Creating InfoSec Occupational Categories - Interview with California CISO Mark Weatherford
"The spend is not going down" on IT security, Weatherford said in an interview with GovInfoSecurity.com (transcript below). "We are actually just looking at ways that we can spend a little bit more efficiently and get a little bit smarter about how we do spend money."
Among the efficiencies California is implementing is a trusted-Internet-connection model, in which Internet access to and from state systems is limited, requiring fewer assets to monitor fewer connections.
In the interview, Weatherford also discussed the challenge he and other government CISOs face when trying to recruit IT security professionals: the lack of governmental occupation classifications for infosec specialists. He also discussed his role as head of an office that, like the federal Office of Management and Budget, doesn't have direct control but holds much influence over 152 state agencies.
Eric Chabrow, GovInfoSecurity.com managing editor, interviewed Weatherford.
ERIC CHABROW: California has made headlines around the country with Gov. Arnold Schwarzenegger and the legislature making massive spending cuts in government services. How has California's budgetary woes affected spending on state IT security?
MARK WEATHERFORD: I wouldn't say that we have actually seen any cuts in security. That is one of the challenges that we are working on right now with a fairly large enterprise effort to begin consolidating some of our infrastructure and some of our IT resources around the state. We are very, very decentralized and up until recently we haven't had a good opportunity to kind of aggregate what the total spend really was, the total spend on IT, so subsequently it is pretty hard to determine what the total spend on IT security is. But from what I can see, again, from my perch, I don't have a lot of specific control over IT budgets and security budgets at the state agency level. The spend is not going down, we are actually just looking at ways that we can spend a little bit more efficiently and get a little bit smarter about how we do spend money.
CHABROW: Can you give me an example or two of how to be more efficient, how to get smarter?
WEATHERFORD: Sure. Let me back up and give a little background first. We have 152 state agencies; not only is the business different, but the mission and the security requirements of each of those organizations are considerably different. Across those 152 agencies we have about 10,000 IT employees across the state, and we have about 130 information security officers scattered throughout those 152 or so agencies. The aggregate IT spend is around $3 billion dollars a year, and that does not include some of the major projects that are ongoing, which is probably another $6 billion dollars or so. We have fairly large organizations, very distributed; most of the agencies are fairly autonomous in how they run their IT infrastructures.
Back to your question now, how are we seeing some efficiencies? We don't have a common backbone, a common wide-area network for the state, but we do have a common data center where all of our mainframe operations are run out of, and they provide WAN services, so we are trying to increase the adoption of some of those WAN services by other state agencies. Obviously, the more customers you have using the same services, the costs go down there.
From my perspective, it's important to be able to centralize a little bit more some of our perimeter security. Right now, we have quite a few different points of presence for the Internet across the state government; the fewer we can have, the better I can consolidate the perimeter security posture of the state. So we do have a project working to start necking those down. It is very similar to what the federal government started with (former federal CIO) Karen Evans a couple of years ago, the Trusted Internet Connections, similar in philosophy.
A couple of other things that I am working on are an enterprise threat and vulnerability management program. It is a vision right now, but it is a program where I want to be able to offer services, security services, to state agencies for things like penetration testing, web application assessments, wireless assessments, network monitoring, security services that you would consider a part of any organization. Because they are so distant and spread out across the state right now, we don't have good centralized visibility into all of the agencies, and so this threat and vulnerability management program, which will come to fruition hopefully over the next couple of years, will be a centralized service that we run out of my organization, providing those kinds of security services to everyone.
My office is also responsible for security policy for the state. We are in the final throes of a project to refresh and develop what I would consider a comprehensive security policy library for the state. I have been here for about a year now, and one of the things that I discovered pretty quickly after arriving was that we didn't really have comprehensive and consistent security policies across the state. I put a program together where we have begun an enterprise policy organization where we set the bar for everything that you would consider appropriate for a policy for all of the state agencies. That is a pretty big job, and we are getting close to actually having the policies drafted; then actually getting them implemented will be the next hurdle that we work through, which I expect to take probably a year or so to roll all of the policies out across the state government.
CHABROW: Would you say that is analogous to what the Office of Management and Budget does for the federal government?
WEATHERFORD: It is probably pretty close to that. OMB is a policy-making organization.
CHABROW: Do you have the equivalent of a FISMA law or a National Institute of Standards and Technology Guidance?
WEATHERFORD: We have actually adopted NIST as the framework that we are building all of our policies and building our security program around. Statutorily, I have authority to develop policy and implement policy. I have authority to encourage agencies to meet policy requirements, and I have authority to help them remediate when they have deficiencies. I have a very similar role, I would say.
CHABROW: How about the skills of IT security professionals in California? What are the main skills that you could use and are they available?
WEATHERFORD: Well, you are scratching an itch right now. That is the next, I would call it the next phase of a project that we have been envisioning, in that we don't have a job classification for security professionals. We don't have a career progression for security professionals, and it is something that I have been trying to figure out how to fix for some time. I think we have an avenue, but it is a cumbersome process to add new job classifications and the requisite skills and training that go along with that into state government.
As you know, I was the CISO for the State of Colorado before I got here to California, and it was very much the same there, and I didn't have the time there to solve the problem. But we got involved with the Department of Homeland Security, and they are working on a central body of knowledge, an EBK, for the federal government. Then last summer they asked if states would be interested in participating in that, so we were one of I think five or six states that went to D.C., and we spent a couple of days discussing the EBK and how we could implement something like that in state government.
Probably the bigger problem associated with that is that 50 sovereign states have different ways of doing business, so implementing a common framework for job classifications, roles and responsibilities across 50 states is probably never going to happen. But if we can just reach some kind of consistency, I think that would be a huge milestone.
CHABROW: That's Mark Weatherford, Chief Information Security Officer for the State of California. We will talk again with Mark in another podcast interview, so please look for that. Until then, for the Information Security Media Group and www.govinfosecurity.com, I'm Eric Chabrow. Thanks for listening.