State

After 10 years, Minnesota CISO steps aside

Chris Buse is staying in state government, but his time leading statewide cybersecurity operations is over for now.

November 7, 2017

Minnesota State Chief Information Security Officer and Assistant Commissioner Chris Buse is leaving his state’s IT office after more than ten years at the post, officials confirmed to StateScoop Tuesday.

Buse, who was the state’s first state CISO, will leave Minnesota IT Services (MNIT) at the end of the month and return to the Office of the Legislative Auditor, where he will serve as the deputy legislative auditor for the financial audit division. Before joining MNIT, Buse spent nearly 20 years with the legislative auditor’s office.

In an internal memo announcing the move, MNIT Commissioner and State Chief Information Officer Thomas Baden says they are “sad to lose Chris’s leadership” but “tremendously proud for the work Chris has done,” which includes forming the state’s first cybersecurity strategic plan from scratch.

“Chris Buse has been a strong advocate for increased cybersecurity protections, has served as a security leader for our state and nation, and has been recognized as a Public Sector Visionary Leader of the Year by the Cybersecurity Summit,” Baden writes.

The memo also cites “health issues at home” as a motivating factor for the change, which Buse confirmed with StateScoop as one of the reasons for the change.

Buse said that being the state CISO has fulfilled his personal goal of having a job endowed with a sense of purpose.

“I’m leaving my current role to take on a new and different assignment that will give me that same feel-good attitude at the end of the day,” Buse said. “I also have some other things going on in my life as well, and I think it’s important for me to get out of IT and turn the IT reins over to another individual within my organization.”

As the state’s first CISO, Buse helped the state develop its strategic plan, which is updated annually and contains a “five year vision.” Key cybersecurity strategies contained in the plan include building “foundational pillars” of the state’s enterprise security program, facilitating the sharing of resources with other levels of government and partnering with academia to help fill the state’s cybersecurity talent gap.

“I had this unique opportunity to build our cyber program from the ground up,” Buse said. “It was really a neat opportunity to come into an organization with a blank sheet of paper and be able to craft something as large as a cyber program for state government from scratch.”

The state’s cybersecurity plan is built around a “well-defined service delivery model,” a standards framework, and a strategic plan — a “living document” that serves as a baseline for all of the state executive branch’s cybersecurity operations.

“Most people think of a plan as something you write and put on a shelf, but that’s not the thing we’ve done here,” Buse said. “We have a really comprehensive strategic plan that outlines a five-year vision for our state, but it also includes current-year milestones. … This year we have 54 milestones in our plan that are driving the work that we’ll be doing.”

The state has yet to name a replacement to Buse, but whoever it is, he said will have a solid foundation to build upon — the challenge will be to find the funding to complete as much of the plan as possible. Cybersecurity isn’t just a technical task, Buse said, but a coordination and resource issue, as well.

“I’m proud of the plan because it’s brought the entire state government community together as a team so that we have one common plan that drives all the work that’s done in the executive branch of state government,” Buse said. “It’s a remarkable feat when you look at where we started at a long time ago with that blank sheet of paper.”

A hearing to appoint Buse to his new post is scheduled for Thursday.

“I’d just like to say thanks to all my colleagues in the state government security community and the multi-state-ISAC,” Buse said. “One of the things that’s become very clear to me over the years is that if we’re going to succeed in cybersecurity, we’re going to have to figure out ways to partner for success. … I feel really blessed to take on this role for so many years and I’d like to say a final thank you to all my peers out there in the government sector. There’s some really, really great individuals and I feel blessed to be able to work with all of them.”

Update: On Nov. 7, MNIT announced that Aaron Call, the department’s director of information securirty, will serve as an interim replacement to Buse.