Missouri has long been a leading state government in implementing technology solutions. One example: Missouri jumped from a 'B+' in 2012 to an 'A' in its 2014 Digital States Survey grade. That improving score reflects how innovative Missouri leaders are in applying technology to serve their citizens. So how does Missouri secure enterprise data? What cybersecurity priorities, challenges, actions and plans are Missouri's CIO and CISO working on right now?
I am continuing a series of popular interviews with state and local government technology leaders around the nation. Specifically I am asking questions of chief information officers (CIOs) and chief information security officers (CISOs) surrounding cybersecurity and the tactical and strategic security plans that are in place to protect citizens' data.
In highlighting significant state government technology accomplishments over the past few years, The Center for Digital Government (CDG) was especially impressed with the progress made in Missouri. Here’s a brief excerpt from a 2014 Digital States Survey summary report:
Missouri’s jump from a B+ to an A was partially the result of work done around collaboration. Projects like the 100 Missouri Miles Challenge, a website designed to encourage citizens to exercise and share their progress through social media, demonstrated a successful marriage of civic engagement, data, and modern technologies. ...
Missouri CIO Tim Robyn said the state's success stems from executive leadership from Gov. Jay Nixon and support from the Legislature -- support that continues throughout state government. “It is certainly an honor for our state to be mentioned alongside Utah and Michigan, and there are literally thousands of hard-working individuals that have been involved in our efforts,” Robyn said. “The willingness to work together has allowed our team of dedicated state IT professionals and private-sector partners to work together and change the way government operates, making it more effective and efficient while enhancing citizen access to services.”
Whenever I see this kind of technology success and progress in the public or the private sectors, I try to dig a bit deeper to see what I can learn about the top leadership that enabled their team to do great things.
In Missouri, state CIO Tim Robyn’s recent success and accomplishments are truly noteworthy. Tim was named State Executive of the Year by StateScoop in 2014. As described by the National Association of State CIOs (NASCIO) website:
Tim Robyn has been employed by the State of Missouri since 2005. In 2013 he was named Chief Information Officer after serving as Acting CIO for a year. From 2009-2011, he served as a Deputy CIO and was responsible for Enterprise Applications like the State’s ERP system. He was also responsible for the State’s public facing websites and led the State’s effort to develop citizen-centric websites and engage citizens through the use of social media.
Tim attended Stanford University on a golf scholarship and graduated with degrees in Economics and Engineering.
The Missouri government chief information security officer is Michael Roling. Michael has been the chief information security officer for the Office of Administration, Information Technology Services Division since October of 2009. He heads the Office of Cyber Security and is responsible for leading the information security posture for the state. Michael has been in information technology since 2001 and employed by the state of Missouri since 2003. Michael graduated from Saint Louis University with a degree in Management Information Systems.
Over the past year, I have been able to get to know Mike in a variety of settings, and I am impressed with his security knowledge, determination and his Office of Cyber Security (OCS) team’s plans.
Mike has been highlighted in state government as a Gen Y up-and-coming star for a while, and he published this interesting security PDF back in 2010 on the importance of security awareness for the end user. On a personal side, you can follow Mike on Twitter at: @michaelroling. (Check out his Twitter profile picture. He has a good sense of humor.)
On to the CIO Interview
Dan Lohrmann: Tell us about your scope of responsibilities as CIO in Missouri.
Missouri CIO Tim Robyn: My primary responsibility is overseeing the Office of Administration’s Information Technology Services Division (ITSD). ITSD is a consolidated IT agency of about 1,000 employees who provide direct IT support to 14 of Missouri’s 16 executive departments and two elected officials. ITSD is responsible for data center computing, networks, telecommunications, end user support, cybersecurity, application development, etc. We work with state agencies to support the technologies that help them fulfill their missions by delivering critical services to citizens and businesses.
Dan: Missouri has won many national awards for technology leadership. What is your secret to success?
Tim: It starts with the leadership at the top. Governor Nixon and the Legislature have worked in bipartisan fashion to leverage technology for the benefit of citizens. I’m very thankful for the collaborative spirit that exists between the commissioner of Administration and department directors that allows projects to be executed in accordance with strategic priorities, including cybersecurity. And of course, success ultimately depends upon our excellent team of IT professionals and the dedicated state agency employees they work with on a daily basis to make things happen.
