Former Washington CISO Joins Private Side of Government Cyber

Last week, Vinod Brahmapuram joined IT company Lumen as senior director of security focused on SLED markets. He recently caught up with GovTech about top cybersecurity concerns facing agencies.

Former Washington CISO Vinod Brahmapuram announced a new role at IT company Lumen, after leaving the Evergreen State in March.

Brahmapuram’s move into the private sector follows 21 years in state government, working for New Hampshire and South Carolina before Washington, according to his LinkedIn.

Last week marked Brahmapuram’s first days as Lumen’s senior director of security, where he will focus on the state and local government and higher education markets, he told Government Technology.

“Having served in three different states, it was a tremendous, tremendous learning experience for me — understanding the business of government, understanding the challenges that frequently start coming in that space,” he said. “I can use that experience to really position the solutions that are highly needed in those sectors to get better from a security standpoint … and to improve community outcomes.”

Brahmapuram said he sees three key concerns in public agencies: coping with talent shortages, managing ramped-up demand for digital services and dealing with rapidly increasing cybersecurity threats.

As a former CISO, Brahmapuram is well aware of the cyber risks public agencies and private firms can face. The Washington Attorney General’s Office (AGO) released its 2021 Data Breach Report during Brahmapuram’s tenure as state CISO, which detailed record-breaking numbers of cybersecurity incidents. Public and private organizations reported 280 data breaches to the AGO in 2021 — a 500 percent increase over the 60 reported in 2020. The AGO also found that cyber attacks were behind 87.5 percent of the breaches.

These figures didn’t capture every breach in the state, only those with enough impact to warrant reporting. Organizations must inform the AG of breaches that affect the personal information of more than 500 residents and in which the perpetrators acquired the means to decrypt the data, the data in question wasn’t secured in the first place, or the breach was likely to put individuals at “risk of harm,” per the AG’s report.

Companies and governments across the globe have placed greater attention on cybersecurity, but Brahmapuram says he is concerned it still isn’t enough of a priority at some organizations.

“I am not really sure if everyone is now taking cybersecurity at the same priority level that [they] need to,” Brahmapuram said. “People do say that it's important; people do say that it is a priority. But is it to that level? Because we still have some challenges when we are making a business case for investments.”

Among state governments, legacy software also often compounds the cybersecurity issue, imposing risks if the software is no longer supported or patched, Brahmapuram said. Talent shortages make fixing this limitation more challenging, as there are then fewer people able to help with modernization.

High demand for digital services adds to government cybersecurity needs because agencies must be able to protect any resident data used in enabling the services, he said.

And agencies are still grappling with the new security landscape introduced by shifts to remote work, which see them rely on networks and devices outside of the state’s control. This situation leads to a need to reassess security strategies and a push for adopting zero-trust security.

As agencies try to upgrade their cyber postures, they should keep in mind that they don't need to change everything at once, Brahmapuram said.

With the shift to zero trust, organizations should take a measured approach. That starts by mapping out their existing setups and processes, then looking at what parts they want to maintain and what parts they want to “incrementally change” to bring them closer to achieving a zero-trust architecture. Partners can help them think through those kinds of decisions, he said.

“People mistake zero trust for a ‘complete blow off [of] your existing structure, start from a clean slate,’” Brahmapuram said. “That's not what it is. It's a journey.”

Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.