As data breach headlines keep rolling in from private sector companies such as Target Corporation as well as government agencies and universities from all over America, the importance of cybersecurity leadership has never been greater. Meanwhile, the pace of technology change and the need for new forms of cyber protection continue to accelerate – from mobility projects to big data analytics to cloud computing capabilities.
Last November, the National Association of State Chief Information Officers (NASCIO) surveyed the top state government technology leaders in the nation regarding upcoming IT plans and challenges. The CIOs again voted cybersecurity as the #1 priority to be addressed for 2014. The roles of government CIOs and CISOs have never been more important in championing change. Meanwhile, the CIO/CISO relationship has evolved over the past decade to a point where a close partnership and common strategy are vital to building a successful cyber defense for government enterprises.
Which leads to several important questions: What is really being done right now to address and mitigate our growing cyber threats in government? Who’s leading the charge at the state level? How do they achieve the desired results? What best practices can be shared?
To help answer these questions, I am kicking off a series of interviews with top state and local government CIOs and CISOs from around the country. The goal is simple: To listen to their words and learn from their ideas and actions. I also hope this series can advance a necessary dialogue. Note: In most cases, state government CISOs report to their state CIO.
One huge benefit of getting involved with NASCIO, the National Governors Association (NGA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) events and committees is that we can learn from our peers from all across America and gain insights while developing positive professional networking opportunities.
Why start in Mississippi?
I am starting the CIO/CISO interviews in the South, because Mississippi has two solid technology and security leaders with a rare combination of technical and management expertise along with an unassuming approach to performing their professional duties. Dr. Craig Orgeron, who is the Mississippi CIO, is a class act who has emerged as a national government technology leader. Mr. Jay White, who is the Mississippi CISO, is a respected, confident, cybersecurity leader with several security best practices to share.
I was given the privilege of working with Jay very closely in 2012-2013 in the MS-ISAC mentoring program. Needless to say, I was very impressed. Throughout the program, I often felt as if I learned more from Jay than he learned from me. Many other CISOs and security directors around the country have developed similar relationships by collaborating with cyber pros in other federal, state and local governments.
Here’s the interview:
Dan Lohrmann: Tell us about your scope of responsibilities as CIO of Mississippi.
Mississippi CIO, Dr. Craig Orgeron: As the Executive Director of the Mississippi Department of Information Technology Services (ITS) I am responsible for the establishment of policy, future direction, and for provision of computing and telecommunications infrastructure for all information systems technologies within Mississippi State Government. I strive to position ITS to serve as the catalyst for effective planning, deployment, and operation of innovative information technologies by forming dynamic partnerships with our customers and the private sector. In the last several years, with the rapid change brought about in our industry and with the impact of the great recession, ITS has focused on a set of efficiency-based recommendations with hopes of fostering a dialogue to discuss the types of changes and resources necessary to continue to provide successful leadership and stewardship for statewide IT efforts.
Dan: What keeps you up at night regarding cybersecurity?
Dr. Orgeron: I am most concerned about the human factor, as it relates to cybersecurity. The ubiquity of available platforms, especially mobile devices, creates a rich and diverse landscape for exploiting the human factor – which would make awareness and training a significant mitigation strategy. Forwarding an agenda targeted at training and awareness in a state government that has many independent agencies is a challenge.
Dan: As the NASCIO President, you have testified before Congress about cyber threats that states face. What was the main message and how was that received at a national level?
Dr. Orgeron: From the feedback NASCIO gathered, the message was well-received. The message, at its core, was one of collaboration. As noted in our testimony, both public and private sector entities will need to develop better tools and increase collaboration to both deter attacks and plan a coordinated response to contain the damage from successful attacks. The issue is only partially financial, and also revolves around policy and human resources. On policy, the single key to ensuring a substantial attack does not blindside us is the federal government facilitating greater information sharing between federal agencies, the private sector and state and local partners. As for workforce, NASCIO also supports efforts to include state governments as a participant in programs that build the public sector cybersecurity workforce – states face a great challenge in attracting and retaining talent in this information security sector.
Dan: Is cybersecurity given a high priority in Mississippi?
Dr. Orgeron: Yes, we have made cybersecurity an area of priority, as I expect all state governments have, given the potential threat. Jay has done a superb job growing our program, in partnership with all our peer agencies. From an awareness and training perspective, we strive for an ever-increasing level of cyber vigilance.
