Recently, I had the distinct pleasure to meet and work with Jeff Maxon, the talented CISO who leads the Kansas Information Security Office within the state's Office of Information Technology Services.
Jeff became the Kansas CISO in July 2020, in the midst of the COVID-19 pandemic, after serving the state in other capacities for more than 10 years. You can read Jeff’s bio here.
What immediately impressed me about Jeff was his passion for excellence in government, wide-ranging cybersecurity knowledge — demonstrated by a long list of certifications and education, including MSIAC, CISSP and CISM — and also his humility and breadth of experience.
I think Jeff’s description of how he got into the security field, as well as his professional growth in management and other government and business skills, is a model that many others around the world can learn and benefit from. Which brings me to this conversation we have on all things cybersecurity in Kansas state government. Enjoy.
Jeff Maxon (JM): When I began my career, I was not originally pursuing a cybersecurity path. Over the years, several supervisors and managers supported, guided, coached and even pushed me to where I am today. These supervisors and managers took a chance on me, gave me an opportunity, challenged me and placed a lot of faith in me. For that, I am grateful. In addition, I have been surrounded by great coworkers, peers and employees. I would be remiss if I did not mention them and their impact on me.
After several years of working as a server engineer for the Kansas Department of Revenue, the agency was in need of an information security officer. I had a Security+ certification for my Cyberspace Operations job in the Kansas Air National Guard. Based on my certification and understanding of the organization, my then-manager thought I was a good fit for the position and encouraged me to take it. He managed the IT security group for the agency and wanted to evolve the group into a more holistic security program from both a technical and policy side. This was my opportunity to move into a growing and increasingly important field and fill a need for the organization. The more I became involved in cybersecurity and information security, the more I wanted to continue down the cybersecurity path.
From the start, it was definitely a steep learning curve. Along the way, I had my fair share of failures. Despite the hiccups, it has been a rewarding experience, and I have come a long way from my first job with the state of Kansas as a third-shift computer operator.
DL: How has the pandemic changed the role of cybersecurity in Kansas government over the past two years? What have been some of your team's top accomplishments?
JM: The pandemic brought a heightened awareness to the importance of cybersecurity. The state of Kansas was very successful in quickly transitioning to a remote workforce while still being able to deliver services to the citizens of Kansas with minimal interruptions. In some cases, we had to evaluate and adjust our current security model to support the migration to remote work. In other cases, it accelerated certain cybersecurity efforts that were already underway. The pandemic greatly expanded our communication avenues with agencies and their staffs for the better. The level of interaction with our office was significantly more than before the pandemic.
The Kansas Information Security Office (KISO) has had numerous accomplishments over the past two years. First, the KISO received a 2021 CSO50 Award for developing and implementing a centralized log aggregation and management solution to provide a centralized SIEM solution for the state of Kansas. The team worked hard developing and implementing the solution and expanding it to numerous agencies. The KISO also assisted in the successful migration of agencies out of legacy data centers into new data center environments. In partnership with agency technical staff and agency leadership, we also launched two monthly lunch and learn series to talk about cybersecurity and information security topics and concepts and how to incorporate them into their organizations. Finally, Kansas also participated in its first national cyber incident exercise with DHS Cyber Storm 2020.
DL: What are your top cyber priorities for 2022?
JM: I am excited to see what is in store and what we can accomplish in 2022. We have a handful of priorities. Last year we took part in several efforts to develop a strategic cybersecurity road map for Kansas. First, we participated in the National Governors Association 2021 Policy Academy to Advance Whole-of-State Cybersecurity. We also recently completed a cross-sector cybersecurity task force on behalf of Gov. Laura Kelly to develop recommendations that improve cybersecurity in Kansas. Both efforts highlighted the state’s cybersecurity needs and strengths.
Building on our work in 2021, one priority for 2022 is to expand our outreach and collaboration efforts to additional partners and stakeholders throughout the state. For example, strengthening our existing partnerships with local governments and higher education institutions. We also want to partner with the higher education institutions and other regional STEM programs to create a cybersecurity internship or apprenticeship program. Based on lessons learned from our participation in Cyber Storm and the efforts of the task force, I would like to see us work with our various stakeholders and develop a cyber disruption plan for Kansas. Finally, one of my constant priorities is to continue raising awareness and educating agencies and their staff on information security, cybersecurity and cyber risk. I can put all of the security tools in the world on the network, but unless everyone is aligned, we won’t be successful.
