
Illinois State Treasurer’s Office Streamlines Operations and Improves Security

The cybersecurity skills gap and legacy systems often leave governments struggling to keep ahead of the shifting cybersecurity landscape. By looking “outside the box,” and finding the right approach for its environment, one state agency was able to improve its security posture and meet evolving cyber threats.

by Fortinet / November 6, 2020

Joseph Daniels, Chief Information Officer (CIO) for the Illinois State Treasurer, is responsible for protecting $32 billion in assets. However, as a relatively small state agency, the office of the Illinois State Treasurer has to do this in spite of staffing constraints that can complicate the pursuit of best practices. Their entire IT team has 22 staff members, and only 4 of them have cybersecurity responsibilities. And yet, the Illinois State Treasurer has the same level of data-protection responsibilities as a commercial bank. According to Daniels, “We do not have the human capital to have as robust a cybersecurity team as large private-sector financial institutions can afford.” Which means they have to do more with less.

But more challenging than staffing limitations was the agency’s legacy security environment. When Daniels arrived two years ago, legacy security devices in place were “convoluted and hard to use,” requiring a lot of troubleshooting. And with a required external security audit looming, the team needed not only to streamline management but also to strengthen security. “The cyber threat landscape changes every day,” Daniels says. “If you are not following best business practices and utilizing a layered approach to security, it is hard to combat advanced threats.” The agency had been standardized on a set of firewalls and other security solutions for decades, but those products were expensive and difficult to manage. Daniels felt that they needed to make a change.

The Illinois State Treasurer was already using a FortiGate appliance for virtual private network (VPN) functionality. When Daniels learned that it was also a fully functioning next-generation firewall (NGFW), he decided to conduct a trial. His team embarked on a proof of concept with a FortiGate NGFW and immediately liked its ease of use, including consolidated user interfaces and single-pane-of-glass visibility. Within a few weeks of launching the NGFW proof of concept, Daniels had removed a significant portion of his existing cybersecurity architecture and replaced it with Fortinet solutions.

The Power of a Security Fabric Approach

One of the things that Daniels and his team liked was the Fortinet Security Fabric. Fortinet security tools, such as FortiGate NGFWs and the FortiSandbox solution, are designed to interoperate as a single, integrated system. As a result of the Fortinet Security Fabric’s simplified management and integrated solutions framework, the State Treasurer’s office was finally able to begin addressing a nagging backlog of security issues. For example, they used FortiSandbox to perform a deep analysis of the more than 2,500 different applications in place at the agency—many of which had not been assessed for potential threats in several years—revealing several applications that needed to be removed.

The Treasurer’s Office also rolled out FortiWeb, a web application firewall (WAF), to protect a cloud deployment in Microsoft Azure, and FortiGate Cloud, a Software-as-a-Service (SaaS) solution that provides cloud-based management of FortiGate NGFWs. As a result, they began receiving weekly cyber threat assessment reports that provided a comprehensive overview of their environment.

These solutions not only provide greater visibility into their network, but also allow them to do things like isolate network traffic to a particular endpoint or application, something their legacy firewalls could not do. The Fortinet infrastructure also consolidates information about threat detection and response networkwide, which is essential for securing sensitive data such as account or routing numbers and connections with external financial institutions.

Passing the Compliance Audit

Daniels’ team recently underwent their first information security audit, which occurs every two to five years. Working with Fortinet, they prepared by rewriting their policies and procedures to follow the guidelines of the National Institute of Standards and Technology (NIST) and Microsoft’s Security and Compliance Framework. And during the audit, the weekly security reports provided by FortiGate Cloud became a critical resource. They provided Daniels with the hard data necessary to answer auditors’ questions and demonstrate compliance with required security controls. As a result, the audit passed without issue.

But that was not the end. Daniels believes in continuously improving his organization’s security to meet evolving cyber threats. Since the audit, he has purchased FortiAnalyzer and is working to take advantage of its improved visibility and security analytics. “FortiAnalyzer provides a much deeper dive into our network, so I am actually looking forward to the next audit. We will be much better prepared.”

Setting the Bar Across the State

These strategies and solutions implemented by the Illinois State Treasurer’s office have now set the bar for other state government agencies. Daniels participates in weekly calls with external agencies, where they share information about the security challenges that they are facing and how they are addressing them. According to Daniels, “Without the partnership with Fortinet, we would not have been able to shed light for partner agencies—very similar to our own—on the importance of looking outside the box for the way they do security.”

Ready to learn more? Read the full case study article for Illinois State Treasurer’s Office today: “Illinois State Treasurer’s Office Sets an Example for State Agency Cybersecurity.”


This content is made possible by our sponsors; it is not written by and does not necessarily reflect the views of e.Republic’s editorial staff.
