Before joining the state, Deborah (who often goes by Debbi) led the Information Technology Security and Compliance programs at TeleTech (five years) and Travelport (three years). Deborah is a Colorado native and graduated Summa cum Laude with a Bachelor of Science degree from Regis University.
I have known and worked with Debbi on several Multi-State Information Sharing and Analysis Center (MS-ISAC) initiatives, cybersecurity webinars and NASCIO security committee deliverables over the past several years, and she is always full of enthusiasm, displays a positive “can do” attitude and has a deep knowledge of technical topics. She is a sought-after expert regarding state and local government cybersecurity initiatives, so I was delighted when she agreed to be interviewed for my first blog of 2021.
Dan Lohrmann (DL): Debbi, you have held several security leadership positions. What are some of the differences between government and the private sector? What duties are the same?
Deborah Blyth (DB): The things that strike me as being vastly different as CISO between the public sector and private sector are scope of responsibility, legislative presentations and budgetary planning cycles. I have a much larger scope of responsibility as the state CISO than I did in either of my roles as the CISO of a private company. Being responsible for security for the executive branch agencies of the state government is like being the CISO of several distinctly separate companies all at once! In the private sector, I often presented to the board of directors. As state CISO, I often present to the legislature, and it’s very different and has a much more formal feel to it than presenting to a corporate board. In state government, the financial planning cycle is much longer than in the private sector. In March, we’ll start planning for fiscal year 2023! And we will have officially requested FY23 funds by November of 2021. I am always having to think about what my needs may be, several years into the future.
DL: As a result of COVID-19, tell us about a few of the top challenges you faced in 2020 in Colorado regarding technology and cybersecurity?
DB: In March, almost every state agency sent all personnel home to work remotely. Our office, the Office of Information Technology, was able to pivot quickly to accommodate all personnel, via the virtual private network (VPN), over a weekend! We had a great solution to handle the increased number of concurrent VPN connections; however, it wasn’t meant to be a permanent solution.
Additionally, the monthly patching process required VPN in order to be successful. Not everyone required VPN for their daily work, so our patching metrics started to trend downward after a few months of remote working.
Internal teams were working quickly to build new applications or evolve existing ones to assist with the state’s COVID-19 response. Security was considered critical to ensure sensitive information was protected; however, it was a challenge to incorporate security testing into the agile project development process.
DL: How did you overcome those issues?
DB: After a few months, we realized that not all 30,000 state workers would be connected to the VPN during working hours each day. So we were able to reinstate the redundancy we had, before breaking it to accommodate a fully remote workforce, to ensure we had a more resilient solution. Additionally, we were able to continue some of the projects that were underway prior to the COVID-19 response to add new remote access capability. We are starting to envision and architect the network of the future, which will service a greater percentage of remote versus on-site state workers. We actually deprioritized some of the projects we had underway to improve controls over the on-premise environment, favoring instead newly prioritized projects to improve security controls for remote workers. One of those projects was to ensure that the patching process doesn’t require the use of VPN.
It is fully accepted that the security team needs to be an active participant in the DevOps process. During our COVID-19 response, we had a chance to really engage in the agile workflow in a very fluid manner, and maybe more efficiently than before. We also became familiar with new tools used by the development team, and were able to help insert placeholders and action tasks at the appropriate time and with the appropriate priority to not slow down the project, but to ensure that security was addressed along the way.
DL: How big is the shortage of cybertalent in Colorado? Are you finding the right people to fill key vacancies?
DB: It really is a problem. However, I am finding high-quality candidates for every job I post. The problem is that I’m having a hard time retaining my qualified people, because everyone is looking to fill key cybersecurity positions. So my people are being lured away, either by more money, growth opportunities or typically both. We came up with an innovative way to address this problem — we have a veterans internship program, in which we hire military veterans as interns into our cybersecurity program and train them on our tools and our environment. The goal is to hire these veteran interns permanently into our program as openings become available. The program has been extremely successful: Currently, our permanent cybersecurity staff includes five employees that we hired from the program.
DL: Describe your resource situation. Is funding/budget a significant problem right now?
DB: Colorado is proud to be funding its cybersecurity program at almost 5 percent of the annual IT budget. However, that funding is still not enough to address all of our known gaps in a timely manner. We struggle with the execution of our projects because all IT projects are dependent upon personnel who are fully engaged with multiple competing priorities. And even when we budget for the addition of temporary project implementation resources, they still require support from our fully allocated personnel. Additionally, the cost of our tools seems to increase each year, while our budget remains static! So all of our tools are in competition with each other when it comes to renewal. We have been successful at increasing our cybersecurity budget incrementally over time; however, the budget isn’t quite at the level we need it to be, yet.
DL: What are your top cyberproject priorities for 2021?
DB: We have a project underway to implement Privileged Access Management for privileged accounts. We are making great progress and will be finishing this project during the first half of 2021. We are also implementing a new remote access solution to enhance the user experience for agency personnel and to simplify the network. Additionally, we have an effort underway to increase our compliance with CIS benchmarks and improve system hardening throughout our environment.
DL: How can security and technology vendors provide better help around the country in state and local governments?
DB: Security and technology vendors can familiarize themselves with state procurement rules and pay attention to the vendor management portal where solicitations are posted. MS-ISAC is another great way to bring technology to several states at once. MS-ISAC often pilots products for states and can help state and local governments utilize or purchase technology at reasonable rates. Most local government cybersecurity programs are significantly underfunded; vendors can help by expanding volume pricing discounts to enable those smaller entities to more easily afford security technology. Additionally, local governments often don’t have dedicated cybersecurity personnel, so they may be more interested in managed security services than on-site tools requiring ongoing maintenance.
DL: Where are the major vendor blind spots?
DB: Understanding state procurement rules is often a steep learning curve. Oftentimes, a security technologist will run into a constraint when trying to purchase a desired product because the purchase didn’t start in the correct manner. A procurement path is always needed, either through a currently established product vendor, or it can be created through a solicitation. When the product is chosen without the procurement path established, it can cause a lot of delay and sometimes actually prevents that product from being purchased. Vendors often don’t realize this and attempt to sell the security technologists on the product without ensuring that there is a purchasing path in place.
DL: Any career stories that you can share about lessons learned as a government leader?
DB: One time I signed up for a proof of concept (POC) as a way to pilot a new, really exciting technology. I assumed we had agencies who would want to participate, but I should have reached out and confirmed that first. The pilot was not successful because there wasn’t any buy-in, the timing was wrong and, as a result, our participation didn’t meet the requirements of the POC. The lesson that I learned was that buy-in and timing are critical to success, no matter how big or small the project will be. The work to gain buy-in and establish the timing needs to be done well in advance of the project, to ensure that the project is prioritized such that resources will be available to participate.
DL: Is there anything else you want to add?
DB: Being Colorado’s CISO has been the most rewarding and fulfilling job I’ve ever had. It has given me the opportunity to connect to the mission of each of our agencies and the valuable services they provide to the residents of our state. I am amazed at the talented people I work with, and I can see that they feel the same way I do about the mission of the agencies we support. And while we’ve made great use of video calls during this time of quarantine, I look forward to seeing my dedicated coworkers in person again someday.