We are continuing the series of interviews with top CIOs and CISOs from around the nation regarding the best state and local government cybersecurity strategies. This week, we turn toward the Buckeye State to learn from two respected executive leaders. At a time when the federal government is reeling from a major OPM data breach, this security discussion has never been more important.
Ohio CIO Stu Davis (left) with CISO David Brown credit: Ohio State Government
“As goes Ohio, so goes the nation.” This well-known saying generally relates to political history, since no Republican has ever won the White House without winning Ohio.
But in 2015, there are plenty of other leadership examples coming out of Ohio. In sports, The Ohio State University Buckeyes shocked the nation by winning the college football national championship in January of this year. In basketball, the Cleveland Cavaliers are currently fighting to become world champions in the NBA playoff finals.
In economic terms, Ohio’s steady, albeit slow, growth is a good reflection of the overall situation in the U.S. national economy, according to experts.
And in state government technology and cybersecurity leadership, Ohio CIO Stuart Davis (who prefers to be called Stu) leads the 50 state chief information officers (CIOs) as the current (2014-2015) president of the National Association of State CIOs (NASCIO). Stu became Ohio’s CIO in March 2011, and his exceptional leadership skills quickly became evident.
Over the past four years, Stuart Davis has testified before the U.S. Congress, led numerous NASCIO committees and working groups, championed cloud computing and cybersecurity initiatives and most of all led a major technology infrastructure transformation and centralization in Ohio’s executive branch agencies in state government. For his efforts, he was recognized as a 2013 Doer, Dreamer and Driver (top 25 government leaders in the nation award) by Government Technology magazine.
Stu is a gifted speaker with a good sense of humor and a natural ability to gain consensus and agree upon needed actions with his executive peers around Ohio and the country. As NASCIO president, he is often called upon to represent state CIOs in a variety of online and offline situations, and he leads executive committee sessions and NASCIO priority-setting efforts.
On a personal level, I gained a tremendous amount of respect for Stu and his technology leadership teams during conference calls and face-to-face visits between Michigan and Ohio technology teams from 2011 to 2014. While there is a fun, competitive aspect to cross-border partnerships and meetings (yes, I am talking about Michigan – OSU sports rivalry), there is also a sense of cooperation and learning from each other.
Stu Davis leads discussion at 2013 NASCIO Annual Conference credit: eRepublic, David Kidd
You can visit Ohio’s technology portal here and the state of Ohio’s Privacy and Security Information Center here.
Interview with Ohio CIO Stu Davis
Dan Lohrmann: You have had a very successful career as a technology leader. What is your secret to success?
Ohio CIO Stu Davis: Saying what you mean and meaning what you say … being thoughtful in your decisions and deliberate in your actions. That and relationship building as well as just plain old hard work.
Dan: What is your scope of duties as CIO in Ohio?
Stu: I am responsible for leading, overseeing and directing state agency activities related to IT development and its use to enable the business of the state.
Dan: How has the role as NASCIO president changed your outlook on technology and security?
Stu: NASCIO has been an enormously positive influence on all the efforts we have going on in Ohio. The peer-to-peer relationships and discussions with other CIOs and business partners are priceless. The higher profile of being president brings on its own set of challenges but the impacts of technology and the security are considerable. The presidency provides the bully pulpit to raise awareness about the good things CIOs do for their states and the vigilance necessary to keep our data secure.
Dan: How important is cybersecurity in your daily role?
Stu: It is top of mind on all initiatives. We are pressing hard to have and maintain a consistent cybersecurity posture for the state.
Dan: Any related stories to share?
Stu: We have centralized the cybersecurity functions and reassigned cybersecurity resources to the agencies. This has greatly assisted our ability to react, contain and ensure we have enough hands addressing threats as they come up.
Dan: How has security changed throughout your career?
Stu: We have much better tools and a sharper focus today than ever before. It used to be an afterthought and now cybersecurity is at the table as a strategic partner in the vision and design phases of our initiatives. The attacks we fend off are more frequent and grow in sophistication daily.
Dan: Is it more important today with big data, mobile computing and the cloud security challenges?
Stu: Yes, and beyond that. We are engaging with remote interfaces and other management software purchases that historically would not have been viewed as IT. We are actively pursuing security clauses in all of our procurement documents and contracts.
Dan: In 2015, is cybersecurity given a high priority by your governor?
Stu: The governor clearly understands the importance of cybersecurity. We are actively working with the Multi-State Information Sharing and Analysis Center (MS-ISAC), Ohio Homeland Security Fusion Center, the Ohio Highway Patrol, Ohio Department of Public Safety, the National Guard, the Ohio Emergency Management Agency and local government to ensure cross-boundary communication, coordination and collaboration. This would not happen without the strong support of Governor Kasich.
Dan: How does cyber get attention with so many competing projects and priorities?
Stu: As I mentioned, it is front and center with all of our IT optimization efforts. It permeates the fabric of the services the state of Ohio provides to all our citizens and businesses.
Video with Stu Davis on Cloud Computing in Ohio Government
Background on Ohio Government CISO David Brown
David Brown became Ohio’s state chief information security officer (CISO) in July 2012, after more than a decade serving in a variety of capacities with Ohio state government. Prior to becoming state CISO, he served as the deputy CISO, CISO for the Ohio Department of Public Safety and data security analyst for the Ohio State Highway Patrol.
As you will see from this interview, David has done an excellent job of bringing together diverse audiences in Ohio state government to tackle new security challenges and emerging threats.
Interview with David Brown
Dan Lohrmann: Tell us about your scope of responsibilities as CISO in Ohio.
