Creativity Replaces Dollars to Safeguard ITInterview with David Matthews, Deputy CISO, City of Seattle
"We've had to be very creative," Matthews said in an interview with GovInfoSecurity.com (transcript below), relying on help from other city departments and vendors to maximize municipal resources. "We also do a lot with vendors, trying to do pilots and manipulating vendors, if you will, in order to find ways to get their products at a lower cost, working with other government organizations to try to leverage our purchasing power and that kind of thing."
Finding resources to protect IT assets is only one of the challenges Matthews discussed in this first of a two-part interview with Eric Chabrow, managing editor of GovInfoSecurity.com. In the first part, Matthews also describes:
In the second part of the interview, which will be posted presently, Matthews discusses IT forensics and the IT security office relationship with the city's legal department.
ERIC CHABROW: Please tell us about the information security operation in the city of Seattle?
DAVID MATTHEWS: We have a fairly small office, just myself and the chief information security officer, and we try to cover all the basis as best as we can. We do application security forensics for event response and monitoring of different things that are going on the network. We really use a lot of the other IT staff network staff as multipliers to help us get all this work done.
CHABROW: The federal government has the Federal Information Security Management Act, directives from the Office of Management Budget and guidance from the National Institution of Standards and Technology. What do you have in Seattle?
MATTHEWS: There really aren't a great deal of requirements of that kind of things for the city for local government. However, we do have to follow PCI (payment card industry) rules, the PCI data security standards because we do take credit cards. That's probably the main regulation that we fall under.
CHABROW: The state doesn't have any kind of rules that you have to follow?
MATTHEWS: No, not really. There is a state intergovernmental network for which all the different local governments take part in or use for communications for various things. They are working on developing some better regulations. But other than that, there really isn't anything from the state.
CHABROW: Is there any kind of auditing that goes on with IT systems?
MATTHEWS: The state does have an auditor, but we have never had them as far as I know in the history of Seattle, have them audit IT. They audit financials and that kind of thing. That seems to be their main focus. We would love to have regulatory oversight. I think it would be an advantage to us and to all local government to have something like that.
CHABROW: What steps do you formally take to make sure that your systems are secure?
MATTHEWS: We start off with a good policy, a relatively new thing in the city. Six years ago or so I was on the first committee that started creating the formal information security policy, although they had something before that but not real formalized. At that point, is when we first hired the first CISO for the city, about five or six years ago. We started out with that, with a policy, and then we do a lot of user education to try to make sure that the people understand the policy and understand why there needs to be a policy.
Probably the biggest thing we do is communication with the business leaders. The city is a very federated organization with many, many different lines of business, all of which have their own needs and the IT that needs to help them with that. We really need to understand all those different business lines and be able to work with them. We've really done a lot of work over the years getting to know them, letting them to get to know us, and I think we've made a lot of progress in that respect.
Otherwise, we have typical hardware kind of controls in place, the IPS and different things around to monitor the networks and see what's in the antivirus; that kind of thing. ... And we have a good cyber-incidence response process that we use for anything that does come up.
CHABROW: You said you have a very good policy. Please briefly explain the policy.
MATTHEWS: Basically, it tries to define what people's responsibilities and roles are and what the acceptable uses are of digital equipment. We outline classification of data and protection of that data, who is responsible for that and how that is done. It is fairly high-level, though, because [the city] is a federated organization with different departments, different groups and divisions that have different needs. Some need to be much more secure, such as the police department or the utilities.
We are somewhat unique in that we own our own electric utility. We also have the water and the roads and those kinds of things; some of those needs to be a little more secure and some of the others don't need to have such strict security guideline. We make a general overview of what we would like people to do and then we kind of a high level, and we encourage and teach and consult with the different divisions and departments about how they can adjust to make best of the security for them depending on their business needs.
CHABROW: What are the top two IT security challenges Seattle faces?
MATTHEWS: No. 1, and this is not just unique to Seattle, is the financial problems that we are all suffering from. Our latest figures were something around $75 million hole in the budget that we have to face in the coming years, and everybody is having to work with that.
Over the years, that has kind of consistently been an issue of not having the resources we need to really do the work that we want to do. We've had to be very creative, and I think we've done a very good job. [We've incorporated] the IT staff and the network staff and communication staff in all of the different departments and divisions, and really got them on the bandwagon for security and understand it and be a part of it and help us with it. We've had to do without real robust security programmers to tie into using all these other resources. We also do a lot with vendors, trying to do pilots and manipulating vendors, if you will, in order to find ways to get their products at a lower cost, working with other government organizations to try to leverage our purchasing power and that kind of thing. So, we've had to be pretty creative about the way we deal with that particular issue. That is No. 1.
No. 2 is user awareness, and we spent a lot of time working on that. We have a lot of different classes we do within the city and in the community as well trying to give as much information out as possible, making sure people understand why there is a need for security consciousness and the kinds of things they can do to protect themselves, their families, the city, the city's network and that kind of thing.
CHABROW: You deal in areas such as discovering forensics correct?
MATTHEWS: That is correct.
CHABROW: What is the state of art of forensics today in the city of Seattle and how is it being used?
MATTHEWS: We do assist the law enforcement so that is part of what we do. Really more of what my work concentrates on is then response trying to figure out when we've gotten attacked by malware or botnets, trying to do some analysis of that so we can find out exactly what happened and when, and there is a good reason for that.
One of the reasons we really have to do this malware research and really understand when we were attacked, if we were attacked, and what kind of data might have been infiltrated is because there is a state breach law as there is in many states, which says that if any personally identifiable information or personal health information has been breached, we have to notify the folks who had their data lost. So far knock on wood, we have not had that happened in the city.
We also we deal with acceptable use issues. ... Taxpayer money [is] being spent and it is very important to us and a high priority to us, to insure that the digital tools that are provided to city employees are used for city work.
CHABROW: Are social network being used in Seattle government? Does Seattle allow its employees to access social networks?
MATTHEWS: I wish I could say we didn't. I had an interesting conversation with our legal department just in the last few weeks about that, and the first thing that we had to admit was that the horse was long gone out of the barn, and there is really nothing we can about it at this point.
Users - including counsel members, mayor, everybody else - are using social networking, either personally or for city business. There area few of them that have bothered to ask us what we thought about it on the security side of things, but the vast majority have just gone ahead and done it. So the legal department and our office here are working to try to create some guidelines and explain the ... legal issues ... try to give them some guidelines as to what they should and shouldn't do and what their responsibilities are when they post data on to social networking sites.
CHABROW: Is this something that your department is coming up if, or you and the legal department?
MATTHEWS: The legal department is authoring it with our consultation.
CHABROW: Is there an attitude in government that city IT professionals should be able to figure out ways to use the technology, or is it just sometimes you just say you can't do this?
MATTHEWS: We recognize that our No. 1 job is to help the business work. That is where we try to come from with all of our work. There is always a temptation as a security professional to just say turn everything off and we'll be safe. But, in the end, we recognize and we ... understand that it all starts with what are the business requirements and that our job is to make sure the business works and not to put the stops on it. We do need to understand first the way things work, what needs to happen, and then secondly, how we can assist in making that happen in a secure way with as little distraction or trouble as possible. We always start from that point of view.
Social networking is a good example. We certainly understand there are some great uses. We really want a person to understand how they can use them in a way that will enhance their work product and not get themselves in trouble, and not cause trouble in the long run so that it doesn't end up being a distraction or something that hurts that business or the city.