Safeguarding a Massive, Decentralized IT System - Interview with California CISO Mark Weatherford
In fact, Mark Weatherford, California's chief information security officer, sees decentralization as the largest state government's biggest IT security threat. "We are so decentralized that it is hard to have your finger on the pulse of what is going on in every agency," Weatherford said in an interview with GovInfoSecurity.com (transcript below). "We face the same kind of threats as everyone, whether it is a virus or a DDOS (distributed denial of service) or identity theft, the threats are the same. Your ability to respond to those threats and identify those threats is really the biggest issue."
In the interview, Weatherford also discusses privacy concerns, cloud computing and the impact of the economy on IT security.
In Part 1 of the interview, Weatherford champions an initiative to create occupational classifications for IT security professionals, a categorization he contends would make it easier to recruit and retain infosec experts.
Weatherford spoke with Eric Chabrow, managing editor of GovInfoSecurity.com.
ERIC CHABROW: What is the greatest threat to California's IT systems, network and data?
MARK WEATHERFORD: The greatest threat is probably the simple fact that we are so decentralized. We are so decentralized that it is hard to have your finger on the pulse of what is going on in every agency. We face the same kind of threats as everyone, whether it is a virus or a DDOS (distributed denial of service) or identity theft, the threats are the same. Your ability to respond to those threats and identify those threats is really the biggest issue.
The decentralized nature of state government doesn't lend itself well to that, to being able to consistently identify things across the enterprise. If you can't identify it, it is hard to respond in a consistent and appropriate method. We have so much sensitive personal and business information on all of the citizens and businesses in California that protecting that information, that is specific data, is kind of a constant worry of mine because it is so ubiquitous across state government.
CHABROW: Switching topics just a bit, I was reading your blog you wrote shortly after you returned from the Black Hat Security Conference and in your blog you mentioned three sessions that you enjoyed attending. I would like to discuss each one briefly. First, the session called I Just Found 10 million Social Security Numbers. Are such breaches a problem in California? Is this among your biggest concerns?
WEATHERFORD: That specific talk was about some research done at Carnegie Mellon, where they were able to use public information and predict Social Security numbers, using things like date of birth and state of birth. Just simply because of the non-randomness of the numbers, they were actually able to predict the Social Security numbers of people from what is called a Master Depth File, MDF.
That goes back to my previous comment about sensitive information we have. Think about all of the different state agencies, we have a lot of sensitive personal information about people, so it is very important that those individual organizations understand where that information is located within their agencies and that they are, in fact, providing the appropriate levels of protection for that.
CHABROW: The second session was Cloud Computing Models and Vulnerabilities. Can cloud computing be secured for common use at the state level? What is being done in California regarding cloud computing and securing it?
WEATHERFORD: We haven't moved wholesale into the cloud environment, yet. I think that probably in a few years we won't have this discussion because we will be doing a lot of business in the cloud. I do have some concerns, obviously; once you put information out in the cloud, you do lose a lot of access to that, and you lose a lot of control of that information. And, as I pointed out in the article, sometimes you may not even know that your information has been subpoenaed or if in fact it is being accessed by other law enforcement agencies until after the fact.
It is a concern that once you put things out there, the vendor that you are working with is providing the same level of protection and due diligence that you would apply within your own agency. Obviously, there are tremendous cost benefits to doing that and not having to maintain your own infrastructure, not having to have all of the skills at hand to do that. Quite frankly, governments and state governments may not be as quick to adopt cloud computing as the private sector, and there are probably some agencies and some kinds of information that simply will never be appropriate to put out in the cloud. Certainly things like national defense and critical infrastructure-type information, things that you consider very, very sensitive, are probably going to be a while before you see a wholesale adoption of cloud computing for everything.
CHABROW: The third session was called Reconceptualizing Security. Shouldn't cyber security be constantly reconceptualized as threats grow and change?
WEATHERFORD: That was a Bruce Schneier (IT security guru) talk and he has got a pretty interesting idea on applying psychology and economics to the protection and security of information. We are probably a little immature, probably like most state governments, in looking that far out to some of those kinds of things for our security.
I am still involved with some of the more mechanical aspects of protecting our information rather than getting out and thinking about the economic benefits and the economic implications.
Certainly, the current economic environment in the country has caused us to take a little bit of pause and look back at some of our personnel issues because there is, obviously, a little bit of a worry about how employees might react to things like layoffs, things like pay cuts. My office has been fairly proactive about making sure that agencies are paying a little bit more attention to employees' behavior, certainly employees that are being laid off. The whole psychology of decision making, we are not really into that here, yet.
CHABROW: Can't afford to have that kind of luxury?
WEATHERFORD: Yeah, you can only afford so much and I can't afford a psychologist on staff.