As new California CIO Amy Tong settles into her role heading up the largest state IT apparatus in the nation, some legislative scrutiny and staff upheaval has her working to whip her department’s cybersecurity practices into shape.
Tong stepped in for Carlos Ramos as the state’s CIO on an interim basis earlier this year, but once Gov. Jerry Brown tapped her to take the job on the job permanently in August, she had the green light she needed to put her stamp on the Department of Technology.
With a 2015 report from the state auditor blasting California’s cyber practices and Chief Information Security Officer Michelle Robinson stepping out the door a few weeks after legislators grilled her about those findings, Tong had little trouble choosing the first thing she wanted to focus on.
“We want to take a holistic approach in addressing information security overall,” Tong told reporters Wednesday. “There was a lot of work being done by the individual departments and staff behind the scenes. But I think it was just a matter of it being time to really consolidate these efforts to a coordinated effort and articulate what that coordinated effort is.”
Indeed, she said designing a unified cybersecurity strategy will be her “top priority” for her first year at the helm, and she feels she has Brown’s full backing on that front.
She’ll be tackling that goal without a state CISO for now — Tong noted that they’ve been conducting “a national search over the past few months” and “have several candidates we’re in talks with and we’re hoping soon we’ll be able to announce someone” — but she’s still been able to sketch out a basic framework for her cyber plans so far.
At its heart, Tong wants the state to start fully taking advantage of the newly convened California Cybersecurity Integration Center that Brown created via executive order last year to bring together state and federal agencies. While representatives from plenty of departments make up that group, Tong sees an outsized role for four state agencies in particular: her Department of Technology, the Office of Emergency Services, the California Highway Patrol and the Military Department (an agency that oversees organizations like the state’s National Guard).
“The four partners working very closely with the federal and local [agencies] to put together a perimeter check, access monitoring to look at the various attempts that are coming into the state of California for this public information that we’re protecting,” Tong said.
Namely, she hopes the center can act as a “single point of coordination” for data coming from the state’s network monitoring efforts, giving analysts a chance “to look at the various feeds coming from these entities so they can identify patterns and any correlation.”
After all, she noted that the IT department, the emergency services office and Military Department are engaged in “proactive monitoring” efforts. But that works only goes so far, and Tong is hoping to pull in the Highway Patrol to head up the “criminal investigation side” of things to chase down hackers.
“When an incident happens and we want to go after a bad actor, there’s a way they can do it if they can identify an incident early enough,” Tong said.
Tong also wants the center to serve as way for the various agencies to collaborate on the various cybersecurity-focused auditing work they do — the Military Department works to conduct a biannual independent assessment of state agencies, while the IT department does so on a tri-annual basis as well.
Yet she added that her department is primarily responsible for the remediation work that stems from the results of those cyber reviews, and she’s hoping to put a new focus on breaking down the basics as part of that process.
“A lot of it is coming from individuals who are using their computers everyday, and they need to be educated,” Tong said. “It’s about the simple things, ‘Don’t click on the phishing email,’ which opens up their machine to become the door to the bigger network.”
Indeed, she said she’s specifically hoping to “not only educate based on what the textbook says,” getting state workers away from just “learning all these acronyms of information security policy” and moving to “helping them to actually define what are the things most relevant to the state.”
“Remediation is not just about having additional tools to beef up a system,” Tong said. “Sometimes it’s just training people better.”
That’s not to say that the department won’t focus on providing agencies with the most secure tools possible — Tong notes that they’ve applied for certification through the General Services Administration’s “FedRAMP” program for their cloud service, CalCloud, showing that they’re “leading the way” for cloud security at the state level — but she’s putting a premium on staff development. Beyond workers at other agencies, Tong said that goes for her own employees too.
“I’m focused on growing our staff, not necessarily in size, but in skill set,” Tong said. “We have a great team of staff, but as technology continues to evolve it’s our responsibility as leaders to continue to grow our staff, elevating their experience and expertise. Doing so is not just about applying training, but doing so is about soliciting industry input.”
To that end, Tong said the department convened a “vendor advisory council” last week, pulling in “at least 30 different vendor groups and associations” to offer the state feedback.
“We see them as a partner, it’s not adversarial, since many of the initiatives that the state takes on requires our vendor community to work with us,” Tong said. “Because of that, we want to make sure we’re at the forefront of hearing their feedback and what their challenges are in working with the state and what are the ways, based on their experience, we can improve how we as a department operate.”
She said that effort has been “well received” so far, and she wants to expand the concept going forward. These days, she’s aimed at establishing a “local and civic entities council,” to get some perspective from the nonprofit sector as well.
“I’ve heard a lot from some people who are retired, some from the private sector who just want to give back to help California, even smaller nonprofits on the leading edge of transformation work,” Tong said. “So we want to codify this participation. In addition to how do we do business from the vendor community, we want advice on how to run business in an efficient way, connecting to the citizens of California.”