Ohio CISO David Brown: I am responsible for the implementation of security policies and procedures across the executive branch of state government. We are centralizing information security services within Ohio, so my office provides security architecture, risk management, security compliance, vulnerability assessments and penetration tests, security engineering, cyber intelligence and threat monitoring, incident response and forensics, and overall security management functions. The state’s chief privacy officer also reports to me. I also chair the Ohio Homeland Security Cyber Security Working Group. We are also responsible for regularly reviewing and making recommendations for the improvement of cybersecurity throughout the state as a whole, and for assisting with the state’s efforts to grow the cybersecurity industry within Ohio.
Dan: How do you stay ahead of the ever-changing cyberthreat environment (personally and as a team)?
David: My team works closely with Ohio Homeland Security, Ohio Highway Patrol/Public Safety, Ohio Emergency Management Agency, Ohio National Guard as well as U.S. Homeland Security, and the Multi-State Information Sharing and Analysis Center to both provide cyber intelligence about the threats that we see affecting state government and to analyze cyber intelligence received from these sources, our business partners, and other organizations throughout the state. Our office and the Ohio National Guard will each be embedding a security analyst in the state fusion center later this year to provide cyber intelligence analysis and real-time coordination on threats we see, and we will continue to have other staff members interact with the fusion center very frequently to bolster that capability. Information sharing is key.
I also spend time reading research reports and talking with my public- and private-sector peers. Based on all of this information, we modify our security strategy accordingly. Our state is committed to implementing the 20 Critical Security Controls, which are periodically adjusted based on current threats.
Dan: What’s hot right now regarding your role? Where are you spending your time and what keeps you up at night?
David: I spend a lot of time ensuring our consolidation efforts stay on track. This is a massive undertaking. Security used to be handled by each agency in a siloed fashion, resulting in some agencies having strong security programs and others struggling to succeed. We are changing all of that. We are creating new enterprise security policies to ensure uniform implementation of the state’s security framework.
We also have five major security projects in progress to standardize and centrally manage endpoint protection solutions, add additional intrusion prevention capabilities, implement an enterprise SIEM, institute vulnerability scanning across the enterprise, and install Web application firewalls. With consolidation of security services under way, we are already seeing significant improvement in our security posture, increased visibility on threats and more capability to respond to those threats as an enterprise. We are also in the process of centralizing security personnel. To provide these services, we have increased our office staff from about 10 people to 30 in the past two years, and we will be adding another 20 in the next biennium.
As to what keeps me up at night, I am concerned with the growing sophistication of the threats that we see and the persistence of those threats. State and local governments face threats not only from individual hackers and hacktivist groups, but also from well-organized cybercrime organizations and nation-states that have substantial resources to perform sophisticated attacks.
Dan: How has security evolved over the past decade? What’s different (and the same) today, as compared to say 2005?
David: I believe the number of threats and the sophistication of those threats have increased dramatically, but we also are seeing more information sharing taking place about these threats than ever before. It seems that a day does not go by now without us receiving a security advisory from our intelligence partners.
Cybersecurity is also getting a lot more attention and consideration than it has in the past from a business perspective. You can hardly go a day without hearing about a data breach occurring somewhere in the United States, and affected organizations are seeing significant business impacts. Both private- and public-sector entities and our citizens are becoming more aware of the need for greater security. Certainly, within state government, there has been a tremendous increase in our cybersecurity efforts. The Office of Information Security and Privacy did not even exist 10 years ago, but today, it is an integral part of our information technology programs. Cyber insurance is now a common topic for consideration, which was not the case just a few years ago.
Cloud computing and BYOD are becoming commonplace today but were not nearly that pervasive 10 years ago. Organizations have to do their homework and ensure security controls are instituted for these environments. Security needs to be an enabler for the business, not a roadblock, and security practitioners need to be creative in finding solutions to these challenges.
Dan: Do you have enough talent in the cybersecurity area? How are you attracting and keeping cybertalent?
David: Acquiring talent has been a challenge in two ways. It is difficult to hire people who have significant experience and qualifications. The competition for these resources is very strong, and they are getting paid considerably more in the private sector. We are overcoming that with a concerted effort to hire state personnel and train them for the new roles in our office, and we have had good success.
We utilize the career research and guidance put out by the National Initiative for Cybersecurity Careers and Studies to formulate job descriptions and determine the necessary knowledge, skills and abilities for each position. We are now incorporating college interns into our program to supplement state staff so that they gain experience and possibly have a career path with the state if they choose. To retain personnel, we put an emphasis on continuous training to help our staff stay sharp on the skills that we need to defend against the threats.
Each year, our security personnel receive at least one security course on a particular focus area, such as incident response, penetration testing, and application security, for example. These courses typically take 30-40 hours each to complete. That, coupled with the new technology we are introducing and the transformational work we are doing has helped keep their commitment. We have an outstanding team of people on staff and in the state agencies.
Dan: Is there anything else you’d like to share about your cybersecurity program and upcoming projects?
David: I just wanted to say that I have been very thankful to work with Stu. As the state CIO, he understands cybersecurity, he fully supports these efforts, and has been a great help to me. I believe such support is vital to the success of a security program. As to new projects, we are now beginning meetings in conjunction with the Ohio Emergency Management Agency, Ohio National Guard, State Highway Patrol/Public Safety and Ohio Homeland Security to develop a state cyberdisruption plan to address potential impacts from a cyberattack on any critical infrastructure within Ohio.
Dan: I’d like to thank Stu and David for taking the time for this interview.
This interview series with state and local government technology and cybersecurity leaders will continue with another interview later this summer.