States increasingly rely on CISOs to take the lead on IT security and keep tech vermin at bay.
The theft in November of a notebook computer from the Army Cadet Command’s headquarters at Fort Monroe, Va., placed the government’s information technology security policies and procedures in the spotlight — yet again. A database file on the computer held personal information about 4,600 high school seniors, applicants for Army ROTC scholarships, and included their Social Security numbers, birth dates, home addresses, phone numbers and parents’ names.
The focus on IT security in government and the many high-profile privacy violations that have taken place in recent months have led to the creation of IT security leadership positions at the city, state and federal levels. Primary among these is the chief information security officer, or CISO. These top-level security chiefs have become prevalent, emerging as leaders of information assurance policy and strategy.
A Natural Progression
States have faced a number of high-profile IT issues over the past 10 years or so. The Year 2000 issue focused attention on the IT aspect of state agency operations. Committees were formed across various agencies and departments to address the crisis that might have developed as a result of computer programs storing the year with only two digits instead of four. Part of Y2K planning was contingency planning to ensure that the most critical services, such as medical, police and fire services, would keep running come Jan. 1, 2000. Many states built elaborate backup systems and developed failover and recovery policies and procedures.
What began as Y2K preparedness turned into disaster preparedness and emergency response after the terrorist attacks on the World Trade Center and the Pentagon on Sept. 11, 2001. City, state and federal governments saw an immediate need to organize IT as a central function so they could manage systems more easily in an emergency. Information security came to the forefront as every aspect of government was examined to find ways to prevent further attacks by securing systems and tracking potentially dangerous individuals.
Emergency preparedness continues to be important for governments in the wake of such disasters as the 2003 blackout and 2005’s Hurricane Katrina. But there’s more to the expanding role of the CISO than emergency preparedness.
Org Chart Positioning
In many states, the chief security official — whether called a chief information security officer or something else — reports to the CIO, according to a survey by the National Association of State CIOs.
Arkansas, Delaware, Iowa, Kansas, Louisiana, Michigan, Texas and Virginia follow this model. This reporting structure, which mirrors the typical private-sector CISO's place in the hierarchy, ensures that the CISO is not buried within the IT organization and can rely on the CIO's authority to impress the importance of security on state agencies.
Other approaches include having the CISO report to an administrative agency or department head, or to the governor or a cabinet member.
In general, state governments, businesses and individual citizens have grown increasingly dependent on technology over the past 15 years. The challenge of protecting state systems and the information that resides on them has grown more complex, as has the challenge of ensuring that businesses and citizens can conduct business securely and reliably over the Internet. Several high-profile information leaks by state and federal governments have led to an erosion of citizen trust. Threats such as hackers (both vandals and genuine criminals), viruses, spyware and denial-of-service attacks are real.
“Initiatives such as mobile work, centralization of data centers and VoIP have prominent security components,” says Michigan CISO Dan Lohrmann, who helped coordinate the IT emergency response to the 2003 blackout. All of these factors have led states to create centralized information security functions headed by CISOs.
The complexities of state government have created the need for a position with an enterprise view of IT security. The holder of this position, typically given the title of CISO, must make sure that all state agencies meet minimum IT security requirements. In the beginning, state CISOs primarily focused on responding to daily threats, but over the past few years the position has evolved into one of IT security policy leadership. “Initially, one of the biggest challenges was just getting people’s attention; now the challenge is building security into the entire lifecycle process of everything state agencies do,” says Lohrmann.
State CISOs must educate their governors, state agency leaders, legislators and citizens about information security. They also must form and maintain good relationships with homeland security and emergency management officials to ensure that government systems are protected.
Governance and Authority
58% of CISOs say they play a strategic role in their state’s IT planning.
29% of state CISOs report that their role is predominantly policy-oriented.
SOURCE: 2006 NASCIO survey
There are concerns that having the CISO report to the CIO may create a conflict of interest because those who manage an organization’s IT also oversee its security. As a result, Colorado and California created CISO positions that don’t report to the CIO. In Colorado, the position is in the governor’s office and reports to the governor’s chief of staff. California’s CISO is part of the state’s department of finance.
Independence is great, but the CIO and CISO must work closely together to create and enforce IT security policy and procedures. The CISO must wield sufficient authority to properly carry out his or her duties to secure the state’s IT function. The CISO must be able to provide guidance regarding IT security strategy at the highest levels of state government. “It is absolutely critical that we have excellent working relationships with contacts in cabinet-level agencies,” says Larry Kettlewell, CISO for Kansas. Also, state governments can show that IT security is a priority by placing the CISO in a high-profile position.
CISO authority varies from state to state, ranging from only a few state agencies to all three branches of government. According to the National Association of State CIOs, most states have an enterprisewide CISO who develops and promulgates security policies and procedures for a federated organization. Most state CISOs have authority within the executive branch. Authority over educational institutions, such as K–12 and higher education, also varies by state. For example, Arkansas and Louisiana have CISOs with authority that encompasses higher education.
Some state governments have a council or forum to coordinate security functions among state IT officials. For example, Kettlewell chairs his state’s Security Council, which in turn recommends policies to the state’s IT Executive Council that has members from all branches of government as well as local and law enforcement representatives. “We have a federated IT governance structure and a very collaborative spirit throughout the enterprise,” Kettlewell says.
What's a State CISO to Do
The role of the chief information security officer has evolved over the past few years from a focus on perimeter defense to strategy, policy and business-process enablement.
Requirements under laws such as the Health Insurance Portability and Accountability Act and Sarbanes-Oxley Act emphasize the importance of business processes and how to protect them. This evolution is demonstrated by a 2005 CSO Research Reports survey in which 58 percent of the survey respondents (both public and private chief security officers) indicated that they play a strategic role within their organizations.
The overall trend toward the CISO as a strategist is evident on the state level as many CISOs report shifting their attention from purely operational duties to enterprise policy development within the context of long-term IT security strategy. “I have always been 60 percent operations and 40 percent policy development. I would be very reluctant to be in a policy-only mode because if you’re not in touch with your network or you don’t know the context of what’s happening on a daily basis, then you can’t set forth rules on IT security,” says Kansas CISO Larry Kettlewell.
According to a National Association of State CIOs survey, state CISOs typically handle similar responsibilities. More than two-thirds of survey respondents (41 state CISOs) indicated they have a mix of both policy duties (planning, business strategy, enterprise architecture, policy formulation, budgeting and related activities) and operational duties (network monitoring, perimeter defense, threat analysis and training). Add the 29 percent of respondents who reported primarily policy-related duties, and the picture is clear: nearly every state CISO has policy responsibilities, and most balance them with operational work.
State CISOs also develop enterprise security programs and enforce them. And they play a role in drafting and editing cybersecurity regulations and legislative initiatives. Michigan CISO Dan Lohrmann says he “spends a lot of time working with the Department of Homeland Security, the FBI and the criminal justice community on cybercrime issues and the national strategy to secure cyberspace.”
CISOs must develop business cases for continuing investment in IT security and typically rely on return on investment and return on security investment as their primary metrics. CISOs are responsible for reviewing state agency IT projects for compliance with security policies. Vulnerability assessments and audits typically fall within their purview, as do security training and awareness. They also are responsible for risk management and for incident management and response, as well as IT forensics and investigations. Some state CISOs are responsible for physical security as it relates to securing the state's IT assets. Many state CISOs also must ensure that an adequate infrastructure is provided for 911 emergency services.
As Lohrmann puts it: “We have a hand in everything.”