Security in Profile: The Leaders Keeping Government Safe
Five state and local chief information security officers reveal how they came to government IT work, the essential traits of an effective CISO and what they’re doing to shore up cyberdefenses in unprecedented times.
Ransomware attacks. Malware attacks. Phishing attacks. DDoS attacks. While cybersecurity has long been a top priority for government IT leaders, the last two years in particular have made clear that a concerted effort to protect government data is paramount.
With an ever-growing need to protect information assets and secure infrastructure, the role of the chief information security officer has never been more critical to the ongoing effectiveness of government agencies and departments.
Government Technology spoke with five such state and local government CISOs. Here, they share their cybersecurity backgrounds and insights on the field.
Shirley Erp, Austin, Texas
When Shirley Erp joined Austin as its security chief, she did so with a desire to protect and serve. “As for my current position of CISO for the city of Austin, this provides yet another opportunity to serve my community and motivates me to do my best at protecting the city against cyberthreats, securing confidential information and adding value by further maturing the city’s cybersecurity program,” she said.
Erp’s path into technology and cybersecurity was influenced by her father, who was in security intelligence for the U.S. Air Force. This, combined with her aptitude for math and science, led to the pursuit of her first degree in computer science. After graduating, Erp started her career as a mainframe systems programmer and gravitated toward computer networks. “Later, when organizations started to adopt the Internet for business transactions,” said Erp, “I had both the background and innate interest which allowed me to progress my career in cybersecurity.”
Having CISO experience in both the public and private sectors, she is well-poised to compare the two. “The role of the CISO is similar in that you must be both a business and technology leader,” Erp explained. “The difference for the public sector is it takes more time for change with legislative oversight, governance approvals, limited funding and budget cycles, as well as selection justifications and implementation coordination.”
Erp has only been with Austin since June 2020, but she has been doing something she enjoys: leading change to improve organizational security through priorities. One such project is the creation of an information security road map to further mature Austin’s cybersecurity program and capacities. “The road map,” Erp said, “will help guide the way for continuous improvement with planning initiatives that utilize the city of Austin’s established processes and budget cycles.”
While Erp enjoys serving her community, she’s well aware of the risks and challenges that come with digitization. “Attacks are getting more sophisticated, organizations are transforming to multi-cloud architectures, and the workforce is transitioning to remote work and bring-your-own-device — all of these things bring new challenges to the forefront,” Erp said. She believes that security must transform its protection of data as IT is transforming to meet tomorrow’s business needs.
Transformation to meet threats requires good CISO leadership. The ideal cybersecurity leader, according to Erp, “is a critical thinker who embraces the strategic vision, goals and objectives of the organization and builds relationships across the entity for improving security while balancing the business needs and customer service.”
Executives should not, however, only look to CISOs to improve security. “Security is not just a technology issue,” Erp said. “It is everyone’s responsibility, and it should be integrated into the organization’s culture and governance structure.”
Shannon Lawson, Phoenix
Shannon Lawson’s career began after college when he enlisted in the U.S. Navy, where he specialized in cryptology, which he says introduced him to “information and warfare.”
From there, he took on a variety of jobs with the Navy and National Security Agency, becoming a generalist in technology. He then left for the private sector, but after a few years returned to the Navy.
Years later, he became the inaugural CISO for Alaska. “I wanted a change from what I was doing and to be more hands-on, directly controlling an organization’s security program,” Lawson said.
In 2019, when his time with Alaska ended, Lawson transitioned to local work, taking on the role of Phoenix CISO. “Phoenix is the fifth-largest city, serving 1.7 million residents,” he said. “And we provide a wide variety of critical services to them. Water, for example, is a critical service.”
He views this role as a unique opportunity “because you have real issues that have to be solved right now,” Lawson explained. “What I like most is the wide variety of challenges. Here at the city, my team is really doing transformational change.” He credits city leadership for their ability to get things done.
Still, being a government CISO is not without its challenges. “The private sector,” he said, “is really good at eliminating liabilities and keeping assets that drive success. Culture, in the public sector, can be a liability.”
Lawson, however, has seen success in promoting a culture of security awareness in Phoenix. “For National Cybersecurity Awareness Month, approximately 15,000 employees completed training in 30 days,” he said.
For those interested in government cybersecurity leadership, Lawson notes the importance of a well-rounded background. First, “you need a resume that combines formal education and direct experience, as CISOs have now been accepted in the board room.” Next, formal certifications are key. “Not a lot,” Lawson cautioned, “but something to show you have passed a minimum standard of knowledge for a particular domain in security.” Finally, Lawson explained that “soft skills are just as important as hard skills.”
“Being CISO is a privilege, but it’s a long road there,” he said. “Plan properly. Be prepared to drink from a fire hose at the deep end of an empty pool. Communicate and enjoy the ride.”
David Allen, Georgia
David Allen commissioned into the U.S. Army in 1995 after college. Upon completing his assignment, he returned to his home state of Georgia and worked in IT and project management roles for several years before joining the Georgia National Guard full time for nearly a decade.
During this time, Allen progressed professionally and held a few roles within the organization, including deputy chief information officer and a dual role of CIO and chief of cybersecurity.
Allen’s leadership experience in the Guard’s dual role specifically prepared him for his current cybersecurity position. “I was able to work on cybersecurity efforts at the federal and state level, to include collaboration with my current organization. As a Guardsman, it also provided me the opportunity to learn crisis management skills that have benefited me greatly during incident response efforts,” he said.
