In Massachusetts, Cybersecurity Is First a People Issue

The state has been successful at reducing its cyber vulnerabilities by nearly 50 percent in the last year, its CISO said, as it undertakes a statewide strategy to grow a cybersecurity culture.

Reducing cybersecurity vulnerabilities often means starting with building relationships across people and departments.

“From our vantage point, what we learned, strategically, it’s a people process issue,” said Anthony O’Neill, Massachusetts chief information security officer and chief risk officer in the state’s Executive Office of Technology Services and Security. In an interview, he outlined his strategy to raise cybersecurity awareness and effectiveness across state agencies.

“I think if you’re going to take a whole-state approach, like we have to cybersecurity and risk management, it starts with the people, as front of mind,” O’Neill said. “And you have to develop and build that trust, and earn it, and I think that goes a long way in trying to carry out your goals and objectives.”

In 2017, Massachusetts changed state law, enabling the consolidation of technology, service delivery and security. The Executive Office of Technology Services and Security is a cabinet-level office, able to troubleshoot and interact easily with other cabinet-level executive offices like Health and Human Services, Elementary and Secondary Education, and Energy and Environmental Affairs — each of which has within it a number of agencies.


“So that’s how we got a lot of stakeholder buy-in,” the CISO said. “Everybody wants to be part of the outcome. And so, as we started to implement … we started to see just great cross-functional collaboration.”

“People that didn’t know each other a year ago now suddenly are communicating on a frequent basis,” he added. “Removing communication barriers really helped facilitate and enable the success.”

The success is real. Vulnerabilities viewed as high — those that are “known exploitable vulnerabilities” — have been reduced nearly 50 percent in the past year, O’Neill said.

“These are the ones that they’re known to be exploitable in the wild, and maybe they’ve been around for a long time, and maybe they bubble up to the point of what we would consider a critical vulnerability,” he explained.

Reducing vulnerabilities also requires knowing what devices and systems are out there. O’Neill’s team conducted a thorough asset identification to understand the extent of their holdings.

Getting support and buy-in from other senior leadership officials “is certainly a priority,” said Troy Schneider, executive vice president and general manager for Billington CyberSecurity.

“Getting CIOs and CISOs ‘a seat at the table’ and ‘making cyber a team sport’ have been focal points for years,” Schneider said via email. Beyond these structural changes, he noted, are other safeguards like “identity management zero-trust architecture, standardized security frameworks and certainly asset identification.”

Cybersecurity is not solely a state concern, but one that confronts county and local governments as well. O’Neill helped to form the Massachusetts Municipal CISO Council which, again, focuses on building working relationships among officials charged with safeguarding public systems and data.

“The thought process there is to bring the local leaders together in the risk and security space, so that can also establish a peer-to-peer network,” the CISO said, explaining that the aim was to create a structure with reduced barriers to communication.

“Because oftentimes a local government or municipality may not necessarily know where to go,” O’Neill said. “Maybe they call the federal government. Maybe they don’t. Maybe they call the Massachusetts State Police. But we want our security and operations center to be on the front of mind so that they can also receive notice of an incident, and help provide any type of remediation resources necessary.”
Skip Descant writes about smart cities, the Internet of Things, transportation and other areas. He spent more than 12 years reporting for daily newspapers in Mississippi, Arkansas, Louisiana and California. He lives in downtown Yreka, Calif.