DL: As you think about the dedicated cybersecurity grants coming from the federal government to state and local governments nationwide, each state is required to have an acceptable plan. How is Kansas preparing for that process? Will you be developing a new plan, or updating an existing strategic plan?
JM: The completion of the Kansas Cybersecurity Task Force has positioned us to work on a cybersecurity plan for the federal grant program. This will be a new effort for Kansas as we will leverage the work and relationships built from the Cybersecurity Task Force. The grants from the federal government have the potential to have major impacts on cybersecurity for the states and here in Kansas.
One of our primary goals is to find ways to maximize the effectiveness of these dollars coming into the state. We will be looking for ways to pool resources and leverage scales of economy to the best of our ability to try and have the greatest impact. We are very appreciative of the efforts from organizations like NASCIO and NGA in advocating for this program.
DL: How important is a zero-trust model/architecture to Kansas government? Where are you regarding implementation?
JM: A zero-trust model is very important to Kansas for a variety of reasons. The conversation has shifted from "if" to "when," and approaches need to be developed that make responding easier and minimize damage as much as possible. While not the most fun conversation to have, it is the unfortunate reality. Zero trust is an architecture that organizations can implement to achieve those objectives. The tangible security benefits of a zero-trust model are seen as more organizations adopt it.
The pandemic has accelerated efforts within the state to support the zero-trust model. Agencies support the model in varying degrees, but many are exploring what it will entail for their organizations to fully adopt the model. We also recognize we may see some core concepts from zero trust lead into potential federal compliance requirements for certain agencies. From a central perspective, we are looking at what core components we may be able to build out and support at an enterprise level to take the burden off the individual agencies.
DL: What are your thoughts on StateRAMP? Is certification of systems and solutions an important goal?
JM: StateRAMP is a fantastic effort to support states. Any level of additional vetting is important. As states continue to leverage cloud services and third-party risk continues to become a larger conversation, system and solution certification is vital. Programs like StateRAMP can help states assess cloud vendors and add another level of assurance. It is beneficial for the cloud vendors as well.
FedRAMP has been seen as the gold standard for government cloud vendors. However, FedRAMP can be an expensive and time-consuming undertaking for cloud vendors. In turn, this leads to increased costs for the customer. Additionally, there are multiple cloud vendors that only work with state and local governments and could not achieve a FedRAMP authorization. The StateRAMP approach solves several of those challenges while giving states a level of assurance when using a cloud provider.
DL: How can security and technology vendors support governments better in 2022? Where is the industry falling short?
JM: From a vendor perspective, we are always looking for partners, not just vendors. Cybersecurity and IT are an ongoing journey, and we need organizations that will be with us in this journey lockstep. We also need vendors who understand the dynamics of state government and Kansas in particular. IT and cybersecurity organizations at the state level are organized differently and have different laws that determine what they can and can’t do. Vendors need to understand the various nuances when engaging states.
DL: There is an ongoing debate about whether a degree, certifications or other credentials are needed for a cybersecurity career. What are your thoughts on this question?
JM: This will always be a debate. However, I think the desire to learn is one of the most important components when pursuing a cybersecurity career. Cybersecurity, and more broadly, information security, encompasses multiple disciplines and is rapidly changing and evolving. The constant evolution of the industry is why I think the desire to learn is so imperative. There are so many factors that can play into having a successful cybersecurity or information security career, and I view credentialing as a tool in the toolbox. As a cybersecurity leader who has pursued several certifications and higher education in the field, I see them as part of a broader professional development and continuous learning or education program. I am a huge advocate for continuous learning efforts for folks in the cybersecurity, and more broadly, information technology, career fields.
While degrees, certifications and other credentialing lend credibility to an individual’s understanding of broad cybersecurity and information security concepts and topics, they can also be seen as a barrier to entering the field. In a sector that has a significant shortage of professionals, the messaging that everyone needs to be credentialed can be a double-edged sword. As a cybersecurity leader, I keep in mind the opportunities my supervisors gave me to prove myself beyond what was on my resume. It’s important that we do the same and invest in the development of our employees and future cybersecurity professionals. There are very good employees and cybersecurity professionals out there just waiting for their first opportunity.
In an effort to help close the cybersecurity skills shortage, multiple Kansas higher education institutions have established cybersecurity programs. We are working on ways to become more involved with those institutions in the development of educational pathways as we look for opportunities to develop traditional and nontraditional students who can immediately contribute to the profession.