Chief information officers should continue to expand the roles they play in their organizations’ cybersecurity policies, especially as enterprise networks evolve to support new products and malware becomes more sophisticated, Linda Gerull, the chief information officer of San Francisco, said Tuesday.
“There’s so much information and so much to protect,” Gerull said at StateScoop’s California Innovation Summit in Sacramento.
One of the biggest challenges in securing government networks, Gerull continued, is balancing new applications and devices with legacy platforms that still require a lot of maintenance. The new products may have better security, but they can cause other headaches.
“Even though new applications may behave better on the network, we have mainframes to protect and other environments that may not work well with new applications,” she said.
But she also noted that she encounters new, internet-connected devices designed to operate city infrastructure that do not have any security considerations in their design.
Gerull appeared on stage with Herb Thompson, a former chief technology officer for the state of Wisconsin who is now the chief strategist for state and local government services at the cloud computing firm VMware. Thompson, who worked for Wisconsin until last February, recalled being able to improve cybersecurity across most of Wisconsin’s executive agencies, but also being stymied by his lack of authority over networks serving the state’s legislature, courts and board of elections, the last of which became an issue in 2016, when the state was one of 21 where hackers working for the Russian government attempted to penetrate a voter registration database.
Like Gerull, Thompson said government CIOs — who don’t always oversee their organizations’ cybersecurity policies directly — are challenged by a flood of new network activity that makes it increasingly difficult to protect their systems.
“There are things that keep CIOs up at night,” he said. “A lack of dedicated funding for security, complexity of malware and number of devices coming into network. Before, we were able to build a moat around the data center. Now that dwindling edge is disappearing.”
But Gerull said her office is trying to keep some of those barriers up even as new technologies break them down. CIOs, she said, to “really know [their] network,” from which users have access to what permissions and protections are applied to software from outside vendors.
“It’s about architecting your network for defense,” she said. “The new tools we have to do monitoring and alerting, [and] segregating is absolutely essential. In San Francisco it allows us to control policies on the network. It’s also about knowing your vendors. When there’s a breach it’s all-hands-on-deck, and that includes vendors like VMware, Oracle, Amazon or Microsoft.”
Gerull said her office is implementing a zero-trust security model throughout San Francisco’s municipal government, in which users are required to authenticate their identities and devices and have their network access limited only to the functions they are authorized to use.
“Everyone stays in their little pool, no wandering around,” she told StateScoop. “You’ve got to wall that damn thing off.”