Now CISO for the state, Allen reflected on his shift to state government from the military: “My whole career has been in service to my country, so it was a natural transition upon my military retirement,” he said. “I looked for an opportunity to continue to serve and found it at [the Georgia Technology Authority].”
Having some familiarity with GTA from his previous work, Allen took on the role in 2019 with an excitement that remains more than one year later.
However, Allen’s enthusiasm hasn’t clouded his ability to see the challenges of the CISO role. With an increasing number of cyberattacks and a mobile workforce due to COVID-19, he notes one significant challenge that CISOs are dealing with in this climate: “modifying the new normal, with things like working from home, and new technology to bring in so employees can safely operate.” This includes, Allen says, examining security in general.
Allen also acknowledges that to address recruitment and retention challenges, a leader should have an open mind when seeking cybersecurity talent. It will take different strengths and different backgrounds, Allen explains, to fill available vacancies.
Such challenges indeed require effective CISO oversight. The ideal leader, according to Allen, should be strategic and operational; should have an appreciation for and an understanding of technology; and should be willing to gain new skills.
In all, since joining the state, he has seen progress on all fronts when it comes to cybersecurity priorities and initiatives, including workforce training and development and capabilities for incident response. “I’m really excited about where we’re trending in all things technology,” Allen said.
Stephanie Smith, Mecklenburg County, N.C.
When Stephanie Smith started her career years ago, she was aware of a gender gap that remains today: Women make up a small percentage of the U.S. technology and cybersecurity workforce — and an even smaller percentage hold leadership roles.
Smith was not deterred, however, from excelling in this male-dominated field. “It was a goal of mine, when I started 20 years ago, to get to that place of leadership,” she said. Over the years, Smith indeed reached that place through roles at various public and private organizations, including CIO at a North Carolina health-care organization, and now CISO for Mecklenburg County, N.C.
“When the opportunity presented itself to serve Mecklenburg County, I was excited,” she said. “It’s a big role with a lot of responsibility, but the benefit of doing something meaningful is big for me.”
As county CISO, where she serves approximately 1 million residents, Smith has a responsibility to educate others, particularly fellow employees, about technology and security. “For me personally, it’s not just about the latest and greatest technology. It’s about helping people change their mindset about technology and using it securely,” she said. She also credits the team she’s built, who share her “passion for public service and technology.”
A top priority for Smith and her team has been transitioning employees to remote work effectively and securely due to COVID-19. She said they “purchased new equipment to be mobile, trained new employees and put technology in place to monitor and respond.”
The shift to remote work has been a priority amid the pandemic, but Smith remains attentive to other cybersecurity risks and challenges, like user behavior and education, regulatory compliance, business emails and phishing, and ransomware attacks. Local governments, she said, are particularly being targeted by ransomware demands, and “must step up to keep up.”
If Smith had to characterize the ideal cybersecurity leader in government, it would be someone who is passionate about service. “For the government specifically,” she said, “I think you have to have a passion for giving back to the community.” According to Smith, the ideal leader also has a strong background in compliance and an understanding of why rules and regulations matter in keeping data secure.
Moving forward, Smith would like to see more women in the field. “I encourage more females to take a look at cybersecurity, and those in STEM programs to continue their passion.”
Andy Hanks, Montana
When Andy Hanks decided to find a position that would allow him to make a meaningful impact using his technical, security and business experience, he did not have his sights set on the public sector. That said, he has no regrets. “I was not specifically looking for a job in state government, but when I saw the state of Montana CISO job, I knew it was exactly what I wanted to do,” he said.
Hanks, who started programming at 13 years old, began as a mainframe programmer at IBM after earning a computer science degree. In this role, he worked in technology on the Y2K program. But as he constantly saw “security from multiple domain perspectives and leadership levels,” he wanted to transition. After hearing from a hiring manager about cybersecurity, its complexity and its growing importance, he made the move — and advanced professionally.
What attracted Hanks to his current role was the state’s mission: “to protect citizens’ data.”
“As a state employee,” Hanks said, “my customer is my family, my friends and my neighbors. I only need to look around at the people I see in the restaurants, bars and parks to be reminded of the importance of our mission.”
While he enjoys the meaningful contribution he makes to his state and its citizens, he remains knowledgeable about present and future challenges that can affect it. “Cybercriminals ransoming our citizens’ data, nation-states attacking our elections, unfunded mandates stretching tight budgets and emerging technology outpacing our ability to protect,” he said. However, the biggest threat, he explains, is the lack of talent. “The United States currently has a shortage of 500,000 cybersecurity workers,” Hanks noted. “Educating and hiring the next generation of cybersecurity workers should be a priority at the local, state and national levels.”
It is a top priority for Hanks and his team. “In Montana, we are focused on multiple initiatives to retain and recruit highly skilled cybersecurity staff, to increase diversity so we can match the diverse perspectives of our attackers and approach complex problems from multiple viewpoints, to build a workforce talent pipeline by partnering with K-12, college and university education institutions, the military, and the nonsecurity workforce looking to retrain into cybersecurity.”
Altogether, public-sector CISOs must have a background of expertise and experience to handle such challenges. “CISOs don’t need to be experts in business and security and technology,” Hanks said. “They just need to be experts in balancing the perspectives of all three.”