Part 2: Interview with Mississippi CISO
Dan: Tell us about your scope of responsibilities as CISO in Mississippi.
Jay White: As CISO, I am director of the Information Security Division of the MS Department of Information Technology Services (ITS) and our mission is to provide resources, guidance, and oversight needed for improving the cybersecurity posture of the enterprise network for state government operations. We are responsible for developing and maintaining the State of Mississippi Enterprise Security Policy that establishes the minimum security requirements for state agencies and we manage core and perimeter defense systems for the enterprise state network. We also collaborate with each state agency on strategies for improving the enterprise-wide approach to information security.
Dan: What’s hot right now regarding your role? Where are you spending your time to protect your state government?
Jay: Over the last 18 to 24 months, cybersecurity has made national headlines with the announcement of multiple high profile data breaches and reports of cyberterrorism activities. This proliferation of cybersecurity news has reached a larger audience outside of the information security community raising the level of concern of federal, state and private entities including our citizens. Key government stakeholders are beginning to realize that cybersecurity is much more than just an information technology problem – it is a business problem.
Dr. Orgeron and I realize this is a critical point-in-time for bringing state agencies, government leaders, and policymakers together to encourage them to consider cybersecurity risks as a priority similar to more traditional risks like financial, safety, and operational. Improving cybersecurity risk awareness can lead to government stakeholders becoming problem-solving partners by committing resources, participating in the decision-making process and helping to remove barriers that impede progress.
Dan: What actions are you taking in Mississippi to mitigate the risks your state agencies face?
Jay: Advancing enterprise cybersecurity for state government must include state agency participation and we are fortunate to have an effective Information Security Council made up of Information Security Officers (ISOs) from each agency. The ISOs are an integral part of our initiative for aligning the enterprise security program with the recommendations outlined in the National Cybersecurity Framework and the National Governors Association Call to Action for Governors for Cybersecurity. Utilizing the recommendations provided by national experts from both the public and private sectors will help the state close the gap between where we are today and where we would like to be in the future.
We continue to research enterprise security solutions for protection against emerging security threats. However, we realize that an increased focus on detection capabilities and our overall ability to respond to cyber events are vital components for improving our cybersecurity posture. Last year, we partnered with the Department of Homeland Security for our first multi-agency cybersecurity tabletop exercise and we believe the lessons learned from this exercise will serve as an impetus to improve upon cybersecurity policies, procedures, and readiness.
Dan: Do you have enough talent in the cybersecurity area? How are you attracting and keeping cyber talent?
Jay: It is no secret that finding skilled cybersecurity professionals is a problem that we all face. We must create a higher demand for those professionals, as they are crucial to an organization’s cybersecurity posture. All stakeholders must understand that achieving a high level cybersecurity posture will not be possible without appropriate resources. Aligning funding with cybersecurity goals is imperative as we develop initiatives for attracting talent.
Dan: Is there anything else you’d like to share about your cybersecurity program in Mississippi?
Jay: With the heightened awareness of the challenges surrounding cybersecurity, now more than ever, stakeholders have a vested interest in improving state government’s cybersecurity posture. By working together to establish a common methodology, we can ensure state agencies have appropriate information security controls and can have confidence those controls are implemented in a cost effective manner. Improving the enterprise-wide approach to information security demonstrates due diligence to the citizens and businesses who rely on government services.
Dan: My thanks go out to Dr. Craig Orgeron and Mr. Jay White for their time in participating as the first state in this CIO/CISO interview series. Mississippi, NASCIO and the MS-ISAC are fortunate to have these excellent leaders.
Wrap-up
Heading into the gubernatorial elections this fall, when thirty-six states and three territories hold elections on November 4, 2014, cybersecurity topics may become campaign issues in some states. Even where that doesn’t happen, good cyber leadership remains an urgent need.
A perfect storm of issues is raising the profile of our cybersecurity leaders. Therefore, the thoughts and plans of current leaders can help during this transition process.
As the CIO/CISO interview series continues (every few weeks as part of this blog), I plan to cover leaders from around the country to gain different perspectives on cybersecurity projects, programs and issues from leading CIOs and CISOs. I hope to hear from large, medium and small states reflecting our sometimes differing but shared challenges in all parts of the country.
Feel free to leave a comment or questions. I’ll try to get input from the appropriate government CIO or CISO.