Delaware’s longtime top security official has retired and will be temporarily replaced by the state’s chief information officer, she confirmed to Government Technology.
Elayne Starkey, the state's Department of Technology and Information’s chief security officer of 13 years, retired June 29. A nationwide search for her replacement is underway, but in the interim, CIO James Collins will also serve as acting CSO, she said in an interview.
Her next move is unclear, the CSO said, but she’ll likely consider opportunities in the fall after going “off the grid” for about 90 days. Starkey, who became CSO in July 2005 according to her LinkedIn profile, joined the state in 1996 as CIO for the Department of Public Safety. Her next state role took her to DTI, where she was chief technology officer for nearly four years, before becoming the agency CSO.
Her length of service, combined with the fact that several major projects had recently finished, were factors in her decision to leave, she said, emphasizing that the public sector left an indelible positive impression.
“I was kind of bitten by the public-sector bug, and it’s hard to explain … but it’s a different level of job satisfaction that you have when you’re out there, in my case, trying to secure our citizens’ data and keep it safe and secure,” Starkey said. “It’s hard to measure, but that has given me a great deal of satisfaction over 22 years and that’s why in part I’ve stayed in the public sector and not returned to the private sector.”
Among her accomplishments, Starkey cited helping create an award-winning state cybersecurity website; wrapping Delaware Transit buses with cybersecurity messages through a Verizon partnership; and offering annual cybersecurity training for staff and Certified Information Systems Security Professional (CISSP) bootcamps for technical security employees.
She also guided the creation of the state’s new Security Operations Center, which went live in 2015. And, though the program is still maturing, it offers enterprise-level visibility into the many thousands of alerts the state receives — and the ability to screen and respond before they rise to the level of incident or breach.
About three weeks ago, the state completed the biggest revision ever to its cloud security terms — a project that had been underway since 2011 and encompassed multiple versions and revisions. The effort, Starkey said, included national and international standards from the Federal Risk and Authorization Management Program (FedRAMP) and the Cloud Security Alliance.
“What our hope is, is it makes it even easier to negotiate contracts with cloud vendors. What the certification does is it puts them on the fast track, if you will. If you come in with those certifications, then the whole vetting process is much simpler,” Starkey said.
Like other states and large corporations, Delaware is continually alert against bad actors, the outgoing CSO said. The state’s new vulnerability disclosure policy laid the groundwork for one related project Starkey said she would have liked to have led, but didn’t: a so-called bug bounty program that might follow the lines of testing Delaware’s cybersecurity defenses through a controlled “white hat hack.”
Elsewhere around the state, however, Starkey said Delaware’s roughly seven-year in-house “phishing” campaign, designed to test staffers’ resistance to questionable emails, has been a resounding success.
“The attackers are getting much more sophisticated and that requires a tighter and stronger defense on our side. But I don’t think Delaware is unique in that. I think it’s pretty standard across the board,” Starkey said.