CISO as a Leader to Transform GovernmentFour-Step Model Forwarded to Improve Delivery of Services to Citizens
That's the point championed by Nevada CISO Christopher Ipsen. "We need to embrace change effectively because it's coming and we need to look at those opportunities that we have in these transformational states and embrace change in a positive manner," Ipsen says in part two of an interview with GovInfoSecurity.com (transcript below).
Seeing transformation as a challenge, Ipsen says the intelligent adoption of emerging technologies can help government change, by focusing on:
- Vision and empowerment to act,
- Strong architecture and rigorous security controls,
- Effective intergovernmental collaboration and
- Effective public/private collaborative.
CISOs are well situated because their involvement in securely deploying technology affects nearly every aspect of government. "I have been involved with a number of projects, a number of great ideas, never got off the ground because there wasn't a strong leader behind the process pushing it forward," Ipsen says. "We need strong leaders moving forward. And if you look at all of the challenging times we have experienced in history, the leadership has been an essential quality."
Ipsen, interviewed by GovInfoSecurity.com's Eric Chabrow, oversees the security of Nevada's enterprise data and network infrastructure. He chairs the Nevada State IT Security Committee, is a technical representative for the Nevada State Fusion Center and is a member of the Nevada Technological Crime Advisory Board and the Multi-State Information Sharing Advisory Council. He also served as Nevada's chief enterprise architect. He holds certifications as a certified information security professional, information system architectural professional and certified information security manager.
In part one of the interview, Ipsen discussed the financial struggle state CISOs face in funding IT initiatives.
ERIC CHABROW: You recently wrote an article on how state CISOs can intelligently embrace emerging technologies in a transformational model. You suggest they focus on developing four areas: vision and empowerment to act, strong architecture and rigorous security controls, effective inter-governmental collaboration and effective public/private collaboration. Before we get to those, just briefly tell us a little bit about this transformational model from a 60,000-foot level.
CHRISTOPHER IPSEN: It's an observation that I am having right now and as you sit back and you look at government and you look at information security, you are oftentimes challenged as a state chief information security officer. What I'm seeing, and this was actually started by a discussion that I heard about three years ago from a former controller general of the United States, David Walker, he talked about the future state of government.
What he essentially said was that we're in a perilous state and that it is not a particularly positive message but he talked about not the fact that we don't have a budget but that we have three budgets and we are not following any of them and without strong fiscal accountability on how we spend, that governments are at risk.
From my personal perspective, that really sparked my interest. I thought about that and about what happens to governments that are traditionally slow to move, slow to change by design; democracies that move fast are not good democracies. What happens when they are forced in to changing quickly?
We fast-forward three years from that point, and now we are in a fiscal crisis. Two years ago with the federal government, we had a strong fiscal crisis in the private sector, in the public sector, and government is still lagging behind, we don't have the resources to do what we need to do, so what we are required to do is transform. And, that transformation will occur whether we come up with good ideas or not.
My presupposition is that we need to embrace change effectively because it's coming and we need to look at those opportunities that we have in these transformational states and embrace change in a positive manner.
In looking at that, about four years ago we had a brief from the National Association of State CIOs that talked about the transformation state and the first concept is a sense of urgency. Well, we have got that sense of urgency right now and it really begs what do we need to do and those four concepts represent the ideas that I have been able to derive from both the transformational model and juxtaposing it against a state framework.
CHABROW: Okay then, let's just start discussing them. You first mentioned vision and empowerment to act. What is that?
IPSEN: If we are going to transform our leaders, our legislators, our governors, our secretaries of state, and our attorneys general, we need to come together and recognize that certain parts of our government can be improved through technology.
When I go out and talk to all of the leaders that I can talk to, I ask them three questions. Do you think you are going to have more money going forward? And, the answer is always no. Do you think you are going to have more people? The answer is always no. Do you think that the service requirements are going to be less? The answer again is always no.
We have more demands to our resources, what do we use to bridge that gap? It is always technology. Technology, at least good technology, has that ability to bridge that service delivery model, but without the executive sponsorship of people who are making decisions about the budget, the ability to invest in technology and good technology, nothing ever happens.
I have been involved with a number of projects, a number of great ideas, never got off the ground because there wasn't a strong leader behind the process pushing it forward. Even David Walker in his discussion mentioned that the silver lining is that we need strong leaders moving forward. And if you look at all of the challenging times we have experienced in history, the leadership has been an essential quality.
CHABROW: Next on your list was strong architecture and rigorous security controls.
IPSEN: Having been both an enterprise architect and a chief information security officer, it's interesting to me is the contrast in requirements moving forward.
Strong architecture tells me we can spend resources efficiently if we plan efficiently for building those systems. That really speaks also to the business people that say what do we need to define our businesses well? What do we need to do as government and how do we build systems that reflect the appropriate roles of government?
Secondly, once we have defined that, we also need to be extremely mindful of rigorous security controls around that data that we collect. We may or may not be aware that governments compel citizens to give them information. When they do that, I believe that it is government's role to protect that information with all of the tools and skills necessary to make sure that it doesn't become compromised.
CHABROW: You then talked about effective inter-governmental collaboration.
IPSEN: Some of these sound very somewhat superficial; all we need to do is collaborate as governments; we need to talk more; we need to work together. One of the constraints of us being effective as an enterprise is if we cannot work together, and I mean cities, counties and states, effectively, then we cannot effectively build enterprise systems.
