Michael Roling, the chief information security officer for Missouri, said he treats any cyberthreat as if it’s “the big one.”
In the past year, the CISO said he’s made great strides in using cutting-edge technology to protect state assets: He recently deployed a new monitoring tool on the state’s network to help detect cyberthreats. But he also touted his work to promote a good workforce culture around cyber, and he cited his team’s responsiveness to threats as his single proudest accomplishment.
Roling’s work in cybersecurity in Missouri earned him a nomination for StateScoop’s GoldenGov StateScoop 50 award, which shines a light on the state and local leaders who are setting the tone for the future of the industry.
StateScoop talked with Roling about his approach to cybersecurity leadership, his vision for the future of the state and the challenges he faces every day.
Editor’s note: This interview was edited for clarity and conciseness.
StateScoop: Tell us about some of your main achievements over the past year that may have resulted in your nomination for a GoldenGov award?
Michael Roling: Each year I have four goals within our cyber security plan that drive our best practices:
1. Create a culture that fosters the adoption of cybersecurity best practices.
2. Use cutting edge technology to protect state assets.
3. Respond to cybersecurity incidents swiftly and effectively.
4. Establish and maintain IT governance that promotes cybersecurity.
Over the last year, with the help of my team and other areas within IT, we made great strides in reaching these goals. For starters, I have rolled out a new end user awareness program targeting approximately 40,000 employees. Unlike our old program, the new program is highly interactive with quizzes and educational games. In terms of using cutting edge technology, we have partnered with companies that shed light [onto things like] shadow IT and advanced malware. With regard to responding to incidents, I increased our Security Operations Center (SOC) staffing by more than 30 percent and have improved our threat intel capabilities through our threat intel portal. Lastly, governance has been improved by aligning components of IT to within my team.
SS: What are you most proud of accomplishing during your time in your role? What’s still left to be done?
MR: The single biggest action I have taken as a CISO has been to kickstart the cybersecurity cultural change within Missouri. All Missouri state employees must understand the importance of safeguarding state data and the importance of cybersecurity best practices — especially as they relate to their job. Informed and motivated state employees will ensure that those best practices are adhered to and made a routine part of conducting state business. Our end users are now more aware of the threats they face on a daily basis, our application developers now have formal processes in place to write secure code and then to validate apps using static and dynamic analysis, and the biggest impact from the cultural change has been the incident response mindset. My team takes each incident seriously as if it’s the “big one.”
If I had to be proud of a single accomplishment, it would be the cybersecurity team that I have fostered. I’m proud of their teamwork approach to solving problems and their quick ability to learn from one another.
There’s still more to do though. Our adversaries never rest and are constantly refining their attack strategies. I will continue to explore ways of improving our processes, technology and awareness by looking to our current and potential partners and by collaborating with our peers.
SS: What’s been the biggest challenge you guys have faced in the past year? How’d you overcome it?
MR: The biggest challenge that we’ve faced over the past year has been our growth. In just a year, I have taken an organizationally flat group and created three unique teams: the SOC, the infrastructure team, and the audits and compliance team. In 2015, we have grown the number of staff by more than 130 percent. In terms of capabilities, we have expanded both coverage and technologies to quickly and effectively respond to incidents. This tremendous growth has been a challenge but one that we’ve been able to execute due to good planning and the support of our administration.
SS: Why public service? What lessons would you like to share with the next generation of state and local IT leaders?
MR: I chose public service because of the incredible opportunities to make a difference. The actions we take on a daily basis make an impact on the services we provide to our citizens. Being a part of these processes and ensuring Missouri’s data is safeguarded is an incredibly rewarding experience.
SS: What advice do you have for next year’s eventual class of GoldenGov nominees?
MR: Continue striving for great change. Odds are good that the nominees have been tremendous agents of change, so their momentum needs to continue and be role models for all of us.
This Q&A is part of a StateScoop series highlighting the nominees for the StateScoop 50 GoldenGov award. To vote for this nominee, and to vote in the other categories up for awards, go to the StateScoop 50 awards page. Winners of the StateScoop 50 awards will be announced on May 4.