(Scoop News Group)

Cybersecurity Leadership of the Year winners share post-pandemic challenges

The 2021 StateScoop 50 Awards recognize the top people and projects in state government IT. In interviews with StateScoop, winners of this year’s prizes look back at their work over the past year, most of which was dominated by the COVID-19 pandemic.

The pandemic exposed many of state government’s cybersecurity pitfalls, chief information security officers said last year in the biennial survey that often informs their organizations’ priorities. Yet many CISOs also found that government workers had become more sensitive to cyber risks and more engaged with their agencies’ security initiatives. As the health crisis wanes and remote work starts scaling back, state cybersecurity leaders are considering which lessons from the last year-plus will last.

In a series of interviews, StateScoop 50 Cybersecurity Leadership of the Year winners share some of these lessons, the ongoing risks of ransomware and supply-chain attacks and what government leaders need to do to meet a growing threat landscape.

Previous interviews in the 2021 StateScoop 50 Awards include winners in the GoldenGov and State Leadership of the Year categories.

All interviews in this category were conducted by Benjamin Freed. These interviews were edited and condensed.

Laura Clark, chief security officer of Michigan

What are the lessons from the pandemic you’ll take with you?

One that’s going to stick with me is during the pandemic we saw a lot of innovation around technology but also around process. I think it was a catalyst for change, and we really had to look at all our processes and validate whether those processes were still valid. We didn’t want to bypass those processes because they’re in place for a reason, but it did make us take a step back and say how often should we look at these?

What was the biggest challenge you faced during the pandemic?

There are so many. A lot of our lessons learned are around the security basics and making sure we’re really good at those basic things, because most of the incidents we’ve seen really are exploiting those known vulnerabilities. Making sure we’re taking care of the basics, because the bad guys are going to do the most cost-effective attack. Where there are known vulnerabilities, they already have tools and protocols to exploit those, and that’s where they’re going to go first.

What are the cybersecurity issues government leaders should be thinking about the most?

I think all leaders need to be thinking about cybersecurity together and how we harden our systems. We’re very highly connected across all levels of government and within our other industry sectors. We need to think about how to secure that ecosystem together. We’ve been focusing on getting tools into the hands of the residents, information into their hands, as well as working in the cybersecurity ecosystem within Michigan to make sure we have incident response playbooks together, to make sure we have partnership opportunities, so if something does happen, we know who to go to so we know who to rely on.

Tim Roemer, Director of Homeland Security and CISO of Arizona

As we’re exiting the pandemic and getting back to normal, what are the lessons you think will last?

I think prioritizing cybersecurity throughout the state is something that’s going to last. We’ve worked to get in front of our employees, virtually. We don’t want to just be white noise. They know we exist. Some state employees didn’t know we had a security operations center that was working to protect them. And then phishing training. Because of remote work and an increase in phishing attacks, we increased both the quantity and quality. So we raised the difficulty and started doing it monthly, and boy, that’s going to keep going.

Do you think you’ll still have more challenges with the complexities of remote work?

I worry about complacency. Cyber’s a lot more of a human challenge than it is a technology challenge, because humans are the ones making mistakes with technology. We’re blocking four times more risky websites visited by workers than we’d block when they’re at work. So we’ve worked really hard the past year and a half to let our employees know they need to be more cautious. We’re starting to do some cool rewards. If you find a phishing link and you bring it to our SOC team, we’ll bring you some Goldfish crackers. So we have these things that are starting to work, but it’s not that economical to ship people individual packs of Goldfish, so we need to get even more creative in staying engaged with teleworkers.

Moving cybersecurity from IT into the homeland security department, why was that such an important change?

In the physical world, if someone was showing up to your place of work trying to break in, someone would take that case and prosecute that. Unfortunately, at the federal, state and local levels, the capabilities of law enforcement to do so [in cyber] aren’t really there. So the biggest thing for us was we get to roll underneath a homeland security department, use that to have more of a bully pulpit with law enforcement, to co-locate and sit with law enforcement at our state fusion center. That will position our cyber analysts and our SOC team to share information, work with law enforcement and partner with prosecutors. That will ultimately make the state of Arizona safer, and it sends a heck of a message to the criminals behind it.

What are the big cybersecurity risks government leaders should think about the most?

Getting the buy-in of your top level of government is priority No. 1. I’m lucky I have that from Gov. [Doug] Ducey, because he gets it, he understands it, he respects the threat that’s out there. But to be completely honest, I don’t hear that from other CISOs in other states, and I think that’s the biggest challenge facing them. When we talk among our CISOs, we’re trying to be sure every governor’s office prioritizes cybersecurity like Gov. Ducey does in Arizona, and I hear that from my private-sector colleagues as well. They’re trying to get their C-suites on board, and not just on the customer service ease-of-use thing.

Maria Thompson, chief risk officer of North Carolina

This interview was conducted May 28, prior to Maria Thompson’s announcement that she’d be stepping down from the North Carolina Department of Information Technology. She is now a state and local government cybersecurity leader at Amazon Web Services.

What are the lessons from the pandemic you think will stick?

I think what we’ve come to understand is that we don’t necessarily have to work on site. We can have a hybrid workforce and still produce quality output. From a risk-management perspective, tightly ingraining cyber into all the projects will be key. I know in some cases during the pandemic there was a rush to deploy capabilities and cyber may not have been thought of as a primary solution to be integrated, but we’re all circling back to do cleanup. We all know cyber is not a one-and-done. Supply chain risk has been huge for us, especially during the pandemic.

What are the security issues leaders should think about the most?

