Elevating cybersecurity leadership: Perspectives from Montana's CIO and CISO
A look at cyber in "Big Sky Country."
Montana CIO Ron Baldwin with CISO Lynne Pizzini
Back in the first week of May 2014, I ran into Ron Baldwin at the National Association of State CIOs (NASCIO) mid-year Fly-in. Ron is Montana’s Chief Information Officer (CIO), and we started talking about what’s happening in “Big Sky Country” regarding cybersecurity.
The simple answer is a lot.
One thing that Mr. Baldwin noticed shortly after becoming CIO in January 2013 was that hackers were clearly targeting Montana’s networks, and the role of cybersecurity needed to be enhanced. Ron told me that he needed a cybersecurity leader reporting directly to him. The new Montana CIO quickly recognized that he had the right leader in Lynne Pizzini.
“Lynne was doing great work, but she was too buried in the organization to have the needed impact. I decided to create an enterprise-wide Chief Information Security Officer (CISO) role, and Lynne was clearly the right person to take on this important challenge.”
The Cyber Leaders Interview Series Continues
We are continuing our series of interviews with CIOs and CISOs from around the USA. The topic is: “What’s really happening regarding cybersecurity?”
The goal is simple: to listen to their words and learn from their ideas and actions. I also hope this series can advance a necessary dialogue. Note: In most cases, state government CISOs or CSOs report to their state CIO.
This blog series started in Mississippi back in March, and we continued in April in Delaware and moved next door to Pennsylvania.
Last time, we headed west to Nevada, and now we head north to one of the most beautiful and least populated parts of America.
Meet Montana Government’s Cyber Leaders
Mr. Ron Baldwin was appointed by Montana Governor Steve Bullock in January 2013, after an extensive career in the public and private sectors. Mr. Baldwin had served as CIO for Montana’s Department of Public Health and Human Services (DPHHS) since February 2009.
According to Montana’s official government portal:
“He is a professional project manager who has overseen multi-million dollar budgets and has experience working with the legislative and executive branches of state government and with federal programs. Ron has degrees in Computer Science and Biology/Chemistry. In addition, he holds a Project Management Professional (PMP) certification.
Ron and his wife, Jean, have a son, Jeffrey. For activities outside his regular job, Ron is an adjunct professor at Carroll College in Helena where he teaches project management. His interests include camping, hiking, piano, and classical music, which he locally supports as a member of the Helena Symphony Board.”
Although Lynne Pizzini only became Montana’s CISO in 2013, she has been a well-known cyber leader and Executive Committee Member within the Multi-State Information Sharing & Analysis Center (MS-ISAC) for several years. She has participated in national cybersecurity working groups and has spoken at technology and security conferences around the nation.
On a personal level, Lynne is a delight to work with. She is smart and persistent, yet soft-spoken and unassuming. Colleagues from around the nation who work with Lynne say she is a respected, confident cyber pro who can be relied on to deliver. Through the years, I have been very impressed with Lynne’s approach to national collaboration and solving cybersecurity problems.
When Ron Baldwin described how and why he selected Lynne to be Montana’s first CISO, I immediately thought: good move.
Interview with Montana CIO Ron Baldwin
Dan: Tell us about your scope of responsibilities as CIO of Montana. How important is information security to your strategic plans?
Ron Baldwin: The duties of the CIO of the state of Montana include: responsibilities related to information technology on a statewide basis, being the chief policy advisor on statewide information technology issues, and planning and program responsibilities for information technology for state government. Information security is a part of these duties, and is included in all areas of planning and program development. One of my first acts as the State CIO was to create the Chief Information Security Officer position within the state information technology organization.
Dan: What keeps you up at night regarding cybersecurity?
Ron: Even after doing all of the due diligence that has been accomplished in Montana regarding the development of the information security program, there is still the possibility of a data breach that could affect thousands of citizens. Malicious activities are getting more and more sophisticated and it is becoming extremely difficult to ensure the security of confidential information.
Dan: How does Montana include security in projects that involve big data, mobile computing and cloud computing?
