Assuring State ISOs Have the Right Stuff
Getting Agency Information Security Officers Up to Snuff
A California law requires each of some 120 state agencies to have an information security officer, but not every agency ISO is well-versed in IT security.
Before the law took effect two years ago, about 60 percent of state agencies had ISOs; now they all do. But because of a dearth of trained information security professionals, and a lack of money in state coffers, many of the agencies designated other information technology specialists, including some chief information officers, to be their ISOs.
"Some of them also were not IT classifications, so it kind of brought to light the fact that a lot of the ISOs did not have the skills sets or training to be ISOs," Keith Tresh, director of the California Office of Information Security and state chief information security officer, says in an interview with GovInfoSecurity [see transcript below].
But Tresh is working on a plan to make sure all agency ISOs become qualified. His office is charged with developing standards for agency ISOs, and is working with the state Office of Professional Development to provide the training to get those underqualified ISOs up to snuff.
Deputy Director Michele Robinson, in the interview, says California participated in a federal Department of Homeland Security study that produced an "essential body of knowledge for IT security professionals." Findings from that study will be used to identify the skills IT security professionals in California state government will need to oversee agencies' information security programs.
Tresh and Robinson are realists; they recognize that highly rigorous IT security requirements won't work, at least for the foreseeable future. They envision less stringent requisites for smaller agencies. "We don't want to establish these criteria and responsibilities and skill sets so high that nobody can get into it," Tresh says. "We want to have that spot where there is a minimum level, so we can bring them in for training and development to grow them. ... Those would be at the smaller agencies so they can gain the experience there and then move up through a department or agency to get to a large agency and then possibly to the state level where we are at currently."
In the interview, Tresh and Robinson discuss:
- Minimum qualifications for agency ISOs;
- How they involve various stakeholders, including labor unions, in deciding the qualifications for agency CISOs;
- Recruiting IT security professionals inside and outside of government.
Tresh had been serving as chief information officer of the California National Guard since 2006 when Gov. Jerry Brown tapped him to be state CISO last fall [see Golden State's New CISO: Keith Tresh]. Tresh held a number of positions in the National Guard between 1993 and 2005. He served in the United States Army in Iraq as a brigade communications officer from 2005 to 2006.
Robinson had held senior IT security positions with the state Department of Finance and the California Unemployment Insurance Appeals Board.
IT Security Governance in California
ERIC CHABROW: Before we discuss getting qualified ISOs to oversee each agency's IT security functions, please take a few moments to explain how IT security is governed in California state government?
KEITH TRESH: We have statutes that the government has put in place, and we are supposed to have oversight of the training program to make sure that the security professionals in the state actually are in these positions, and then to ensure that we help get them trained to the level of competence that would make them good ISOs within their agency.
MICHELE ROBINSON: Essentially our office directs the state agencies through policy, standards, procedures and guidance, and one of the directives, supported by statute now, is that each agency has an ISO to fulfill the security roles and responsibilities within both entities. We meet regularly with the ISO community. We have been working diligently to try and ensure that the ISO community has the resources and skill set needed to be successful in those roles, and we've seen the need and determined there is a gap to fill with respect to training and development for ISO professionals within the state.
TRESH: This is a nationwide issue, and it's not just ISOs. The Office for Professional Development that was established is also there to help all IT professionals within the state of California get the correct skill sets and grow them, so that we have a good succession planning process as well within the state. So it is kind of a dual mission.
CHABROW: The legislature in 2010 enacted a rule that required each agency to have an information security officer. At the time, how many of the hundred and twenty or so agencies had an ISO?
TRESH: We believe 60 percent of them had.
CHABROW: The ones that had ISOs at the time, were they doing other jobs too?
TRESH: Yes, that is kind of the challenge, and a good point. A lot of them, even if they had an ISO, that ISO could have been somebody that had multiple hats, you know, two or three hats. It could be the CIO filling in as the ISO, but then also there were some of them that were not even IT classifications, so it kind of brought to light the fact that a lot of the ISOs did not have the skill sets or the training they needed to be ISOs because they did have those multiple roles.
Little Kept Secret
CHABROW: And even today, where every agency now has, or is supposed to have, an ISO, even some of those aren't really trained to put out the position, correct?
TRESH: That is absolutely correct. There is no secret about the California budget and the constrained resources and positions. A lot of folks have had to make decisions in their agencies, and so some of those folks have been placed into the ISO role to meet the statutory requirement, but are indeed not necessarily ISOs full-time.
CHABROW: The law that went into effect basically said that each agency needs to have an ISO, but it left it up to, was it your office, to help develop the standards for what the qualifications of the ISO should be?
ROBINSON: Yes, another section of the statute specifically called out that our agency is charged with establishing some specific qualification criteria for ISOs.
CHABROW: Okay, so why don't we spend a few moments to discuss first, how you went about to determine what those qualifications should be and then what are those qualifications?
TRESH: When you are a network person, you need to know stuff about routers and how things go, and so on the security side we want to make sure folks understand, you know, a little bit about how do you look for things, how do you troubleshoot things? We talk about attacks or breaches or viruses and stuff like that, so being able to understand how to look for what you're looking for, and those kinds of things, is how we kind of got to what kind of skills we think they need to have to be a good ISO.
