Missouri Chief Information Security Officer Michael Roling has announced that he will step down from his position at the end of the month, after nearly a decade with the state government.
As the state’s top cybersecurity official, Roling took Missouri’s information security operation from an unfunded policy shop to a 20-person outfit that today is raising cybersecurity awareness from the lowest staff levels up to the governor’s mansion.
“In the Office of Cybersecurity, we don’t handle business data,” Roling said. “It’s not possible to protect our end-users from every single threat from a technical perspective. It’s up to them to realize it’s a phishing message or what we’ve seen a fair amount of recently is social engineering over the phone.”
Heading to work for a private company that has some government clients but isn’t specifically focused on government is “bittersweet,” he said, but the right timing for his career. Roling says the state will be fine without him, having built a talented team that can outlast his tenure.
“There’s been some programs we’ve been instituting for quite a while now, but they’re the ones who actually carry it out and deliver,” Roling said.
Raising cybersecurity awareness and getting members throughout all levels of an organization to actually change their behavior is challenging, he said, but Roling’s team has done it through a clear explanation that the risk is pervasive and not always technical.
“In many situations, they’re not targeting networks, they’re not writing malicious code to target a state government. They’re going after the human,” Roling said. “And conveying that to them I think has been an eye-opener. Especially if you can get cabinet-level members on up onboard with the mission, then it becomes easier. Then it becomes ingrained within the various departments.”
Roling’s said the three governors he’s served under and the Missouri General Assembly have bought-in to the cybersecurity mission.
His role transformed in 2013, when the Information Security Management Office was reorganized as Office of Cybersecurity, a substantive change that, along with real funding, brought a “drastic shift” in how the office worked.
“That’s when we really started to morph into something way beyond just policy, procedure, paperwork,” Roling said. “We were introducing new technologies and processes that had never been seen before inside of Missouri.”
Having funding for the first time helped, he said, and it also helped that the state built its security operations center to instantly respond to any threats that popped up around Missouri. Roling later added another group devoted to securing the state’s infrastructure. Another team was formed to handle audits, compliance and preventative measures like ensuring that information security is included in the planning processes for new state projects.
Roling said his suspicions about the state’s cultural cybersecurity success were validated last summer when a “large non-state public entity” joined the state’s fake phishing email campaign to see who knew to avoid phishing emails and who needed more training. He said the state’s worst-performing agency was still about 19 percent better than this new participant.
When asked how a state can keep its systems secure and keep awareness high, Roling said the main two elements in his experience have been a strong baseline of IT fundamentals he was allowed to build on and support from the governor’s office.
“The not-so-secret secret has been the fact that we have had unwavering support from the top of state government,” Roling said. “From Gov. [Jay] Nixon to Gov. [Eric] Greitens to Gov. [Mike] Parson, they have all believed in the mission that we are carrying out. We’ve been blessed in those two places and that’s allowed us to grow the team and be successful along the way.”
Deputy CISO Stephen Meyer will serve as Roling’s interim replacement.