Dan: How important is security in your job?
Tim: Cybersecurity is our No. 1 priority. We consider it part of everyone’s job and attempt to make it part of state government culture and bake it into the processes that are employed every day by all of our employees.
Dan: What keeps you up at night regarding cybersecurity?
Tim: Cybersecurity is an ever-evolving challenge for all state governments. Our adversaries are smart, persistent and more than capable of inflicting harm upon us. We remain vigilant and are not under the misconception that we have defeated them. Our hope is that we can make it difficult for them to gain access to state assets. When they do gain access to state assets, we hope to have insight into the threat and respond swiftly and effectively in order to minimize the damage they cause. But it’s a daily battle.
Dan: How has security changed throughout your career? Is it more important today with big data, mobile computing and the cloud security challenges?
Tim: Cybersecurity is indeed more challenging in today’s world. First, technology is more important and pervasive than in years past. We have more numerous and more diverse assets to protect -- mobility, cloud and the Internet of Things are good examples. We need to move forward with the rest of the world while securing our new technologies and systems. Second, our adversaries are more numerous, more sophisticated and better equipped than ever before. It is critical to understand that. That fact makes it imperative to remain vigilant at all times and equip our cybersecurity professionals with the tools and training they require to be effective. Third, hacking techniques are often targeted at end users. Social engineering and spear phishing are especially difficult to defend against. Thus, success depends on making cybersecurity best practices a part of our culture and training our end users on how to use email and the Internet in a secure manner.
Dan: In 2015, is cybersecurity given a high priority by your governor? How does cyber get attention with so many competing projects and priorities?
Tim: Cybersecurity is indeed a high priority for our governor and the Legislature. In fact they have led the charge in Missouri. It is foundational to our successful use of technology because citizens expect us to secure their data and maintain their privacy. The media has done an excellent job informing the public of data breaches and the threats that exist. It seems like there is a different news story about a data breach every day so the awareness exists in everyone’s mind. This makes it easier to have conversations about cybersecurity with all stakeholders.
Note from Dan -- Tim also gave an on-camera interview to StateScoop last year.
On to the CISO Interview
Dan Lohrmann: Tell us about your scope of responsibilities as CISO in Missouri.
Mike Roling, Chief Information Security Officer: As the CISO for the state of Missouri, I provide cybersecurity guidance and oversee related efforts throughout state government. My office, the Office of Cyber Security (OCS), is responsible for managing all cybersecurity-related events within the enterprise and ensuring proper administrative and technical controls are implemented to safeguard Missouri’s information systems. OCS promotes and provides expertise in cybersecurity management for all state agencies and supports national and local homeland efforts.
Due to the increased awareness of information-security-related events and insight into the network and endpoints as a result of expanding its capabilities, OCS has created a Security Operations Center (SOC). The SOC, as the name implies, is responsible for monitoring all information security operations within the enterprise. The SOC is also responsible for managing all information-security-related incidents for the enterprise, ensuring they are properly identified, analyzed, communicated, remediated and reported.
The citizens of Missouri benefit greatly from the SOC as the core mission of the SOC is to ensure that citizens’ data remains private and secure. The SOC also mitigates the potential liability caused by data breaches. A single data breach could cost Missouri taxpayers approximately $20 million to $40 million based on similar-sized government breaches and data lost. The SOC also assists in the enabling and continuity of state government processes. The intelligence gathered by the SOC is distributed throughout state government so that appropriate controls and proper threat awareness are achieved. Additionally the SOC takes action on incidents that could lead to significant downtime if left unattended.
Dan: What’s hot right now regarding your role? Where are you spending your time?
Mike: Incident response, awareness, threat intelligence sharing and automation are all hot items right now within my office. These items play a significant role in us achieving the four goals outlined in our cybersecurity plan: create a culture that fosters the adoption of cybersecurity best practices, use cutting-edge technologies to protect state assets, respond to cybersecurity incidents swiftly and effectively, and establish and maintain IT governance that promotes cybersecurity.
