The CISOs' CISO
"Most of our critical assets are either owned or operated by the private side so ensuring that this was a very inclusive process was essential if we were going to succeed in whatever the challenges that we were going to face post-9/11," Will Pelgrin, New York State director of cybersecurity and critical infrastructure coordination, said in an interview with GovInfoSecurity.com (transcript below).
"I'm constantly looking at a bigger picture and making sure that the individuals who are around the table are part of that process because no one entity really has the answer," Pelgrin said. "That collective view is always more powerful than the singular view."
In the first of a two-part interview, Pelgrin - a CISO many other state CISOs look up to - also discusses the synergy between safeguarding IT and physical infrastructures.
Pelgrin was interviewed by Eric Chabrow, managing editor of GovInfoSecurity.com.
ERIC CHABROW: The office you lead combines protecting information systems, networks and data as well as the critical physical infrastructures of New York State. Why combine safeguarding the digital and physical into one office? Where are the synergies between the virtual and the real?
WILL PELGRIN: My office is primarily focused on the cyber side of the house. The critical infrastructure side is more of a coordination role. The entity that is entrusted with that protection is the Homeland Security Office; however, the reason why it was important to have it as part of my agency's responsibility to at least coordinate the data associated with those critical assets is that we really can't separate out any longer the physical side from the cyber side of the house.
History has proven to us a physical attack can have major cyber consequences, as well as a cyber attack can have major physical. So it is really essential that there is a relationship between the two so no one looks at them in a stovepipe fashion.
CHABROW: It is almost mind-boggling coordinating efforts to secure government IT and critical infrastructures among the federal, state and municipal governments as well as utilities, financial institutions and other private-sector enterprises. What are the successes in doing so and what are the challenges that remain?
PELGRIN: One of the things we did early on, and this is after the horrific events of 9/11, is that we started a public/private partnership because we really needed to ensure that the right people were at the table in a trusted environment, what I call a safe haven.
We brought in all the critical infrastructures from the private side; as you know, most of our critical assets are either owned or operated by the private side, so ensuring that this was a very inclusive process was essential if we were going to succeed in whatever the challenges that we were going to face post-9/11. From a cyber side, we were one of the first that started looking at those public/private relationships, so we brought in the financial institutions, the utilities, the telecommunications, the agriculture, and one of the best things that occurred is that we developed a relationship.
We would love to say that based upon my title or based upon somebody's position in their industry that that should be sufficient, but as we all know, currently and for the future that I can see out there, it really is based upon a personal, trusted relationship. Making sure you know who those people are, having them at the table and having that conversation in sort of that trusted environment is absolutely essential, both from a sharing-of-information perspective, but also from a response perspective when something happens, whether that is manmade or a natural disaster; this needs to be an all-hazard approach.
CHABROW: What are some of the challenges in continuing or developing that relationship?
PELGRIN: I am not sure if it is a challenge. I think it is an ongoing process. It is an evolutionary process. I'm a big believer that you don't plan it out to death; I'm a real delivery-oriented individual, so this is one that is just growing and increasing over time.
As human beings, we have this ability to conform to complacency sometimes, and so, if that is a challenge, the challenge is to make sure that we keep it before how important this is and that this is essential for our future to be as secure as we can be.
But, I am really pleased that every year I ask each of the major sectors whether or not this activity that we are in, this public/private workgroup activity, is something that is important and should be continued, because something that came out of those tragic events of 9/11 may or may not be so important now in 2009, and I am pleased that every sector has agreed and sees the value in moving forward.
One of the evolutions of this is how do we make sure that it gets beyond those that are just on the phone calls. We try to include every company that wants to participate and every public-sector entity that has a relationship on the subject matter, and then to cross-sector that because of the dependencies and interdependencies. Every other month we bring them all together on an interactive webcast to share across sector lines how essential it is.
The next phase of this is making sure that we have really incredible penetration into the sectors that we are trying to provide a value to, and that is always an issue of who is out there and who is the right person to communicate with, in making sure that they get the appropriate information that they need in order to help both mitigate or protect their systems.
CHABROW: There are several bills before Congress to reform the way the federal government governs information security. As Congress considers these bills, there's talk about getting private-sector buy in to protect the nation's critical IT infrastructure. There's no consensus on whether or not there's a need for incentives to get the private sector to be cooperative. What advice would you have to Congress as they structure these bills?
PELGRIN: My counterparts in the private side are entrusted with the security of their industry, whether it is cyber or physical or both, and what I am always amazed at is that everybody is trying to do the right thing and everybody wants to participate in making a difference and improving the posture that we all face every single day.
The challenges, as you know, are changing at lightning speed. This has to be with everybody at the table. This has to be an inclusive process.
I think there is willingness. I can tell you my experience is that there is absolutely a commitment and passion to improving our nation's cybersecurity efforts at both the public and private level. Bring them all together, to make sure you have the right people ... that there are environments that really foster those meaningful, trusted communities of interest that allow for real cultural changes, because one of the things that I am always striving for is not just fixing a specific spot, check of a problem that you may have identified, but then looking back systemically from an enterprise perspective to how we can improve the system so that we may be better able not to have that occur ever again, versus in this department, in that department and down the road.
I'm constantly looking at a bigger picture and making sure that the individuals who are around the table are part of that process because no one entity really has the answer. That collective view is always more powerful than the singular view.
CHABROW: Is your feeling that there won't be a need to have some kind of regulation adopted to get cooperation?
PELGRIN: No, I don't know; that's a great question. I think that in certain cases regulations have helped and in other cases they have not. If there is a need for regulations, they should be built with a community that is public and private sector as to the appropriateness and the implementableness, if that is a word, of those regulations.
One of the things that I can tell you in New York State is we have mandatory policies. We build those policies with the input from all of the state agencies that I am responsible for at a very core and substantive perspective. The other thing that I always ensure is that, at the end of the day, the standard that I am about to issue is able to be implemented. It does no one any good if you put a policy out there or a standard out there, even if you mandate that, if it really isn't able to be implemented. It may look great on paper but it is not going to do anybody any good.
I am of the philosophy that you constantly raise the bar versus setting it so high that nobody can ever achieve it and therefore there is a failure immediately. With that said, there is a bare minimum bar that has to be set, however, where for anybody who fell below that bar, the vulnerabilities or the threats and the expectations are just so great that it is unacceptable, but there is a huge gray area between that bar and the platinum bar, so to speak, of where we would all love to be. To me that incremental approach is a day-to-day due diligence approach to keeping moving that bar.