Maricopa County, Arizona’s Chief Information Security Officer Michael Echols said his team was able to achieve several critical information security goals in 2015.
The county installed a new cybersecurity infrastructure, which uses advanced techniques to identify risks across the county’s network environment and provide departments with a deeper analysis of how well county services can stand up against cyberattacks, Echols said. Echols added he was able to aggregate threat data to help county officials understand the importance of investing in cybersecurity.
Echols’ efforts earned him a nomination for StateScoop’s GoldenGov StateScoop 50 award, which highlights the visionary leaders in government who are setting the tone for what the future of the industry looks like.
StateScoop talked with Echols about what he’s learned in the county’s cybersecurity infrastructure, what’s still left to be done in the county and his vision for the county’s cyber future.
Editor’s note: This interview was edited for clarity and conciseness.
StateScoop: Tell us about some of your main achievements over the past year that may have resulted in your nomination for a GoldenGov award?
Michael Echols: Technology is playing a huge part in how state and local government entities deliver services to stakeholders. However, the growing portfolio of technology-enabled capabilities must be accompanied by a robust strategy to protect the integrity of personal data and demonstrate that information is being handled in a secure, responsible manner.
I perceive my role as chief information security officer for Maricopa County as being an enabler for the wide range of services that are delivered by the 50+ county departments. As the fourth largest county in the U.S. and one of the top 10 fastest growing counties in the nation, Maricopa County has a long record of providing innovative and cost-effective technology solutions to enable county departments to transform their operations to best serve their customers and citizens.
Establishing a partnership with the CIO was paramount to demonstrating the value of information security to the business. As technology enables services that support the strategic priorities of the county to operate, securing those services is equally important. Working with the CIO to identify those services, correlate them to the county’s strategic priorities and identify the risk posture of each, [we were able to deliver] an information security portfolio, which enhanced the resilience of the county’s ability to deliver services to its constituents.
2015 witnessed the culmination of all the individual elements of the strategic plan and the creation of a comprehensive security posture that fully supports delivery of enhanced IT services across the entire county. The plan uses advanced techniques to identify potential risks across the environment, provides departments with detailed analysis of the security posture of their services. This analysis resulted in justification to introduce new services to enhance the resiliency of departmental business process through information security investment.
SS: What are you most proud of accomplishing during your time in your role? What’s still left to be done?
ME: I am most proud of the impact I have been able to have on the lives of Maricopa County’s employees and residents. The exponentially escalating volume and sophistication of internet-based threats has potential to harm everyone: Reports of high-profile breaches — such as suffered by Target stores, Blue Cross, Sony and even the IRS — seem like a daily occurrence.
I have used sophisticated methodologies to aggregate data and conduct trend analysis to enhance our abilities to anticipate threats and risks. We have established a systematic set of procedures that work together to identify, manage and mitigate the risk of cybersecurity threats. The metrics provide further evidence that the operating programs are working to mitigate the cause of risk in a continuous and effective manner. I believe that this ongoing process will continue to achieve results long into the future, based on the repeatability that we have been able to implement.
I have been able to leverage my experiences and expertise in the prevention of cyber-based threats to maximize security in all aspects of the county’s operations. The transparent, goal-oriented approach has resulted in a visible rise in trust and respect, demonstrated by the significant increase in security-related budget and resources at a time of widespread fiscal pressure and cutbacks.
SS: What’s been the biggest challenge you guys have faced in the past year? How’d you overcome it?
ME: One of the largest challenges we have faced was demonstrating the return on investment associated with information security. The ROI for investments in information security is difficult to articulate because it requires trending information across various categories over time to demonstrate what has been accomplished. Without trend analysis, the organization would be unable to show differences in the information security operating picture, and thus measure success or failure. Leveraging trend analysis however, allowed us to show a reduction in threats and exposures, representing the ROI.
We were ultimately able to demonstrate the relationship and relevance of information security to the county’s operations, and, by extension, to the ROI associated with buying into the portfolio of information security services and solutions.
This was accomplished by establishing a tangible link between the impact of specific vulnerabilities on the delivery of services and the steps that needed to be taken to mitigate the risks associated with cybersecurity threats.
SS: Why public service? What lessons would you like to share with the next generation of state and local IT leaders?
ME: I chose public service because I love being a member of my community and very much enjoy being a part of a business that provides fundamental resources for it. I have also tried to give back and enhance the community in my role as an adjunct faculty member for the local Estrella Mountain Community College. In this capacity, I volunteer time to share my experiences in cybersecurity across the Phoenix metro area. As testimony to the impact, Estrella was recently recognized as a National Center for Academic Excellence by the Department of Homeland Security and the National Security Administration, specifically for the cybersecurity degree programs that I was instrumental in establishing.
My advice to the next generation of state and local IT leaders is to involve themselves in the community so that they understand the needs of the citizens and can passionately represent their interests. This will serve to enhance business acumen in a technology environment, and ultimately improve their ability to deliver the right services to the communities that they support.
SS: What advice do you have for next year’s eventual class of GoldenGov nominees?
ME: Do something great instead of just settling for maintaining the status quo. Promotion of successes, and the impact on human level, will shine a light on what is great about state and local government and ultimately improve the quality of life for many Americans in their respective service territories.
Additionally, nominees should always strive to enthusiastically participate in community activities to fully understand the realities, demands and pressures residents’ experience: It takes this kind of first-hand knowledge to push for the changes that have the maximum positive impact. I believe if you have perspective on what the citizen’s desire, and leverage your abilities to provide them high quality services in your area of expertise, it will result in significant improvements to the overall mission of the organization and to the lives of individual Americans.
This Q&A is part of a StateScoop series highlighting the nominees for the StateScoop 50 GoldenGov award. To vote for this nominee, and to vote in the other categories up for awards, go to the StateScoop 50 awards page. Winners of the StateScoop 50 awards will be announced on May 4.