Connecticut picks financial sector IT security veteran as CISO
Jeff Brown, a private-sector IT security veteran, began Wednesday as the new chief information security officer for the State of Connecticut, officials said.
Chief Information Officer Mark Raymond announced the news in a tweet Tuesday reading: “We are incredibly thrilled to have Jeff W. Brown join our team in building a safer state.”
According to his LinkedIn profile, Brown has held information security positions at several major financial corporations, including AIG, GE Capital, Citigroup, Goldman Sachs and Merrill Lynch. He joins the information technology division at the Connecticut Department of Administrative Services, where Raymond has served as the top technology official since 2011.
Raymond told StateScoop that Brown is essentially the state’s first chief information security officer. Former Connecticut Gov. Dannel Malloy in 2016 named Art House as the state’s chief cyber risk officer, but Raymond said that role was “more public-facing” and involved evangelizing for cybersecurity across the state, rather than focusing on the state’s internal IT security posture.
Brown began his first day in the new role Wednesday as much of the state government’s workforce continues operations remotely during the novel coronavirus pandemic.
“He was in this morning, we outfitted him with technology and sent him out to remote work,” Raymond said.
In a state that partially relies on a federated service-delivery model for technology, in which the IT office shares responsibility with state agencies for managing technology, Raymond said Brown’s role will be to improve how risk is managed across the state.
“While we have been working in that [federated] model for a while, our ability to get qualified resources on an agency-by-agency basis and to put them in place in the appropriate numbers for our smaller agencies was not allowing us to address the risk in the way that we wanted,” Raymond said. “One of our big focuses is how do we work across agencies to bring new cyber protections and risk reductions in play?”
Improving how the state manages its IT security risk, he said, could involve practices such as ensuring adherence to popular security controls and streamlining the state’s cybersecurity auditing processes.
“It’s really about improving our security operations across the state in a more coordinated manner,” Raymond said.
As much of the state government’s staff continues to work remotely, Raymond said there are new and heightened cybersecurity considerations, such as educating users about the increased incidence of spam and phishing emails.
“People are being targeted with using COVID-19 as an opportunity to get people to open things or click on things that they normally wouldn’t,” he said.
The new working arrangement is also creating new complexity in the work environment, he said.
“As we have people work remotely, we’re changing the landscape of where risks are and we want to enable people who are used to working in an office environment either remote or in other ways with technologies and practices that keep our citizens and business data safe,” Raymond said.