NASCIO Midyear 2018: Michigan Embraces CISO as a Service

The state of Michigan saw a challenge: It wanted to assess the baseline cybersecurity of public networks throughout the state — but it wanted to do so with consistency, and it wanted every county to participate.

To meet these requirements, Michigan launched a pilot program to establish a Chief Information Security Officer (CISO) as a Service. Michigan IT officials explained the program during a panel discussion at the 2018 National Association of State Chief Information Officers (NASCIO) Midyear Conference in Baltimore on Monday.

“The goal was to provide resources to each county and to serve as a trusted broker,” Michigan Deputy Chief Security Officer Chris DeRusha said. And to do so with awareness that funding is often in short supply, particularly at the local level.

The Michigan Department of Technology, Management and Budget (DTMB) saw common governance as a key to establishing a baseline. DTMB asked the questions, where do we start, and what are the priorities? It then deployed a knowledgeable CISO to provide a baseline assessment of the cybersecurity posture of participating counties. That CISO employed a free IT security assessment tool called CySAFE (Cyber Security Assessment for Everyone), which was created by the state and counties to assess, understand and prioritize their basis cybersecurity requirements.

The initial 18-month, state-funded project runs through the end of fiscal 2018 and includes 10 counties, with three more in the pipeline. Each initial assessment took perhaps a half day or more and cost $5,000 to $10,000.

The reception so far has been positive, and the state and counties already are contemplating how to ensure the program stays funded perpetually.

SIGN UP: Get more news from the StateTech newsletter in your inbox every two weeks!

CySAFE Scorecard Sets Local Priorities

At the end of each assessment, CySAFE generates a scorecard, rating 35 different controls on a score of 0-5.

“All municipalities for the most part have the same problems,” DeRusha said, explaining that best practices from existing frameworks developed under 20 Critical Controls, ISO 27001 and the National Institute of Standards and Technology informed CySAFE’s controls. With CySAFE, Michigan seeks to provide its counties with actionable findings and meaningful metrics so that they can make risk-based prioritizations and realize cost efficiencies. They also can benchmark their progress against their peers.

Deputy Director Andy Brush of the Office of Infrastructure Management and IT Manager, Washtenaw County, Mich., emphasized the benchmarking was very important to the participating counties, including his own.

“Everybody got to do the self-score, and then we talked about the scores,” Brush said. With their scores, each county could choose perhaps the top five things to address instead of trying to focus on all 35.

As the pilot draws to a close, stakeholders agree that it’s been valuable, so they are looking forward to what’s next with CISO as a Service.

“Do we keep it in the state? Go to a nonprofit? Farm it out to a for-profit company? Each option has its pros and cons, and that is what we are going to weigh together with the state,” Brush said.

After an annual assessment, counties then could decide if they want to purchase individual services from the CISO service, whether that be penetration testing, log monitoring, policy development or other support, he added.

State CIO as a Trusted Broker

“They don’t know what they don’t know,” emphasized Michigan CIO David DeVries. The goal of the state is to help counties identify the challenges they face.

“It’s not about getting an appropriation — that’s a losing battle,” DeVries said, saying the state would like to figure out the best way to act as a trusted broker to the counties and find ways to connect them with the services they require.

Brush echoed that sentiment: “The win is that we are working together and performing a common assessment. We work together where it makes sense and work locally where it makes sense.”

DeVries, who was formerly CIO for the U.S. Office of Personnel Management, compared the state service with how the U.S. Defense Department provides support to state National Guard bureaus. The Pentagon cannot fix every problem for each bureau — it can only provide guidance and support where it has resources to do so. Similarly, state agencies for healthcare, energy and others hold responsibilities for their networks but turn to the state CIO as a resource.

“We provide advice and assessment, but they still own the problem,” DeVries said. “How do you put the right resources to it? Hopefully, we have given them better information to deal with their challenges.”

Bookmark this page to follow StateTech’s coverage from the NASCIO 2018 Midyear Conference. Follow us on Twitter at @StateTech and keep up with the latest conference conversations using hashtag #NASCIO18.