It's critical that in government we work together and there is no incentive for us to compete against each other. In the private sector, if you have one company that does a job better than another that is called a competitive advantage, it is a way of building a business; building a better mousetrap. In government, our bottom line isn't the bottom line; it is to deliver services effectively.
If we look at the way we can serve citizens better, create a citizen-centric view of building systems, and partner with counties and cities, rather than compete with counties and cities, then we have the ability to build systems that reflect the citizens best interest.
I am really happy to say that in Nevada, we talk all the time; chief information security officers and all information security professionals, we try to talk at least once every two weeks and we have got ongoing calls to talk about opportunities and shared responsibilities. I know that quarterly our CIOs meet and we talk about those opportunities. And more than just talking about technology we learn about each other and I think it is a really rich environment for us to move forward.
Actually, about four years ago we created a governance model called the Nevada Shared IT Systems Governance that allows us to leverage enterprise buy for counties, cities and state, and also to develop systems that are in the maximum benefit of the citizens. So that is really an accomplishment Nevada has along with the State of Nevada Entities IT Association, we meet on a regular basis to talk about our challenges and we are actually very committed to coming up with solutions. Those are a couple of examples of how we have done a good job and where it is necessary for governments to collaborate.
CHABROW: In some states there is this great feeling that control should be local. I don't know what it is like in Nevada or not, but would there be resistance at all by giving up certain authorities, or that is not really a big problem?
IPSEN: Well, I think, it is always a challenge. If you are in an entity, you have a mission to deliver a service and a larger entity comes along, or a smaller entity comes along and says, "I'd like to approach you about how you can improve your business." Well, that's like any other thing in life, we are somewhat resistant to change if we feel like we have got a working solution already.
The key for me is to come up with compelling solutions. If we have a better solution, if it is a more cost-effective solution, if it meets the scrutiny of standardized policies and procedures, if we have effective change control management, if we have rigorous controls around it, why would you not want to participate with it?
Speaking honestly, oftentimes people say, "Well, what's my role in this?" And, that is one of the key areas that needs to be addressed is that everyone has a role in this system and it is also a role that allows them to be more involved if they embrace it more effectively. How you approach the problem, the problem does exist, the challenge does exist, and that the way we overcome that challenge is by communicating effectively what role every IT professional in the state has in this common vision, and most importantly, what is the advantage to the citizens moving forward.
CHABROW: Finally, there is effective public/private collaborative.
IPSEN: Maybe it is just me, I have to admit I have a little bit of a bias; you know, when you are working in the public sector and you say, "I'm a civil servant and I'm very proud to say that I am, at least in the beginning of my career I thought, well I am in the (public) sector, I don't make as much money and I am doing this for the right reason that I have got a civic mindset. Hopefully, as I have matured through my career I have realized that this mindset also exists in the private sector. And, there are a number of individuals who are genuinely interested in doing the right thing for government because they are citizens as well.
As I have reached out to the private sector, I have found that my experience was actually opposite of what I thought it would be in the beginning, and I think it is imperative that we reach out to the private sector to say if there is a capacity that we can't do, we need to embrace your capabilities in the private sector to partner together.
One of the things that at the recent NASCIO rollout of the CISO IT security survey was in terms of the public/private collaborative; the assumption was that we could allay risk, that the risk is because we don't have the resources, where we can outsource the risk and capabilities to the private sector. I actually challenge that premise in the sense that I don't think states can offload risk.
We have a responsibility whether we choose to accept it or not, but we need to embrace private sector efficiently to say that if you can help us with allaying our risk for the citizens, and in a more efficient manner, then we need to look at that. So this is where the concepts of cloud computing: what's the right cloud, what's the right governance model, what's the appropriate way to engage private sector. Not to address that problem is to be negligent. We have to effectively embrace it and we need to communicate and continually reach out to the private sector to build effective collaborations.
CHABROW: When you talk about the private sector are you talking about the vendor communities out there or are you talking about the user communities out there who are citizens of your state?
IPSEN: Primarily, I am talking about the vendor community, but then also the citizens as well. The key for me is how do we do it better; how do we do it more efficiently; how do we own the risk? As a state, we have responsibilities, and one of the things that is critical to understand is in the vendor community, if somebody doesn't do something well and they are not very efficient and they fail, then those individuals who are within that company are the ones who are affected, any shareholders and any workers.
If government fails, the consequences are much more kind of cataclysmic. If we have an improper voting system, if we have unreliable systems that leak personal health information, if we have systems that continuously give up identities from a motor vehicle system, then we have got significant problems that run beyond just an actuarial problem, a cost problems. We have problems that affect our democracy.
In that regard, it is important that we own the risk, that we build systems that are effective, and that we are continuously to develop best of breed solutions on behalf of the citizens moving forward. We are living in challenging times and what is important for us is not to bury our heads in the command line or immerse ourselves in compliance requirements. We need to lift our heads up and look at the world around us and to build a reliable system for government that embraces our democracy moving forward and to recognize that we are in interesting times but there are also opportunities in these adversities.
And, as we approach fiscal constraints that we (a) look for leadership, (b) that we build systems that have strong architecture and rigorous controls, that we reach out to all of the governmental entities within a state and say, "How can we do this better on behalf of the citizens," and also look to the private sector to partner with them in an efficient manner to build enterprise licensing agreements and to leverage capacities so that we can all be the effective civil servants that the citizens deserve.