Q&A: New Orleans CIO Kimberly LaGrue Discusses Cyber Resilience

STATETECH: Could you highlight some of the technological developments New Orleans has achieved during your tenure as CIO?

LAGRUE: Well, the thing that gets way more attention than I would like is surviving the 2019 cyberattack. That was an achievement for us. Having done as much preparation as we had, we led not only an extensive recovery but a swift and consistent recovery. It actually took us nine months to fully recover, but it involved a total refresh of our architecture. We stood up a robust disaster recovery strategy and a data center outside the city.

It was an enterprisewide refresh of our computing environment. It was a move to modern business applications and a significant reach into quality infrastructure that we had not made before. The interruption fortunately lasted for a brief period and happened two weeks before Christmas. We had a lot of staff on vacation and out of the office, and it gave us time to plan and a goal to restore service by the new year.

When the pandemic hit soon after, we were even ready for that, because we had implemented a remote work strategy in the three months after the cyberattack to protect the city from threats outside of our environment. Our pivot into remote work was pretty successful, and we are very proud as an organization that there was minimal interruption of city business during the pandemic.

We are also really proud of our strong data center migration strategy outside of the city. We can mitigate damage from environmental factors such as hurricanes and other external threats by placing our resources outside the city. We operate on a higher level for business continuity than many other agencies in our space. We are proud of that strategy and of how we’ve been able to virtualize much of our environment and modernize the infrastructure and the way our teams are working.

DISCOVER: How state and local governments can modernize data centers.

STATETECH: These sound like great elements of cyber resilience.

LAGRUE: They absolutely are. Cyber resilience is truly born out of having plans. And that cannot be an afterthought. Your strategy cannot be reactionary.

Filing an application for cyber insurance takes an organization through a series of questions that are critical to seeing how a potential investor or insurer perceives your organizational structure and your business continuity. Cyber resilience is about how you continue to work in an environment when threats are present. We think about all kinds of things. What if a bus ran through the window of our data center? We go through those scenarios and ask ourselves if the city would ever pay a ransom. We have built a strategy that makes sense for our organization. You have to know your environment, and you have to know your business and how to survive those things.

Every organization should take itself through the exercise of cyber resilience planning. Each organization faces its own unique challenges.

READ MORE: Boost data protection with Backup as a Service.

STATETECH: Could cities in particular be better at specific aspects of cyber resilience?

LAGRUE: Cities in particular must have a strategy and the personnel to do that work. They must realize that it is always underrated and underfunded. Some people may see that you have technical staff and ask why they can’t also perform security functions. Why do you need new people with specific expertise? Well, cybersecurity is different from other aspects of technology infrastructure, and not everyone understands that.

Cities are used to doing a lot more with less. We must call out overlapping roles in cybersecurity.

The other thing that we saw here was the attention our city leadership paid to cybersecurity. It was instrumental. It was the thing that allowed us to recover so quickly. It was having cyber insurance. It was greenlighting recovery projects. It was being able to retire legacy applications or not reintroduce legacy applications that had their own set of risks back into the environment after the cyberattack. Those things are strong supports for a cyber resilient strategy in any city, and they are not something that cities may think about a lot.

Cities are engrossed in the business of delivering services to constituents. But appreciating that a cyber interruption could knock down a city makes everyone think about that differently. In our cyberattack, we had the support of the mayor, the chief administrative officer and the homeland security office. The problem was elevated to those levels, and we were grateful that they appreciated the importance of the challenges.

The most integral part of a good resilience strategy for government, especially for city government, is for city leaders to pay attention to it and buy into the idea that these are real threats, and they must be addressed?

STATETECH: How is the whole-of-state cybersecurity approach working in Louisiana? Does New Orleans benefit from state resources?

LAGRUE: First, I have to tell you the state has been a lockstep partner with us. We learned of cyberattacks across the state through Louisiana’s fusion center. They were very active, very vocal about other threats. We gained a lot of insights, a lot of information, and they were on the ground helping those agencies to recover. The state had almost 200 volunteers in its response arsenal, led by the Louisiana National Guard and the state of Louisiana’s fusion center. During our cyberattack, the group of volunteers that was helping other agencies came from those events straight to New Orleans for our event.

The state has been pretty thoughtful and vigilant about preparing for cyberthreats for years. Louisiana was one of the first states to introduce a cyber emergency support function into its emergency support framework. So, we have Emergency Support Function 17, which was the last emergency support function to be added into the framework for Louisiana. And that’s because the state understands this.

In our state, and I know it’s common in most states, there are many very small agencies that don’t have much technology infrastructure, let alone a cyber strategy or a cybersecurity posture. And the state is considerate of those places and what levels of protection they need. Through our fusion center, the state has developed an innovative shared services model. We fully trust the state of Louisiana and support the planning work that’s happening at the state level.

We haven’t decided if we will need to participate in the shared services model, because we understand that so many other agencies need support more than we do. But we are considering buying into that program as well. Louisiana is exemplary in what they’re doing in the cybersecurity space.

EXPLORE: Building modern integrated cyber recovery environments.

STATETECH: At Smart Cities Connect 2023, you talked about how New Orleans uses open data to inform residents of flooding. Have there been any updates to that initiative?

LAGRUE:  We’re constantly building on our GIS footprint. We started GIS mapping with looking at blighted housing in the city and understanding how that was affecting neighborhoods, and we’ve continued to build on that GIS footprint. We overlayed our GIS footprint with flood alerts using the calls for service and underpass flood sensors. When a resident calls 911 and says, “My street is flooding,” or an officer calls to report a flooded street, we take that call for service and overlay it with our GIS mapping. That became our map at Streetwise NOLA.

It wasn’t very sophisticated. We basically crowdsourced our flooding footprint. And that continues to grow. The next step is the further use of sensors for a more real-time picture. Weather is intensely local in New Orleans, and the difference between flooding and not flooding can be a few blocks in any given storm. We’ve partnered with Weatherstem for a more comprehensive view of weather from neighborhood to neighborhood, and investments are being made in more localized sensors.

We’re hosting the Super Bowl in 2025. We’re using our GIS insights and we’re starting to identify where we might need permits and understand how we would manage traffic in this large footprint. We are in the middle of an asset management implementation, which will then put our street-level assets in the same space with our flood sensors and our traffic sensors, so that we understand what the city owns, where repairs need to be made and how we can address those things more quickly.

LEARN MORE: Why GIS is central to future emergency responses.

STATETECH: Are there any other milestones that you hope to achieve in the next few years?

LAGRUE: Right now, we are exploring AI and machine learning, the hottest topic in technology. We’re looking at how to pragmatically implement generative AI and machine learning to deliver city services. We see them as force multipliers. We have sizable investments of American Rescue Plan Act funds. So, we have millions of dollars dedicated to several ARPA projects, and a proliferation of data, particularly in our justice system, where we might use AI and machine learning to sort through data and get responses to our public safety officials more quickly.

It’s also a force multiplier in the cybersecurity space. We can do more with AI to speed up detection and improve insights into our response to cyberthreats. In the next 12 months, we want to become very proficient.