Vitaliy Panych, who was affirmed as the state’s chief information security officer in January, discussed broad-level IT and cybersecurity issues and goals, how California works with security partners, and offered best practices during a recent virtual event. Among the takeaways:
- The state aims to make its services easier for residents to use even as having a diverse, large population gives California a huge digital footprint and a “pretty significant attack surface,” its CISO said — making “the way we operationalize it and operate our systems, our attack surface, become critical.” But putting people first is one of the tenets of the state’s IT strategic plan — meaning the state must close the digital divide and make its services more equitable, inclusive and easier to interact with.
  “So, we need to make our services accessible, easy to use; and sometimes, the way we generally in the industry implement and operationalize security can impede our service delivery. If we get inconsistent, how we implement identity management can also affect how we interact with our users or deliver services. So that’s a huge challenge is, really, the accessibility in delivering our services that are unique but at the same time, privacy preserved and in a secure fashion,” Panych said during an online Fireside Chat Thursday with representatives of Optiv.
- Doing more in the realm of digital service delivery also opens up a bigger attack surface for the state, Panych warned. Officials have observed fraud, misinformation and disinformation — but also the commoditization of fraud to the point where bad actors can potentially acquire what they need on the dark web to accomplish “what used to be sophisticated fraud.”
- There are two challenges around data, the state CISO said — one of which is the supply chain of the flow of data, which he described as “highly critical.” Tracking the state’s data, ensuring it is secure and managed, and operationalizing privacy all become further complicated when dealing with third- and fourth-party organizations, Panych said. Data integrity is also crucial for the state, as “an askew data set or information set can really have some negative downstream kinetic effects,” Panych said, highlighting the COVID-19 vaccine supply chain as an example of an area where accurate data is vital.
- The state needs to deliver “services including security controls and security control services” in a centralized or uniform fashion, Panych said, when asked about aspirations or goals for the state in a broader, two- to three-year timeframe. The services offered by California’s Security Operations Center have matured, and many of its processes, such as monitoring, data correlation, automation and orchestration, are being automated. Additionally, officials will likely be looking into ways to operationalize audit and assessment tasks to enable “additional audits to organizations,” the state CISO said; and “operationalizing it, just so we can have more continuous metrics and continuous security posturing, visibility into all organizations.”
  An ongoing goal in state government during the past decade has been centralizing resident-facing identity management, Panych said, noting that among California’s roughly 140 different departments, there’s “roughly 300 different services.” He’d like to see one state identity for residents, where a person can go to the California Department of Motor Vehicles, get a Real ID and have their mobile identity displayable on their smartphone — along with a secure, audited, managed account that can be used everywhere from filing for unemployment to obtaining state hunting, fishing and other forms of licensing, Panych said: “We need to really head towards a single, unified identity management system to not only just secure identity management, but also create that seamless easy user experience that is putting people first, so that they can interact and get services from the 300 or so different applications out there.”
- Informal and formal collaboration happens “all the time,” Panych told Optiv CEO Kevin Lynch in response to a question about working with other governments and states to understand “the attack side of this equation” and compare notes. Informal collaboration happens regularly with other states and even private organizations and other countries, the state CISO said. But California collaborates more formally as well, which is why officials created the California Cybersecurity Integration Center, “to exchange threat intelligence information in a non-automated fashion,” he said, indicating he expects its “fusion center-type model” to continue to evolve during the next year.
- Don’t overlook the basics, the state CISO said in his final words of advice. Do your patch management, look at how your administrative accounts and privileges are managed — and don’t forget security awareness and education and a focus on internal culture change. “Because a lot of security due diligence can be done with just that and just culture. Security is not a tool; sometimes it’s a process, but it’s also a practice,” Panych said.