STATETECH: What were the issues you had to address with a mitigation plan?
HUBER: On the whole, the assessment did validate our program, but we had several areas that needed to be addressed, in varying degrees of criticality. We already had several projects underway to reduce risk in the county and, the assessment allowed us to add to the list then prioritize what needed to be done in what order. The priority of work became less urgent when the convention went virtual.
STATETECH: What is your mitigation strategy?
HUBER: We received the assessment report in April. We immediately focused on critical issues, but generally you have to pick and choose your battles about where to start — resolving a specific issue quickly, or something such as deploying an enterprise tool correctly, which can take longer but gives us more bang for our buck. Then, there’s low-hanging fruit. I like to get a couple of quick wins with something like this. It demonstrates to people that we can take care of this, and usually there will be some items on the list that are not going to be that comprehensive and difficult.
STATETECH: What were the quick wins?
HUBER: Legacy system decommissions. The assessment found that we had some Windows 7 and some other outdated machines on the network, and we shut those down by the time of the convention. We’ve been working on the retirements for more than a year, but we finished them before the DNC, so that’s a win to tell everybody about.
STATETECH: Did the uncertainty about the form and venue of the convention because of the COVID-19 pandemic make it harder to address security issues?
HUBER: The county was more concerned, from a cybersecurity perspective, about the city and the county becoming targets for all the bad actors out there. We host milwaukee.gov, a joint effort that has resources for both the city and the county. Hosting the convention here made the site a prime target. The site is hosted in the cloud, but there were questions about perimeter security and issues like that.
Another concern was how we would be impacted when it comes to phishing or spear-phishing campaigns directed at either all our users or specific users within the organization. How were we going to prevent those attacks and deal with them if they happened?
If you had asked me last fall, I wouldn’t have been as relaxed as I became when the convention went virtual. At that time, I didn’t know what I didn’t know, and we hadn’t received the assessment report yet. Once we got the findings, there were some things I knew we needed to address, but nothing significant. It affirms what we’ve done for our cybersecurity within the county.
STATETECH: What lessons have you learned that will extend beyond the convention and into your day-to-day operations?
HUBER: My experience with the security assessment was really good. One of the lessons was that I’d like to do something like a comprehensive assessment on a more routine basis that would provide a complete validation of our security program. We’re always refining our security operations, but the shadow of the convention put a lot more focus on them. We expanded the use of our tools in the security operations center and we’ve refined our processes as well. We’ve been able to tweak the tools so they give us more information to rely on and enable us to do more with that information.
The assessment also changed our approach to funding. When the convention went virtual, we didn’t have as much urgency to go ask for the cash, but we had a plan in place for how we were going to come up with the funding.
Finally, I think that as a result of the assessment, people across the county organization are more in tune with and more alert to cybersecurity concerns. We’ve been communicating with our security council, which is made up of leaders and managers of 20 different departments, about the findings of the assessment, our response and other cybersecurity topics throughout the county. The assessment has allowed us to bring more awareness of security to the organization. It was an indirect result, but it was an important result. Awareness is the first step in cybersecurity.