the 44th president of the United States on critical cybersecurity issues.
It was a privilege for me to participate in the North Atlantic Treaty Organization (NATO) Advanced Research Workshop to identify and assess best practices for incident detection and response. This was a multi-disciplinary team of experts from 17 countries and three international institutions working together to identify solutions. The result was the book Best Practices for Computer Network Defense: Incident Detection and Response, authored by the Workgroup participants.
Dan: Tell us what you plan to do next? How do you expect to spend your time?
Will: I’m excited to continue my relationship with CIS as a board member following my retirement. Although I won’t be part of the day-to-day functions as I am now, this role will allow me to remain close to CIS and see its continued growth and success.
Dan: Is there anything else that you would like to add?
Will: Overall, the highlights for me have been the opportunity to work with great bosses, colleagues and employees. I have worked with some amazing people and have had strong mentors who really made an impact in my life.
Interview Between Dan Lohrmann and Incoming Center for Internet Security CEO Jane Lute
Dan Lohrmann: You have had an amazing career in government; what were one or two highlights of your government service? Any stories to share?
Jane Lute: My service in the Army represents my first deep personal appreciation for public service — in particular, as signal officer of the Berlin Brigade during the Cold War, as commander of the Signal Company at Arlington Hall Station, and my deployment during Desert Storm. As a UN peacekeeper too, I had the extraordinary experience to see both the best and the worst humanity has to offer. Later, as deputy secretary of Homeland Security, especially having been in New York on 9/11, I had the opportunity to work with the country’s finest professionals to help prevent terrorism, strengthen national resilience in the face of disasters and ensure the cybersecurity of the nation’s critical infrastructure. It was amazing to work alongside some of the brightest and passionate leaders all driven by the same goals.
Dan: What led you to become a founder of the Council on CyberSecurity? Why did it make sense to merge with CIS?
Jane: We started the council to help identify, validate, promote and sustain best practice in cybersecurity. The game-changer for all of us in cybersecurity will be widespread adoption of basic cyberhygiene as a minimum standard of due care. We steward the Critical Security Controls for this purpose — not as the only things to do, but as the most important things to do first for sound cybersecurity. CIS and CCS had been collaborating closely for more than a year on a number of different programs and initiatives, including with the National Governors Association's Homeland Security Advisors Council on the national Cyber Hygiene Campaign.
William Pelgrin and I recognized that both organizations had very similar missions and values, were focused on inclusiveness, transparency and ethics, so integration was a natural next step to building a stronger platform for widespread public access to best practice in cybersecurity.
Dan: What excites you the most about the opportunities ahead as the CEO and leader within CIS?
Jane: I am excited to be part of an effort to lead the global community to secure our connected world. With the combination of our programs, like CIS’ Security Benchmarks and the Critical Security Controls, our amazingly talented staff, and committed partnerships — we want to change the way the world approaches cybersecurity.
Dan: What do you see as the biggest challenges for state and local governments in cybersecurity as we move forward?
Jane: No single enterprise or government at any level can do all that needs doing to protect themselves in cyberspace — and all that needs doing can’t be done alone. State and local governments, just as with small and medium-sized businesses, must orient their cybersecurity practices to begin with basic hygiene — the Critical Security Controls are a proven place to start. State and local governments, in particular, are challenged to find the money and find the talent to stay current as they move more heavily to consolidate operations and mobile platforms and cloud services. CIS will deepen its support to state and local governments, for example, by engaging with them to stand up Information Sharing and Analysis Organizations (ISAOs). Widespread success is good for everyone, and we are in this for the long haul.
I want to thank Will Pelgrin and Jane Lute for their willingness to be interviewed and for their tremendous leadership in this protecting government entities from cyberattacks.
CIS is a tremendously important organization to our nation that is now working with the National Network of Fusion Centers as well as state and local governments to stop cybercrime and defend our critical infrastructures against cyberattacks and other threats.
In addition, CIS is an increasingly important organization regarding international cybersecurity efforts and as well as private-sector coordination with the government and nonprofit communities.
Our nation owes the debt of gratitude to Mr. William F. Pelgrin for his outstanding efforts in starting the MS-ISAC and for his years of leadership over the Center for Internet Security. Feel free to leave your thoughts and stories about Will below.
An era in state and local government cyber is ending, and a new season has begun. I wish the new CIS leadership the best of success.