Exempting Infosec from Civil ServiceDelaware CSO Elayne Starkey on Employee Performance Metrics
"We can't compete necessarily with private-sector agencies in Washington and Baltimore, or should we, but we have been very successful in recruiting a very high-caliber team at DTI," Starkey, chief security officer for the state of Delaware, says in part one of a two-part interview with GovInfoSecurity.com (transcript below).
Delaware's Department of Technology and Information is one of only two state departments in which all employees aren't protected by civil service, or as it's known in the Diamond State, merit service.
DTI employees get pay raises - when a salary freeze isn't on, as it is now - only if they meet specific predefined metrics agreed upon by employees and their managers. And, not all pay raises are equal. Employees also are evaluated as a team since it would be unfair, for instance, to blame an individual for an IT security breach, Starkey says. "Every particular type of intrusion of incident probably has multiple root causes," she says.
In the interview, Starkey explains the:
- Metrics the department uses to evaluate IT security professionals;
- Oversight the CISO has over all state IT systems, including those of the legislative and judicial branches as well as state education institutions; and
- Responsibility of the CISO for developing disaster recovery plans for the entire state IT networks.
In part two of the interview, Starkey discusses a new state policy that allows employees to use their own mobile devices to access state IT systems.
As one colleague put it, one of Starkey's strengths is the knack to explain IT and IT security to non-techies, including elected officials in the legislature and executive branch. Starkey, who was interviewed by GovInfoSecurity.com's Eric Chabrow, holds two computer science degrees, a BS from James Madison University and an MS from the Rochester Institute of Technology.
IT Security Governance Structure
ERIC CHABROW: Please explain how IT security is governed in Delaware?
ELAYNE STARKEY: My office is responsible for providing the governance structure for not only information security, but disaster recovery, business continuity, and our goal is to foster a climate of ownership and accountability over the information assets that we have here in the state of Delaware. My office is responsible for IT security in all three branches of government that includes our education network as well. That is K-12 in all of the public schools in Delaware.
CHABROW: Is there any problem overseeing the judiciary and the legislative branch?
STARKEY: Oh no, we don't have those kinds of problems here in Delaware. Yes, it always comes with a challenge. Each branch of government has their own policies and procedures, and there is always a challenge of trying to come up with a single approach to all three branches. We have a fairly good collaboration among the three branches so we've been successful. Just the fact that all three branches of government sit on the same network, our core network services are highly centralized in Delaware. That provides the foundation for a lot of other centralization as well. So we've had some good success in that area.
CHABROW: Traditionally, a lot of responsibilities that other states may give to local governments, Delaware has absorbed basically Delaware is relatively a small state.
STARKEY: Delaware is small. Our nickname is "The Small Wonder." We are also "The First State." So we use both of those slogans a lot. We do like being first and our smallness helps us in a lot of ways. There is a lot of collaboration between not only, among state government agencies, but also with our local partners whether its county government or local government, and our federal partners to an extent too are able to get some things done quickly here in the state.
CHABROW: You had mentioned that you are also responsible for disaster recovery and business continuity. How does that work?
STARKEY: Being the central IT provider in the state, obviously the disaster recovery responsibility is somewhat of an obvious one. That does happen to be run out of my office. We run annual tests. We simulate some type of significant outage every year where our primary datacenters are unavailable and we recover at an off site, hot site, location. In addition to that, we also run the statewide COOP program. COOP stands for Continuity of Operation Plan; sometimes it is referred to as COG in state government - Continuity of Government - and basically it's much more than just how are we going to recover systems, but how are we going to recover all of our critical business processes. First of all, let's identify what they are and what are the most critical, and then determine where offsite work locations are going to be and where we are going to tell our employees to report to work if suddenly a building becomes unavailable or suddenly a category 5 hurricane comes up the coast and we all have to relocate. The planning process and the exercise of our COOP plan is run not only for DTI, for my department, but for other departments run out of my office.
CHABROW: When you talk about the disaster recovery, does it make a different what kind of disaster it is, whether it's some kind of cyber attack or whether it's Category 5 hurricane or pandemic?
STARKEY: Very good question. We kick that question around a lot here. The approach we use is really an all-hazards approach. Certainly our plans need to be tweaked depending on what it is. The response to a cyber attack is much different than a flood for example, but in terms of the basic premise of the recoverable ability and the availability of the system, it sometimes it really doesn't matter. We use an all-hazards approach here. That is consistent with what is being done at the Delaware emergency and management agency and quite frankly at the federal level as well.
