Security is important, but most new companies don't have or can't afford a dedicated security expert, and that's how HOCO CISO was born.
In Howard County, Md., a new program is unique enough that it’s drawing attention from as far as Germany.
Launched by the Howard Tech Council, under the Howard County Economic Development Authority and in alignment with local tech incubator Innovation Catalyst, the county's new chief information security officer in residence program (called HoCo CISO) gives more than 300 member organizations the opportunity to receive security consulting advice and resources. And those German researchers? They're studying the program in search of new cybersecurity innovations.
Launching a program like this, which is based at the Maryland Center for Entrepreneurship, makes perfect sense in the Old Line State, said Patrick Wynn, executive director of the Howard Tech Council. Maryland has many IT security firms to draw from, and small- and medium-sized organizations that are members of the Howard Tech Council and the Innovation Catalyst don’t usually have dedicated security officers. But because IT security has become such an important factor today, these organizations need good security intelligence to protect what they have built from scratch.
Over the next six months, the program will continually add new features, Wynn said. Right now, the program mainly consists of a basic website with an email address that vetted organizations can use to request IT security consulting sessions. That Web presence will be developed in coming months to include a searchable knowledge base of commonly asked questions, and a more sophisticated ticketing system than what they use now, he said. They will also launch a monthly blog and begin participating in the Howard Council e-newsletter, and begin physical office hours in March, where the companies that need help can meet in person to discuss their security questions.
”What we’re looking to do is create an opportunity for these innovators to align with chief information security, privacy and risk professionals so when they’re developing their product, they can be cognizant of some of the pitfalls and challenges and exploitations that may occur that can risk the success of the organization,” Wynn said, adding that many of these companies aren’t aware that these challenges and threats exist in some cases, so education will also play a role in this new program.
“The Howard Tech Council is built on a foundation of four principles of engage, collaborate, learn and lead,” Wynn explained. “And what we’re doing here is allowing collaboration between information security professionals and the young innovative, entrepreneurial ecosystem in Howard County. What an incubator traditionally does for its residents, we’re taking some of the benefit of that and also exposing companies to those benefits that may be beyond the incubation stage. This is one of the deepest, richest, asset-laden populations in the entire country, and we’re exploiting that. And we think we can exploit that to the benefit of others that typically would not have the wherewithal to have this assistance without a program like this.”
One of the big lessons of the dot-com boom was that companies need people who know how to effectively manage and run them if they are to be successful, said Jason Taule, chief security officer and chief privacy officer at Maryland-based FEI systems. Taule played a central role in launching the new program.
“There are incubator programs all over the country,” Taule said. “Their goal is to stimulate economic development, to foster people with great ideas and innovations, and help them move along the startup curve. Many of them have chief executive officers in residence. We had the idea that they probably have just as much of a need for a chief security officer in residence.”
It doesn’t matter how big or small a company is, he said – every organization has some level of risk and exposure to IT threats. When it comes to many of these small companies that are just getting started, their intellectual property is everything, and they could lose everything if their data were to be stolen, he explained.
“In my career path, I’ve been through seven different acquisitions,” Taule explained. “When they acquired us, as soon as that press release hit the wire, literally within seconds, the volume, sophistication and frequency of attacks on the network of the smaller company, before we had gotten folded in, went through the roof.”
That is just one thing that these small companies need to be aware of, he said, and the HoCo CISO program will provide their member companies with that information when they ask for it. In fact, some members of the Howard Tech Council are IT security firms, so in cases where they can help the companies in the incubator, the HoCo CISO program will serve as a sort of broker to connect the two organizations so they can help one another.
Companies in Maryland in particular have many legal and security requirements because one way or another, everyone works for the government in Maryland, Taule said. Whether it’s meeting HIPAA or FISMA standards or understanding security training requirements, there are a lot of things these young companies need to know about, he said, adding that they saw a great need for this type of assistance, so they made it happen.
IT security is like the local dialect in Maryland, Taule explained. “The reason that this is working here is that we have so many three-letter agencies in this market,” he said. “Everybody here speaks it.”