Five state and local chief information security officers reveal how they came to government IT work, the essential traits of an effective CISO and what they’re doing to shore up cyberdefenses in unprecedented times.
When Shirley Erp joined Austin as its security chief, she did so with a desire to protect and serve. “As for my current position of CISO for the city of Austin, this provides yet another opportunity to serve my community and motivates me to do my best at protecting the city against cyberthreats, securing confidential information and adding value by further maturing the city’s cybersecurity program,” she said.
Erp’s path into technology and cybersecurity was influenced by her father, who was in security intelligence for the U.S. Air Force. This, combined with her aptitude for math and science, led to the pursuit of her first degree in computer science. After graduating, Erp started her career as a mainframe systems programmer and gravitated toward computer networks. “Later, when organizations started to adopt the Internet for business transactions,” said Erp, “I had both the background and innate interest which allowed me to progress my career in cybersecurity.”
Having CISO experience in both the public and private sectors, she is well-poised to compare the two. “The role of the CISO is similar in that you must be both a business and technology leader,” Erp explained. “The difference for the public sector is it takes more time for change with legislative oversight, governance approvals, limited funding and budget cycles, as well as selection justifications and implementation coordination.”
Erp has only been with Austin since June 2020, but she has been doing something she enjoys: leading change to improve organizational security through priorities. One such project is the creation of an information security road map to further mature Austin’s cybersecurity program and capacities. “The road map,” Erp said, “will help guide the way for continuous improvement with planning initiatives that utilize the city of Austin’s established processes and budget cycles.”
While Erp enjoys serving her community, she’s well aware of the risks and challenges that come with digitization. “Attacks are getting more sophisticated, organizations are transforming to multi-cloud architectures, and the workforce is transitioning to remote work and bring-your-own-device — all of these things bring new challenges to the forefront,” Erp said. She believes that security must transform its protection of data as IT is transforming to meet tomorrow’s business needs.
Transformation to meet threats requires good CISO leadership. The ideal cybersecurity leader, according to Erp, “is a critical thinker who embraces the strategic vision, goals and objectives of the organization and builds relationships across the entity for improving security while balancing the business needs and customer service.”
Executives should not, however, only look to CISOs to improve security. “Security is not just a technology issue,” Erp said. “It is everyone’s responsibility, and it should be integrated into the organization’s culture and governance structure.”