CHABROW: The state Department of Technology Information, which is headed by the state's CIO where your office is situated, is one of two cabinet agencies in Delaware - the other being the Department of Economic Development - that is exempt from the merit system. The merit system is sort of the civil service system, correct?
STARKEY: That's correct.
CHABROW: That means that you and your employees are paid for performance. How do you determine for cybersecurity that you are doing your job properly and you warrant some kind of pay increase?
STARKEY: This is something that we're very proud of here at DTI, because it is something that separates us from many of the other state agencies.
In a time when there are pay raises available, we haven't enjoyed that in the last couple of years, but when they do become available again, every employee does not get the same amount of increase like they do for employees in the merit system. And, the way that we determine that is across the board, every employee here at DTI has a pre-agreed upon performance plan where important metrics that are relevant to that particular job, whether it is cybersecurity or a service desk or a telecommunications has that discussion with their manager on what are the most important aspects of their job and what are the performance measures, the most important performance measures, and then there is a midyear review and then an end of the year review. It is very much like the private sector. You know, those of us that came from the private sector are very familiar and comfortable with this model of agreeing on what the objectives are upfront, measuring and monitoring them throughout the year, providing feedback to our employees throughout the year, and then there are no surprises at year end.
CHABROW: What are the metrics used for cybersecurity employees?
STARKEY: There are several cybersecurity-related metrics that our employees are measured on. The overarching metrics are the number of security audits that are conducted throughout the year and overall cybersecurity posture. Those are department-wide metrics, but each employee on my team also has several metrics related specifically to their job responsibility.
I'll give you an example: We process the mainframe security access request form, and we set goals for our employees to turn those forms around in a certain turn around time to provide good customer service. We continue to kind of lower, in this case, lower the bar, because we want quicker turn around and that is something that we can track with an automated tool, and that team has an overall team objective to meet the turn around security access request form in a certain pre-agreed upon time frame.
CHABROW: Do they tend to be the way they service your customers, the various state agencies, or are there actually security measures in there? When I say security measures I mean number of intrusions or things like that?
STARKEY: Number of incidents or number of intrusions at this point is not part of the metrics that we gauge salary performance on, but it is something that my office tracks. Certainly, not only the number of incidents that we have handled here at DTI, but also gotten involved in with our customers.
CHABROW: Are you not counting intrusions because that may not be fair for an individual employee to be responsible for that?
STARKEY: Yeah, actually that's probably a big part of it. I think the team approach, we realized that every particular type of intrusion or incident probably has multiple root causes, and (not) to hold someone directly accountable. Sometimes you can do that, but many times you can't.
CHABROW: So it is more of a customer service type of approach, all of your workers I guess in some respect are dealing with other people and you measure them in how they basically deal with these other people?
STARKEY: As an example of that, our customer-service metrics, the survey results we get each year from our customers that input is on every single employee's performance plan that's for. We have goals that we set and if we fall short that is a collective team. Just not one person takes the hit; the whole team takes the hit.
CHABROW: When the money is around and they are pay raises, it's not necessarily individual performance but a team performance that determines the pay raise?
STARKEY: It's a mix of both. On any given employee's performance plan, they will see not only performance measures that are directly responsible for and can contribute too, but they will also see some team metrics as well like customer satisfaction level.
CHABROW: And why is this a better way in IT security to determine performance?
STARKEY: Well, I can tell you why this was created in Delaware, and it started about nine years ago when our new governor, Gov. Ruth Ann Minner, came in and wanted a kind of top to bottom review of our IT of the entire information technology posture of the state and wanted to revamp it and improve it. One of the disadvantages of being in state government in a merit agency is our inability to recruit and retain high caliber employees. So the model was basically turned upside down basically. The merit system, the old civil service merit system, was replaced with this pay-for-performance model.
CHABROW: And you find that you'll be able to attract more qualified people using this model?
STARKEY: I do yes. It's been very successful. We can't compete necessarily with the private sector agencies in Washington and Baltimore per say, and maybe nor should we really, but we have been very successful in recruiting a very high quality, high caliber team here at DTI. ity, high caliber team here at DTI.