Cybersecurity is what IT professionals in state and local government think about over breakfast, lunch and dinner these days. Think that sounds like an exaggeration? For 2017 — and the two previous years — security has been named as the number one policy and technology priority from the National Association of State Chief Information Officers (NASCIO).
At the 2016 NASCIO conference in Orlando in September, the organization unveiled its state cybersecurity report, produced in partnership with Deloitte. As part of its assessment on the condition of cybersecurity inside state and local government agencies, the report notes a major achievement in cybersecurity leadership:
For the first time, all respondents report having an enterprise-level CISO position. The CISO role itself has become more consistent in terms of responsibilities and span of oversight. CISOs are also focusing their energies more on what they can control.
Given this milestone, we thought it would be worthwhile to highlight a few notable chief information security officers in state and local government. There are many CISOs across our cities, counties and states doing incredibly challenging work, but here are five to get you started.
Who is he? Stanton Gatewood has served as CISO for the state of Georgia since February.
What’s his previous experience? Gatewood is a cybersecurity professional with more than 15 years of CISO experience, having served in that capacity for institutions such as the University of Southern California, the University of Georgia and the University System of Georgia. His cybersecurity career spans more than 33 years in the military and public/private sectors.
What is one of his goals as a CISO? Gatewood is a firm believer in growing the talent pool for state and local government cybersecurity professionals. Earlier this year, he gave a TEDx talk about the need for cybersecurity awareness among young people and the general need to grow the pipeline for cybersecurity talent.
Notable Quotable: “The biggest threat to the system? It’s not the latest malware or a virus. It’s funding, budgeting, support and strategic planning. If we don’t have those things, we’ll remain vulnerable.” — Stanton Gatewood, StateTech
Who is he? Chris Buse has served as CISO for the state of Minnesota since June 2007.
What’s his previous experience? Buse has a background in accounting, which led to work in IT auditing for the Minnesota Office of the Legislative Auditor, according to his official bio. Earlier this year, he was honored by the Cyber Security Summit and named Public Sector Visionary Leader of the Year.
What is one of his goals as a CISO? Buse aims to secure more funding for cybersecurity in his state. He has been out touting the need to invest in cybersecurity now, not after a breach has occurred. Earlier this year, Minn. Gov. Mark Dayton asked for more than $45 million from the state legislature “to help state agencies shore up cyber defenses,” according to a report from Minnesota Public Radio.
Notable Quotable: “You can't be a successful security leader if you live in a vacuum. You need to be part of a broader cyber security ecosystem that shares information across boundaries.”— Chris Buse, Cyber Security Summit press release
Who is she? Elayne Starkey has served as CSO for the state of Delaware since October 2005.
What’s her previous experience? Starkey studied computer science in undergraduate and graduate school before taking on her first post-grad IT job with Xerox, where she spent nine years working in software development. In 1996, she joined the public sector side of IT with the Delaware Department of Public Safety when she took on the role of CIO for the agency. After that, she became chief technology officer for the state of Delaware, a role she held until taking over as CSO for the state.
What is one of her goals as a CSO? Starkey wants to boost cybersecurity awareness among average users more rapidly. The Delaware Department of Technology and Information has a robust online hub called DigiKnow, dedicated to educating users on cybersecurity threats and best practices. It even has an accompanying Twitter handle that Starkey sometimes tweets from herself, with tweets signed ES at the end.
Notable Quotable: “It is extremely satisfying to protect state data and shut down risks. If I can say we are more secure today than we were yesterday, it’s been a good day.” — Elayne Starkey, MS-ISAC Q&A
Who is he? Timothy Lee has served as CISO for the city of Los Angeles since September 2014.
What’s his previous experience? Lee has over 15 years experience in the role of CISO. Prior to his current role, he was the CISO for the Port of Los Angeles for 13 years, “where he established the Port’s cybersecurity program and was the project manager for the Cyber Security Operations Center (CSOC), which won the 2015 American Association of Port Authorities IT Award of Excellence,” according to a bio from the RSA Conference.
What is one of his goals as a CISO? Lee works to integrate and centralize IT security so that information is stored and shared in a more effective manner — and doesn’t get lost in the silo vacuum. He deployed this consolidated model, which is called the Integrated Security Operations Center (ISOC), reports public sector IT magazine GCN. Thanks to this centralized security approach, “the city blocked over 127,600,000 cyberattacks and identified and remediated 14,189 pieces of malware” in May 2016 alone.
Notable Quotable: “ISOC is not just about information collection. We needed a system that allows our internal and external stakeholders to extract the information from ISOC directly with near-real-time, read-only dashboards that show the current security posture city-wide.” — Tim Lee, Infosecurity Magazine
Who is he? Michael Dent has served as CISO for Fairfax County in Virginia since September 2002.
What’s his previous experience? Overall, Dent has nearly 25 years of professional cybersecurity experience in state and local government. Prior to his current role, Dent served as Information System Security Officer for the Virginia Department of Corrections.
What is one of his goals as a CISO? Dent strives to control and limit the impact of insider threats. Last year, he spoke on a panel about insider threats at a government IT conference hosted by Symantec. One of the tactics Dent deploys to limit insider threats is to put the onus back on data owners, by asking specific questions about what is in the data and how it will be used, before granting permission to share that data outside of the organization, reports CIO.
Notable Quotable: “[CISOs] are the wall that every C-suite needs to ensure that all possible solutions, scenarios and risks are considered.” — Michael Dent, Security Current