ROBINSON: Sure, I just want to clarify that what we have today is some proposed qualification criteria that we all need to work with our new Office of Professional Development, in the state's human resources department, to put in place. So at this time the qualification criteria that we're looking at are proposed. Some of the inputs into that proposal were a Department of Homeland Security report from a study that California actually participated in several years ago to establish what is called "An Essential Body of Knowledge for IT Security Professionals". So California, including our HR department for the state, was involved in that particular study, as well as some other states across the nation. So that was a significant input into what we're proposing for qualification criteria here in California.
Setting Minimal Qualifications
CHABROW: Can you go into some of the high-level criteria?
ROBINSON: At a very high level, we were looking at a minimum number of years' experience and certifications at varied levels. We are also looking at individuals with IT skills who could be placed in a training and development assignment to achieve that minimum number of years of experience for the entry-level ISO position.
TRESH: We don't want to establish these criteria and responsibilities and skill sets so high that nobody can get into it, so, as Michele alluded to or was talking about, we want to have that spot where there is a minimum level so we can bring them into the training and development to grow them so that we can get those. But those would be at, like, the lower end or the smaller agencies, at some of the lower-end positions, so they can gain the experience there and then move up through the department or agency to get to either a large agency and then possibly to the state level where we are at.
CHABROW: What do you have to do to finally make these criteria part of the standards that you're going to enforce?
TRESH: We've got to work with the personnel folks, and we are working through our Office of Professional Development to do just that, because for a lot of these, there are bargaining units within the state civil service, folks that we deal with, and we need to make sure that these skill sets and the training and certification we're talking about are acceptable and that they are going to agree to them. So we're working through the Department of Personnel and with our Office of Professional Development to have that plus this work, so that once we do get them agreed to, we could get them put into place right away.
ROBINSON: To add a little more about the process, we have to vet the proposal through the IT community, but perhaps meet and confer with represented groups to see if they had any concerns or issues with the proposal. Certainly respond to questions about how it would actually be carried out in achieving civil service staff meeting those criteria.
CHABROW: In California, these are civil-service jobs, the information security officers for the agencies?
TRESH: Correct, all of the positions are state civil service.
CHABROW: Are you considered civil service in your positions?
TRESH: The positions we are talking about are state civil service. No, I'm an appointee but for the most part they are.
ROBINSON: Especially if you were looking at an entry level into IT security in the state, it probably would not be at that level.
Starting Off at Smaller Agencies
CHABROW: When you are talking about entry-level ISOs, are you talking about people responsible for smaller agencies?
ROBINSON: In some cases, yes.
CHABROW: IT security programs?
ROBINSON: Right now, it is a pretty broad range and depends on the size and scope of complexity of the particular agency, but that is a factor.
TRESH: We've got boards that are eight to 10 people that would have an IT person; so yes, as Michele was saying, the size and scope of, you know, what their responsibilities as an ISO are is really what we're kind of alluding to when we talk about entry level.
ROBINSON: But in most cases, we would be looking at the ISO position needing to be at a level where they could carry out their responsibility. Based on our proposed criteria that would probably be at the first-level manager, supervisor and above.
If you had an employee who actually wasn't at that level, but who could be developed into that position, that is what we're looking at.
CHABROW: I gather most of the potential ISOs are people who have some kind of supervisory or managerial experience in addition to whatever technology they are coming from, but it may not necessarily be security.
TRESH: Ideally, yes, but that's not always the case. So that is part of the other thing when we're talking about criteria and kind of minimum skill sets. That is kind of one of the things we want to wiggle into that as well.
Where California Finds Its ISOs
CHABROW: It sounds as if, as you're looking for these ISOs, you are looking internally within the California state system, at people employed already. Is that correct?
TRESH: For the most part, but as we have for every position that we hire for, there are state lists. In fact, we were interviewing for one of the positions, and we've had folks coming from the private sector that took the test, and so not necessarily from within, because if you've got folks who have worked in the private sector or at the federal level that have the same skill sets, and they take the test and get on the list, yes. We want to grow the IT force in the state by doing all these things, but bringing folks in from the outside, if they've already got these criteria and skill sets, is something that we're also looking to do because it helps broaden the perspectives that we get as well.
CHABROW: You've identified people who could be potential ISOs. What do you do as a state to provide the necessary training? How much is it through your office? How much is it through each of the specific agencies, and how much of it is the individual candidate's own responsibility?
TRESH: As the state, if we want to have a trained and good workforce, we bear some of that responsibility, and that is something we have to work through to ensure that we put into this program once we put it together. Resources and budgets are constrained, and so there is going to be a certain level, probably an 80/20 split, maybe more like, I'm sorry, like a 65/35, where the state would put together a program, and the potential employee would be notified, and/or it would be discussed with them, that some of the training is going to be on them, and the re-certifications down the road for some of the programs would be on them as well.
ROBINSON: At a very high level and just generally speaking, it would be a shared responsibility across the board. We continue to develop training that we deliver from this office for ISOs, and we'll continue to do that, and then to the extent departments and the individual seeking appointment in the position are working together to map out an actual training and development plan, if that is necessary, to get the individual to the level of qualification that we're going to specify.
TRESH: The part that Michele just said, the shared responsibility, I think is much more pertinent than trying to do a split saying like an 80/20 or 65/35.
CHABROW: Is there money for IT security in California? I hear all these stories about how tight things are out there?
TRESH: Right now, there is very little, and there is no specific security money. It's all wrapped up into the IT budget that each department or agency or whatever has, and it goes with priorities, and at each agency and department, their directors have to decide, you know, what they are going to do. That is why it is very important for the ISO and the CIOs to have a good relationship with the senior leadership of the agencies.