We talk about the Colonial Pipeline and SolarWinds and all these supply chains, and that’s increasing. And leaders in general, not just cyber leaders, should think about how we are approaching our supply-chain risk posture. Those incidents were calls to action. It almost appears we have folks out there who are hitting the snooze button. And then it happens again. We really need to start investing in solutions, in people, in processes to ensure the security of our environment. It’s not just buying tools, it’s investing in people, in their knowledge and ability that they are prepared.

You’ve made growing the cybersecurity workforce, especially in ways government leaders haven’t always thought about, a big part of your job.

It’s all about partnerships, and at every engagement I’ve been in, I’ve always brought it up. I sit on multiple school advisory boards. One of the primary reasons I do that is to build those relationships, to figure out how I can be a part of curriculum development. And look how we can bring some of those students to the state, and see what we have to offer and build that interest. We’ve had students tour the data center. We have partnered with companies like SANS, and we’ve been part of CyberStart. Wherever there are opportunities, we have been involved. I’m part of the #IAmCS movement, which is a group of ladies across the public and private sectors who are in STEM roles.

Adam Ford, CISO of Illinois

What are the lessons from the pandemic you think will stick?

That state government can be and has to be more adaptable than we ever thought, that’s first and foremost. Our state, and every state, responded over a couple of weeks in a way that really hadn’t been played out or exercised. The notion of disaster recovery or continuity of operations planning around a building falling down or power being out, that was an assumption that was put on its head. We can be more adaptable and more flexible and faster than before.

How do you tackle that from a security perspective?

When you go into cybersecurity and you study for your CISSP, you always talk about life, health and safety being the priority. And we conceptualize that as getting people out of burning buildings and not putting people in dangerous situations. But sending people out to work remotely was in some ways a worst-nightmare scenario in how we provide security. We had to just be adaptive. I don’t know if we were necessarily creative. We were just more adaptable.

What are the cyber issues government leaders should be thinking about most?

Ransomware is the most devastating attack any state or local government can face right now because it’s effectively a robbery and a home fire at the same time. But I think ultimately it goes back to a lot of the basic hygienic stuff. Not that anyone didn’t take it seriously. But we have to know what our environment looks like, what’s in our environment. In many states, in our state and others, historically security wasn’t first. It is now, but some of those systems from 20 years ago have to be modernized and modernized in a way that puts security first. We’re under fire from sophisticated threat actors and have to keep the lights on.

Jim Edman, CISO of South Dakota

This interview was conducted May 26, before Jim Edman announced his departure from the South Dakota Bureau of Information and Telecommunications. He’s now a state cybersecurity coordinator at the U.S. Cybersecurity and Infrastructure Security Agency.

What are the lessons from the pandemic you’ll take with you?

I think that probably the biggest lesson, and it may not necessarily be cybersecurity-related, but the culture of state government, historically, is if I can’t see you, I can’t manage you. It’s the whole remote-work thing. Jeepers, people can be more productive, they can work from home. It is a benefit that can be added to the recruitment and retention problem that state government suffers so much from. The technology has been there, whether it’s using VPNs or multi-factor authentication.

What do CISOs need to make the remote-work trend stick?

There are always more things out there we’d like to add to the toolbox. In South Dakota, we were in pretty good shape from a remote-access perspective. We had to expand on some licensing. The biggest challenge was on the device side. The IT department, we all have laptops and we were able to go home pretty easily. The agencies, though, had a heavy investment in desktop computers, which makes it not impossible, but more difficult to go mobile. You’re at a fundamental level where you’re trying to teach how you secure Wi-Fi networks. They’re not complicated, but when you have to scale that from a few people a week to thousands, it becomes a resource strain.

What are the security issues government leaders need to be thinking about?

I go back to the basics: education and training. You have to have buy-in from the business side that cybersecurity is important. You might think, jeez, it’s 2021, it’s like walking or riding a bike. It’s not. The priority within the business sector of government is still not there. We still have to convince agencies that you’re collecting personally identifying information about constituents, hence, we have to prioritize the protection of that. That means in your daily practices, your RFPs, your contracts, it has to be a priority to protect constituent data, and sometimes that means you have to say no to a vendor you’ve done business with for a long time because they don’t practice good cyber hygiene.

Anupam Srivastava, CISO of Ohio

What are the lessons from the pandemic you think will stick?

The coronavirus has been very transformative, for normal people and businesses. The state was not set up for any sort of remote work before. We looked at the kind of controls we’d need to implement to get the state workforce remote and secure. I think people have shown they can work remotely. It’s definitely something they’ll demand. It also gives the state a little bit of flexibility in recruiting the right talent. Before, we were looking at people who could be in central Ohio. With the option to work remotely, we’ll have to be competitive.

What does that mean in terms of tools, resources, things you’ll need to invest further in to give people that flexibility while they’re working securely?

Initially it was going to be three weeks. Then it went to six months. Here we are a year later. I think we’ve already tooled up sufficiently, distributed laptops to people. Initially, everyone had the option of using their home machines, but that was the thought when we thought this would be a narrow time frame. As things went month by month, we did end up getting a lot of laptops to distribute to our staff with configurations and tools so we could do remote monitoring and have the right endpoint protection. So I don’t think we’re going to miss a beat whether they’re coming back or continuing to work remote.

What are the big cybersecurity risks government leaders should think about the most?

Cybersecurity is all about risk management, right? So how much risk is the state going to tolerate? Because of the amount of sensitive data the state maintains, the answer is often a lot. It’s very important for us to continue to ensure we have the right controls in protecting that data.