Incident response drives many of our key initiatives. By increasing awareness among our end users, we’re giving them the knowledge to defend themselves against social engineering attacks and to properly handle data. By doing so, end users have become a key incident detection system that complements our advanced threat detection systems and other controls.
Threat intelligence is the lifeblood of the SOC. Understanding the threats we face and knowing the enemy not only ensures swift and effective incident response, but also drives the technical and administrative controls we implement. Besides utilizing the intelligence we receive from our vendors, we’re in the early phases of implementing a TAXII [Trusted Automated eXchange of Indicator Information] service to enable us to consume threat intelligence from other states and local governments and to also share our own threat intelligence. The TAXII service provides an excellent method for machine-to-machine communication, but doesn’t lend itself as a good intel source for humans. To share our threat intelligence with other analysts, we created the Missouri Cyber Security portal.
Because of all of the moving parts within OCS, we automate where we can. Not only does this reduce pressure on staff, but it helps us achieve the goal of responding to incidents swiftly and effectively. One example is that we automated our network access control solution to take action on an endpoint based on indicators from our advanced malware protection system.
Dan: Your state is known as a leader in the area of technology, so how do you handle cybersecurity as part of that team?
Mike: First and foremost, we handle cybersecurity by ensuring that everyone within IT knows their responsibilities. OCS is not responsible for writing secure code, managing access lists on switches or hardening servers. We have specialists within application development, networking and our state data center who accomplish these tasks. OCS helps drive the culture through awareness, continuing education and assessments. OCS does manage a thick stack of sophisticated security controls that fill significant gaps in visibility and protection.
In addition, I have been forward-thinking with the CIO’s Office about what the future looks like in the state of Missouri and trying to be a step ahead of the future business processes and the threats that may put them at risk.
Dan: Do you have enough talent in the cybersecurity area? How are you attracting and keeping cyber talent?
Mike: We currently have the necessary talent to execute Missouri’s cybersecurity plan. Two of the goals in our cybersecurity plan actually help in keeping our team lean, efficient and effective: creating a culture that fosters the adoption of cybersecurity best practices and using cutting-edge technologies to protect state assets. By creating a cybersecurity culture, it is in the forefront of every employee's mind. This culture empowers both business and IT to make the right decisions; in other words, a cybersecurity culture greatly reduces OCS’ workload. The cutting-edge, best-of-breed technologies from our partners maximize our effectiveness and at the same time reduce overall workload.
We attract cyber talent in several different ways. In the past, we have utilized internship programs to attract potential full-time candidates and to introduce them to this ever-changing and challenging field. Second, we attend numerous job fairs across the state, promoting our solid work environment and the benefits of working for the state of Missouri. Keeping cyber talent is a challenging issue. I have been very fortunate to have a 0 percent turnover rate since becoming CISO back in 2009. I attribute this retention to our solid team environment and, as we have expanded OCS, to hiring the right individuals for the job.
Dan: Is there anything else you’d like to share about your cybersecurity program and upcoming projects?
Mike: I’m very excited about our cybersecurity threat intelligence sharing efforts, our continuous incident response improvement process and automation of actions that historically have been labor intensive. Sharing actionable cybersecurity threat intelligence with peers and vendors alike will not only heighten Missouri’s security posture but everyone else’s too. As we continue to utilize best-of-breed solutions, our incident response process will be in a constant state of improvement throughout each of the five steps we have identified (detection, investigation, containment, mitigation and education). In regard to automating cybersecurity actions, one example is what we accomplished with the containment of infected endpoints. Using a multi-vendor approach, we have taken our advanced malware platform and integrated it with our network access control solution. When advanced malware is detected, network access control immediately contains the infected endpoint.
Dan: I’d like to thank Tim and Mike for taking the time for this very informative interview. Missouri is certainly a national leader in state government cybersecurity efforts.
Next week, we will travel to Portland, Ore., to learn how the Port of Portland, a local government organization, handles technology and cybersecurity.
Note: You can follow Dan Lohrmann on Twitter: @govcso