Sep 30 2015

Hands-On Security Tips from State and Local CISOs

We talk with security leaders at our StateTech Cybersecurity Summit to unearth hands-on ways to make protecting data and systems a collaborative effort.

Small, medium, big — no matter the size of the government, threats to data and systems remain a continuous concern for state and local chief information security officers.

A breach, after all, is a “when, not if” event, now that everyone in the organization has a device and most connect to something. More technology helps agencies better serve citizens and their mission, but it also increases the potential attack vectors.

“The theory that you can fight everything off, you can’t live that way anymore. Accept the breach. Embrace the breach. It’s going to happen,” says Matthew McCormack, chief technical officer for RSA’s global public sector, who spent 20 years working in federal agencies. “If it hasn’t happened to you, statistically your security people haven’t caught it yet. Because when you look at some of the large breaches, the amount of time the bad guys were in there was significant.”

Even so, CISOs report that convincing city, county and state leaders of the value of cybersecurity investments remains as challenging as ever. Just over 75 percent of CISOs responding to a Deloitte–NASCIO survey last fall reported that their IT security budgets were underfunded.

How can security teams stay ahead of bad guys and hapless employees who mistakenly create IT vulnerabilities? To find out and share a practical perspective, we talked with three CISOs who took part in our recent StateTech Cybersecurity Summit. Collectively, they span all sizes of state and local government. We spoke to Paul Bivian, CISO in Chicago’s Innovation and Technology Department; Ricardo Lafosse, CISO in the Homeland Security and Emergency Management Department for Cook County, Ill.; and August Neverman, CIO and CISO for the Technology Services Department of Brown County, Wis.

STATETECH: What factors affect what threat intelligence can, or cannot, be shared?

Lafosse: It depends on the sensitivity of the data and the source of the data. Is it declassified information that can be shared between government agencies and with our constituents?

Our Homeland Security Department has a situational awareness group that sends out alerts to our municipalities through our Public Safety Consortium. So that’s how we get information out to our local municipalities and our constituents within Cook County.

But it’s also knowing, up front, which data we can actually share. It’s critical to respect the privacy of the data that you receive before sending it out. For example, if the city of Chicago were to send to me something from its city team, like, “Hey, it looks like we’re getting attacked from these organizations,” I might de-identify the information and send an alert to our internal elected officials noting that the city is seeing this type of attack — like, “We see these IP addresses, or someone’s exploring; there’s a patch here or Tomcat or whatnot.”

I’d give them the high-level information. That’s what’s key. It’s respecting the privacy of the individual information.

It gets trickier when you get third-party feeds that you pay for. There are a lot of export restrictions. Often I can’t send it to another county or even Chicago because I paid for that feed; it can only be used for Cook County. So you have to be aware of those restrictions.
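The de-identify-then-share step Lafosse describes above, and the licensing restriction on paid feeds, can be expressed as a small sanitization routine. The code below is an added illustration, not tooling from Cook County or from the article; the `Indicator`/`Report` types, the sharing markings (`public`, `government`, `licensed`) and the sample report are all assumptions constructed for the example, and the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Sanitize a partner's threat report before forwarding it (added example, not the county's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Matches dotted-quad IPv4 addresses in free text so they can be redacted
# from the narrative that goes to a non-technical audience.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Indicator:
    """One observable plus the handling rules it arrived with (assumed schema)."""
    value: str
    kind: str           # "ip", "domain", ...
    source: str         # who provided it
    sharing: str        # "public", "government" or "licensed"
    licensee: str = ""  # for "licensed": the only organization allowed to use it


@dataclass
class Report:
    """What a partner jurisdiction sent us (assumed schema)."""
    reporter: str             # e.g. the city team that reported it
    narrative: str            # free text exactly as received
    indicators: List[Indicator]
    remediation: str          # the generic fix, safe to pass along


def can_share(ind: Indicator, recipient: str, recipient_is_government: bool) -> bool:
    """Apply the handling marking: public goes anywhere, government-only stays
    inside government, and a paid feed may only be used by the org that paid."""
    if ind.sharing == "public":
        return True
    if ind.sharing == "government":
        return recipient_is_government
    if ind.sharing == "licensed":
        return recipient == ind.licensee
    return False  # unknown marking: withhold rather than guess


def deidentify(text: str, reporter: str) -> str:
    """Strip the reporting organization's name and any raw IPs from the narrative,
    leaving the high-level description of what is being seen."""
    text = text.replace(reporter, "a partner jurisdiction")
    return IPV4_RE.sub("[IP redacted]", text)


def build_alert(report: Report, recipient: str, recipient_is_government: bool) -> Dict:
    """Produce the alert we are allowed to send `recipient`: a sanitized summary,
    the remediation, and only those structured indicators whose marking permits it."""
    shareable = [i for i in report.indicators
                 if can_share(i, recipient, recipient_is_government)]
    return {
        "summary": deidentify(report.narrative, report.reporter),
        "action": report.remediation,
        "indicators": [i.value for i in shareable],
        "withheld": len(report.indicators) - len(shareable),
    }


# Constructed sample input; not a real report.
SAMPLE_REPORT = Report(
    reporter="City of Chicago",
    narrative="City of Chicago web team sees scanning against Tomcat from "
              "203.0.113.7 and 198.51.100.22; one host was compromised.",
    indicators=[
        Indicator("203.0.113.7", "ip", "City of Chicago", "government"),
        Indicator("198.51.100.22", "ip", "PaidFeedVendor", "licensed", licensee="Cook County"),
        Indicator("malware-staging.example", "domain", "OpenFeed", "public"),
    ],
    remediation="Apply current Tomcat security updates and confirm the manager "
                "interface is not exposed to the Internet.",
)

if __name__ == "__main__":
    for who, gov in (("Cook County", True), ("Brown County", True), ("Acme Corp", False)):
        print(who, build_alert(SAMPLE_REPORT, who, gov))
```

The split is deliberate: the free-text narrative is always de-identified, because prose is where a source organization and its raw observations leak to people who only need the headline, while the structured indicators are released one by one according to the marking they arrived with, so a licensed feed never travels beyond the organization that paid for it.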

Neverman: We definitely run across the challenge of how to get specific tactical information to the people in the local government who need it in a way that works. That gets back to getting individual agencies subscribing to information feeds in the first place, because then I don’t have to worry about getting them the information; they already have it. That’s my big challenge: getting other agencies that I have no direct control over to subscribe to and receive information feeds.

STATETECH: What tips do you have for how state and local governments can tap into and share threat intelligence?

Bivian: We leverage MS-ISAC (the Multi-State Information Sharing and Analysis Center) from an external security operations perspective. If they see any activity that’s malicious out on the Internet, they try to find out who is impacted, and they will provide that information as long as it’s a government.

Neverman: And you can join MS-ISAC as a local entity — pretty much any government entity can join for free.

Bivian: Also, if you’re not a member of InfraGard yet, I would recommend it. They are a great source of information.

As to MS-ISAC, they have a lot of resources you can tap into. You can become part of focus groups, collaborate and develop standards and practices, or leverage existing information for your environment. You don’t need to reinvent the wheel. You can tap into those resources, and they can provide you templates and information to build on.

Lafosse: We have an information security working group that has a security liaison, often a CIO, for each jurisdiction. We meet on a monthly basis to talk security strategies, clear lines of communication and also build out our security framework as a whole.

Those stakeholders are on a distribution list. As we see events, we send information to them, and it’s a give-and-take relationship. They’ve seen significant value from the data that we’ve been providing.

They also provide us information. For example, if they notice that eight to 10 of their workstations have been infected by CryptoLocker or something, they will give us an indication that we may need to adjust our security controls based on what we’re seeing in this specific department.

Bivian: One of the things we’ve done is we set up the Chicago Regional Cybersecurity Working Group. We include our sister agencies. We meet bimonthly — basically to share information in terms of what we’re each seeing.

STATETECH: How do you build institutional knowledge around cybersecurity within your organizations?

Bivian: Institutional knowledge is always going to be a challenge. It’s just going to depend on how you document information, how you store it and how you disseminate it. It’s difficult in the public sector as well as in the private sector.

I think the public sector might have more of a challenge than the private side. On the private side, you could probably pour more money into it.

I actually came from the private side. This is my first public sector position. And you have a little bit more flexibility, more structure and more resources at your fingertips on the private side than you do in the public sector. One recommendation for building institutional knowledge would be scheduled training sessions to pass the details on.

STATETECH: How do you broaden awareness about the necessity for cybersecurity?

Neverman: Try to be a partner. Because if you’re sitting across the table from them — you know that adversarial relationship — they’re going to shut down. If you’re sitting next to them, helping them solve a problem, that’s a completely different relationship.

It’s just one simple thing. I go to the department heads. I go to the sheriff. I go to the jail. I go to whoever it is. I let them be the boss of the conversation, and that helps. It’s “I’m here for you,” not the other way around.

Bivian: I was talking to another CISO, and she actually had some consultants come in and build out a whole program. They created a mascot and a marketing campaign, and awareness just went from night to day. They had all their employees actively involved. Last year was the first year that we did citywide online training, and it was very well accepted. People want to learn, so if you give them an avenue and some way that’s creative and fun, they’ll like it. Oh, and it has to be easy to use too.

We’re a victim of our own success because now we have a lot of people asking questions — a good problem.

Neverman: One of the things we’re trying to do is target partners. As you probably know, the Target attack was a side door, through the HVAC company. So partners are a big deal, the phishing through the side door kind of angle.

If we’re engaging our partners, it’s really about reducing risk. I’m reducing the risk in the community at the same time. I’m killing a couple of birds with one stone because I’m able to get out in the community a little bit, while I’m also reducing the direct risk to the county.

STATETECH: Is it tough to find and keep qualified security techs? What do you do?

Lafosse: There’s a perception that government’s not sexy: We need to get past that.

We deal with a lot of cool technology that most organizations don’t deal with. Who else deals with a jail management system or crazy, weird technologies in squad cars or public records systems? We deal with a lot of unique data. We have a marketing issue, to tell you the truth.

And keeping employees is also very tough unless you keep them engaged, get them new technologies, get them excited about coming to work — “Here, build this crazy Band-Aid thing.” It keeps them busy; it keeps them happy. You need to have that type of stimulation to have good employees.

Challenge your employees. For example, we do weird fun logic games every once in a while, just because we can. Give them odd projects that aren’t the norm. For example, instead of upgrading a system, ask them to create a honeypot and see what they can find. Engage them with different types of technologies and projects that they’re not used to.

Illustrations by Cheryl Chalmers. For tips on how to avoid data loss, head here.