City CISO Creates Own IT Security Guidance
Backing of City Manager Crucial
As Moulton explains in this interview with the Information Security Media Group's Eric Chabrow, Charlotte and North Carolina don't have the luxury of the Federal Information Security Management Act, the Office of Management and Budget and the National Institute of Standards and Technology to regulate and guide IT security compliance, though NIST guidance is often employed.
Still, cities like Charlotte - population topping 600,000 - look to Washington for ideas, and Moulton says he's closely following developments from the White House as President Obama rolls out new federal cybersecurity initiatives, and wondering what impact they could have on his operation.
Here's an edited transcript of Moulton's conversation with Chabrow:
ERIC CHABROW: What are the primary information security challenges facing the City of Charlotte?
RANDY MOULTON: When I first came to work for the city, we didn't have any regulatory requirements, where we had to do things to meet the standards of outside entities. In the last three years, that has come about. Every year, we've had a couple of new ones added. It initially started with having to do the Payment Card Industry requirement. The city uses a credit card as a payment medium for a number of the services that they offer; we have 11 merchants. We had to go through and get 11 merchant PCI requirements. That was a big cultural shift for the city because you typically didn't have that type of thing that you had to do, particularly in information security.
Since that point, North Carolina passed an identity theft law, and we had to deal with that. The federal court started establishing standards around e-discovery, and that kind of rolled downhill into the state and local courts, so we have had to take that on.
We are starting to get involved in retention. The state is establishing retention requirements around e-mail and all those types of documents, which have always been subject to the Freedom of Information Act. Now, you need to keep this stuff for this amount of time. All these outside influences were dictating the law of what we have to do, and we have to respond to that. That's been one of the big drivers over the past couple of years, along with just the constant cyber attacks and virus updates, which has become pretty commonplace, but you have the ebbs and flows with that.
CHABROW: The federal government has the Federal Information Security Management Act, the Office of Management and Budget and the National Institute of Standards and Technology, and they are all involved in providing direction to federal agencies in IT security governance. Is there anything equivalent to that in Charlotte or North Carolina?
MOULTON: No, there isn't anything equivalent to that. But, essentially, what occurs, and you saw this exact thing happen with e-discovery stuff in federal courts, is it just kind of rolls downhill. As the President is getting this whole cyber security thing going, my expectation is that whatever comes out of that will roll downhill and that's what we will end up doing. North Carolina doesn't have any specific thing around information security. You know, and everybody kind of uses the NIST standards, and all that, it's kind of the standard that you base your stuff on, and in fact, what we do here, with our information security policy, and all that, is we have elements of that within it, as well as some of your other standards.
CHABROW: What exactly is Charlotte's information security policy? Is that a formal document that you created and can be followed?
MOULTON: Yes, it is. Having an information security policy was a requirement for PCI. I went and created the information security policy, and went through the various technology committees that we have in the city, and it eventually made its way to the city manager, who signed it. It is a City of Charlotte policy that everybody follows, and that defines my roles and responsibilities as chief security officer. When we do information security, it's based off of that document, and there are a few supporting documents to it as well.
CHABROW: Is there buy-in from the city manager for information security, sort of like what the president is doing nationally?
MOULTON: Yes, he is very supportive of information security. I know he is always there if we get to something that would actually raise to his level. And, in addition to that, my boss is the CIO and he is extremely supportive of it. From that senior management perspective, I have great support.
CHABROW: What does that support mean?
MOULTON: There is an understanding in the city that information security is important. If we are in a situation where I need something, I know that I can go to senior management and I'll have the support to do whatever it is we need to do to remedy whatever the situation may be. It makes my job easier, in that all the various business units have an understanding. It's important to the city manager, it's important to them, that I can go into a meeting, and say, "This is what we need to do." Everybody is onboard and they are all interested in resolving whatever that situation is.
CHABROW: With the president announcing a cybersecurity initiative for the White House, and Congress considering legislation to reform information security guidance, what impact, if any, do the goings-on in Washington have on securing IT in Charlotte?
MOULTON: That's a really good question. It's something that I've been paying particular attention to. I don't exactly know what that effect is going to be. I've read one thing, and I think it was actually maybe on your website, that when they were talking about the scope of what cyber security was, they were talking about that it would include water systems, traffic signals, airports, 911 systems, and all that. Every item that they mentioned, we do at the city of Charlotte. The city sells water, the city operates traffic lights, the airport here in Charlotte is run by the city, and of course, we have police and fire, and they're associated with 911 systems. It could potentially have a lot of effect on us, because we have all of those areas.
CHABROW: You've been in this job about four years. Has anything surprised you about information security in Charlotte, since taking office?
MOULTON: The thing that surprised me and actually continues to surprise me is the amount of support I am able to get out of the organization, to do what we need to do. Sometimes we end up in a situation where we have to do something that is fairly drastic. And I'm sitting here and I'm looking at this, and I'm like, "We're going to have to do this thing, and people are going to freak out." We go in there, we get in the meeting, we explain the situation and we say, "This is what we need to do." And, people are very supportive. It's very refreshing.
But at the same time, it never ceases to amaze me, because maybe I'm just more on the pessimistic side, but I always think I'm going to be in for a major fight, and it just doesn't happen. The technology managers and the executives for the various business units have been extremely supportive of what we needed to do to ensure that we are protecting the information of the citizens, and it's a nice surprise every time it happens.
CHABROW: Why do you suspect they have that attitude?
MOULTON: I have no idea. I've wondered that myself. I think they have confidence in the information security program that we've developed here.