Ellen Sundra, VP of Americas System Engineering at Forescout, presided over a CIO and CISO panel at RSA Public Sector Day 2019. The day-long event offered presentations that focused on the cyber security issues facing government agencies. According to the program, Sundra’s session would “consist of a thoughtful discussion between federal, state, and local government CISOs relative to challenges, threats, and opportunities” and “highlight initiatives they’ve undertaken to improve cybersecurity capabilities, organizational resiliency, and a deeper organizational understanding of risk.” It definitely delivered.
The state of Texas, for example, is evolving its CISO office into something of a for-profit Managed Security Services Provider (MSSP). Its approach is to generate revenue by providing cyber security services to hundreds of municipalities and agencies across the state. This appears to be a win-win for everyone involved. The CISO’s office can now do its work without having to ask the legislature for more money. The towns and agencies, in turn, get services they could almost certainly not provide for themselves.
Small towns and government agencies are simply not set up for the level of cybersecurity countermeasures they genuinely need. It’s not anyone’s fault. They may have a small IT department that is also tasked with security. Such a department is usually not staffed for cyber. Now, with the MSSP service from the state, provided by an inter-agency contract, they can get high-level firewall services, endpoint protection, intrusion detection, incident response and so forth.
The panel also delved into ways that state-level cyber security agencies are simplifying procurement for other agencies. California, for example, is piloting new contract vehicles that enable individual government entities, like city and county governments, to get the preferred statewide procurement terms on security technologies and services. Previously, the state had been more of an “everyone for himself” procurement environment. This had led to inefficiencies and unintentional overspending.
Michael Dent, CISO for Fairfax County in Virginia, shared some interesting thoughts on how to communicate risk to stakeholders in a government setting. His approach is to make it clear to officials that if they decline his agency’s services, they must own the resulting risk. For example, an agency may request an exemption from a countermeasure for a variety of reasons. Legacy systems may not be patchable, for instance, so their owners want an exemption from patching requirements.
That’s fine, according to Dent, but he makes the agency sign off on owning the risk arising from that decision. He makes them sign a document that clearly defines the accountability the agency leader must face if there is a security incident as a result of the exemption.
Communication was a recurring theme at Public Sector Day. Mark Makstman, CISO of the City of San Francisco, spoke about the challenges of effectively communicating with government leadership about cyber security issues. “It’s very different from a corporate setting,” he explained. “If I speak to the Mayor of San Francisco about mobile security, as a hypothetical example, it won’t help me or him if I discuss how many mobile endpoints we’ve secured. I can only be persuasive if I frame the issue in terms of citizen risk. Like, if there’s an emergency and the Mayor can’t communicate with his crisis team – what does that look like, and what can we do to avoid that outcome? Now, I have his attention and we can start solving the problem.”
Other presenters at Public Sector Day echoed this sentiment. Communication works best when it describes risk scenarios that are meaningful to a politician. Technical stats are meaningless to that audience. Issues of public safety, image and media impact are far more relevant. “What’s the headline this person dreads?” seemed to be the theme. “Let’s avoid that headline” was the opener of a successful government cybersecurity conversation.
Shown in photo: Missouri Governor Michael Parson tours a bridge construction site.