Ron: All projects have a security element and involve someone from our security team to review and approve project security plans throughout the system development life cycle. Montana’s statute requires any major project with identified funding have a project plan that is reviewed and approved by the Office of the CIO.
Dan: How does cybersecurity get attention with so many competing projects and Governor priorities?
Ron: As the CIO for the state of Montana, it is my responsibility to identify key projects and programs and highlight them to the Governor’s Office. The Information Security program is one of the items that I discuss with the Governor’s Chief of Staff on a monthly basis. We have also used outside entities such as the Department of Homeland Security to provide briefings to the state’s Homeland Security Advisor, the Governor and his staff.
Dan: Any cybersecurity success stories you can share?
Ron: Because of the importance of information security to Montana’s Governor, we have launched a statewide information security training program that is required to be completed by all executive branch employees. This training has been very beneficial and we have had positive feedback from our state agencies.
Montana’s Risk Management program has been successful in incorporating Cyber Security Insurance into its liability insurance program. This effort has been awarded on a national level and is being used as an example for other government cyber insurance programs.
Interview with Montana CISO Lynne Pizzini
Dan: Tell us about your scope of responsibilities as CISO. I understand that your CIO promoted you and the CISO role recently. Can you describe how that has impacted what you do?
Lynne: In April 2013, Ron Baldwin promoted me to be the first CISO for the state of Montana. Before this time, my role focused on supporting security for our enterprise systems such as email, Active Directory, the network, our enterprise data centers, etc. With the new role, my responsibilities have increased to include assisting agencies with their security programs, implementing an enterprise security training program, and expanding and updating enterprise security policy. Ron is a great supporter of security and has expanded the state’s program to provide enhanced protections for state systems.
Dan: What’s hot right now regarding your role? Can you share some key projects that you are working on?
Lynne: During our last legislative session, the Legislature supported and passed the Data Protection Initiative. This initiative supports three major projects which are being completed at the same time. The first project is the implementation of an enterprise Access Control and Verification system (also known as Identity Management) that all state entities will be using. This project will attach all state identity stores and solidify the sharing of information through role-based access. The second project is the incorporation of two-factor authentication into our access control system. This will support the enterprise project described as the first project. The third and final project is the completion of an Enterprise Risk Assessment. The state is contracting with a third party to identify gaps in systems and mitigation recommendations. Funding for mitigation will be requested in the next legislative session that begins in January 2015.
Dan: How has cybersecurity changed during your career? What highlights can you share?
Lynne: I began my career in 1997 as the firewall administrator and anti-virus support person. We had no other cyber security personnel. Today, I supervise 10 staff that support operational security and our security auditing and training functions. In the beginning, it was about technology, now it is human related.
Dan: How do you address zero-day challenges like the recent Microsoft IE vulnerability (before it was patched)?
Lynne: The state of Montana has an established vulnerability management program. For zero-day activities, we notify our customers immediately with protection recommendations. Best practices, such as limited user rights, can protect from many zero-day threats. We try to incorporate these into our systems.
Dan: Is there anything else you’d like to share about your cybersecurity programs? Are there any cyber best practices that you can share?
Lynne: Three things are important to have a successful cyber security program. The first is relationships. It is important that the CISO develop and maintain relationships with staff, leaders, customers, organizations, etc. I think that 80% of my time is spent on communicating so that relationships are developed and maintained properly.
The second is training and awareness. This is very, very important. We try to make our program fun and we give great prizes at events! (Lynne speaks about security at every opportunity provided and has even been known to do some event “crashing” just to let everyone know that it’s “all about security.”)
The last item is aligning the cyber security program with a designated framework. Montana has chosen to align its program with the National Institute of Standards and Technology (NIST). This has made incorporation of federal programs and security requirements an easy process. The recently released Cyber Security Framework by the federal government will be used to update the Montana program and will help to solidify and support the use of common practices by Montana agencies to assist in securing Montana as an enterprise.
Dan: Thank you Ron and Lynne for sharing your experiences and insights on cybersecurity from Montana state government. Your examples are very relevant for us all, especially for states with smaller populations who need to elevate their security programs.
This series will conclude in June with one more government CIO/CISO leadership interview on cybersecurity.