Jim Edman, CISO of South Dakota
This interview was conducted May 26, before Jim Edman announced his departure from the South Dakota Bureau of Information and Telecommunications. He’s now a state cybersecurity coordinator at the U.S. Cybersecurity and Infrastructure Security Agency.
What are the lessons from the pandemic you’ll take with you?
I think that probably the biggest lesson, and it may not necessarily be cybersecurity-related, but the culture of state government, historically, is if I can’t see you, I can’t manage you. It’s the whole remote-work thing. Jeepers, people can be more productive, they can work from home. It is a benefit that can be added to the recruitment and retention problem that state government suffers so much from. The technology has been there, whether it’s using VPNs or multi-factor authentication.
What do CISOs need to make the remote-work trend stick?
There are always more things out there we’d like to add to the toolbox. In South Dakota, we were in pretty good shape from a remote-access perspective. We had to expand on some licensing. The biggest challenge was on the device side. The IT department, we all have laptops and we were able to go home pretty easily. The agencies, though, they had a heavy investment in desktop computers, which just makes it not impossible, but more difficult to go mobile. You’re at a fundamental level where you’re trying to teach how you secure Wi-Fi networks. They’re not complicated, but when you have to scale that from a few people a week to thousands, it becomes a resource strain.
What are the security issues government leaders need to be thinking about?
I go back to the basics: education and training. You have to have buy-in from the business side that cybersecurity is important. You might think, jeez, it’s 2021, it’s like walking or riding a bike. It’s not. The priority within the business sector of government is still not there. We still have to convince agencies that you’re collecting personally identifying information about constituents, hence, we have to prioritize the protection of that. That means in your daily practices, your RFPs, your contracts, it has to be a priority to protect constituent data, and sometimes that means you have to say no to a vendor you’ve done business with for a long time because they don’t practice good cyber hygiene.