In a survey of government chief information officers (CIOs) released back in November 2016, the National Association of State Chief Information Officers (NASCIO) again selected security and risk management as the top priority for state government technology in 2017. This finding is consistent with the digital states survey which also showed cybersecurity as the top priority for government technology leaders for the foreseeable future.
Not surprisingly, this focus on cybersecurity goes back several years in the public and private sectors, but how does this really impact organizations in practical terms? Which online threats worry state government cybersecurity leaders the most? What projects are at the top of the technology and security “to do” list for 2017?
To answer these questions and more, I brought together four of the top government chief information security officers (CISOs) in the nation to discuss what’s hot and what’s not in their corner of cyberspace. Each of these experts has a demonstrated track record of security success, and they continue in their roles even after staff reshuffles and technology leadership changes in their respective states.
Also, each of these government leaders has been introduced (and interviewed) in the past in a Lohrmann on Cybersecurity & Infrastructure blog, so I will point you back to that material if you would like to learn more on their career backgrounds and professional expertise.
My virtual CSO roundtable discussion (which actually occurred on the phone and via online discussions and emails) included:
— Mike Roling: Chief Security Officer for the state of Missouri government. For more on his background, Mike and his CIO boss at the time were interviewed by me back in March 2015.
— Agnes Kirk: Chief Information Security Officer for the state of Washington government. For more on her background, Agnes and her state CIO were interviewed by me back in April 2015.
On to the CSO RoundTable Interview to Kick-off 2017:
Dan Lohrmann: As the CISO of your state, what are your three top priorities for calendar year 2017?
Elayne Starkey, Delaware CISO: Good timing, as my team is just wrapping up our strategic planning effort.
      — Focus on STEM, raise awareness, leverage existing resources, identify organizational risk
   b. The Office of Cyber Security is developing a plan to expand its services and offer them to local government
      — Over 90 percent of orgs surveyed said they had an interest in receiving state gov cybersecurity services
2. Deploy security controls and processes within cloud environments
   a. We’ve embraced several cloud services including Box and Skyhigh to deliver business processes more securely
   b. We’ll be focusing on prepping environments out in AWS and Azure that are protected by our security stack
3. Continued focus on awareness throughout every level of state government
   a. Awareness is one of the key pillars of our cybersecurity plan and always will be
   b. Enabling a human intrusion prevention system is something to behold
As a side note, a local media outlet ran with our cybersecurity task force action plan here.
Agnes Kirk, State of Washington CISO: Thanks Dan. Always great to reconnect with you and CISO colleagues.
Elayne Starkey: Delaware’s IT centralization program resulted in the inheritance of many applications written by others, so many years ago. We now have a renewed focus on application security scanning for both new and legacy apps.
Mike Roling: The Mirai botnet definitely got my attention last year after it successfully took down Dyn and impacted many popular Web services. I foresee insecure IoT devices, the core of the Mirai botnet, being used a lot more in 2017 to carry out DDoS attacks.
We’ve taken steps to mitigate DDoS attacks by leveraging cloud-based anti-DDoS solutions. However, Mirai garnered the attention of even the biggest anti-DDoS players out there. 2017 will be an interesting year.
Agnes Kirk: The sophistication and frequency of phishing emails attempting to download ransomware. It’s a problem that affects organizations of all sizes and sectors. Government isn’t exempt. Without the advanced threat detection tools we have in place, our story would be very different. This issue is not going away.
Chris Hobbs: APT / phishing – We continue to see many phishing campaigns attacking our staff.
Dan Lohrmann: How has your CISO role evolved over the past few years in your state? Also, how do you see things changing further over the coming few years as we head toward 2020?
Elayne Starkey: I am spending more and more of my time “in the cloud,” whether it is vetting cloud T&Cs with SaaS vendors or mapping our plan to move to IaaS. Cloud, Cloud, Cloud!
(Side note: Back in 2011 when I was Michigan CSO, Elayne and I appeared on a CIO Talk Radio podcast on securing cloud computing. It is an interesting comparison with where we are today. Overall, some progress, and some setbacks.)
Mike Roling: My team’s role has changed in many ways; here are a few:
- Risk reduction focus.
- Become the department of “yes.”
- More human and process focused.
- Public safety is now front and center with IoT and OT.
The constant barrage of stories about public- and private-sector breaches exposing personal information, and the high-profile hacks of email accounts has led to increased awareness of cyberthreats. Our role is increasingly one of educator — at all levels.
I expect our state, and others, will continue to enhance safeguards to protect personal information stored on state networks and take additional steps to protect critical infrastructure and ensure the continuity of commerce.
Chris Hobbs: The CISO role for Nebraska is moving more toward policy based functions and collaboration with agencies and third parties. The CISO is moving away from operations roles and streamlining the job obligations associated with the role. Coordination of security efforts across all stakeholders is key.
Dan Lohrmann: My sincere thanks to Elayne, Mike, Agnes and Chris for taking the time to answer these questions. I continue to be amazed by their ongoing leadership through tough times in cyberspace at the state government level.
Wrap-up & Final Thoughts
You may wonder: What is missing from the CISO action lists, in my opinion?
First, these are leading states that have very mature security programs and have been working cybersecurity priorities for years, so you wouldn’t expect to see every top agenda item every year.
That being said, I asked them whether their states were thinking of implementing coordinated vulnerability management programs (or “bug bounties”) in 2017.
All four of them were very interested and thought this item was definitely on the list. However, bug bounties were not in the top three current priorities for any of them. (They were all conducting research and gathering data on bug bounties.) Further, Elayne said she was fascinated with the recent “Hack the Pentagon” DoD program, and she was discussing the topic with state and federal military officials.
Also, they each were well aware that cyberincidents and unplanned security events can quickly become a top priority. There is always the “we don’t know what we don’t know” factor in their roles.
Each of them expressed a mixture of optimism and pessimism, and there is no doubt that 2017 is shaping up to be another eventful year for cybersecurity pros and global online disruption. The bad guys never sleep — and no group understands this better than CISOs on the front lines of government tech.
We should all be thankful that state government cybersecurity leaders like Elayne, Mike, Chris and Agnes (and other CISOs and security pros in governments around the world) are on the job.