Altruistic CISOs Employ Their Smarts to Succeed
Those challenges are intensifying because of the growing pressure on governments to become transparent, says Marilu Goodyear, chair of the University of Kansas Department of Public Administration - herself a former chief information officer, who coauthored the recently released study: Cybersecurity Management in the States: The Emerging Role of Chief Information Security Officers
"There is lots of talk about, 'We want that stuff on the web, we want the citizens to be able to see it,'" Goodyear said in an interview with GovInfoSecurity.com (transcript below). "Total area of data management is something that is really concerning this whole profession because it's really true that data wants to be free and it really moves quickly in the electronic format and it's just really hard to get a handle on how do you really begin to address those issues."
Several states have implemented data preservation initiatives to tackle the security implications. "There is lots of experimentation going on, but I'm not seeing out there right now one model or framework of how states will approach the whole electronic data problem," she said.
Among topics addressed by Goodyear in the interview:
- Specific non-technical skills state CISOs need to succeed;
- How different states govern IT security; and.
- Pros and cons of being a political appointee.
Goodyear, who earned her doctorate in public administration at the University of Colorado, served as the University of Kansas' vice provost for information services and CIO from 1999 to 2005. After a year-long sabbatical, she joined the university's Department of Public Administration as an associate professor and undergraduate program coordinator. For the past three years, Goodyear has been the department's chair.
GovInfoSecurity.com's Eric Chabrow interviewed Goodyear.
ERIC CHABROW: You co-authored a recent release study entitled Cybersecurity Management in the States: The Emerging Role of Chief Information Security Officers. What is the main takeaway of the study?
MARILU GOODYEAR: There is a tendency to think about approaches to IT security as controlling environments, kind of a command and control, but that is not really the strategy we are using to approach IT security anymore. The profession, which has existed for about 15 years, has really evolved as technology has evolved. When we use to have mainframe technology, we had a lot of control over what was happening because everything was centralized. Then we moved to personal computers, individuals got very much in the act because they had that computer on their desk. They could do with it what they wanted. They had lots of electronic data they could move around and manipulate, and that was when IT security was really beginning to be challenged in a great way because the control mechanisms were much harder. We could control network traffic, we could do defense in depth strategies. It was harder to just focus on controls, and that is when I think the IT security profession really began to think about this concept of informed individual actions.
Each technology user had to understand the importance of IT security, and understand what they individually needed to be doing to protect the data in the system. At that point, there was kind of this dual approach, a kind of controlled technology approach but also in education, individualized approach, and what we found in this study is that each state tends to kind of lean one direction or another. There are states using technology more to control and secure their environment and there are other ones where they are really, really focused on user education.
In our study, we gave some case studies. Colorado would be an example of a state that is still taking a technology and control kind of approach, centralization of services kind of approach to IT security. Delaware, on the other hand, has been a lot in user education and trying to inform users from K-12 through high school, state employees, etc.
We're moving past the personal computer and we've now got these things that are extensions of us. You know, I am never anyplace without my Trio no. The president always has his Blackberry with him, so you've got to find ways of securing these devices that are much more personal and much more multi-functional. And what the CISOs are finding in that kind of environment is that they really have to collaborate with each other and they have to develop skill sets where they are really able to gets lots of different people to work together to provide a defense mechanism for IT security.
The other major takeaway from the study besides the variations and the strategies that means that this person needs skill sets that are leadership in management and collaboration just as much, maybe even more, than the technical skill set that you would think of for this kind of position.
CHABROW: I was struck by that, if you look at the top 10 skills that the CISOs you surveyed felt they needed to succeed, none of them involved technology.
GOODYEAR: Yes, it's really very interesting. In our interviews there was lots of emphasis on the skill sets they needed to try to convince governmental managers and leaders to spend more time thinking about IT security. The skill sets they needed to convince people that this was really another role that they played. The public manager manages a service. They are an HR manager, they're a budget manager, they are a technology manager, and now they are a data manager. Now the focus is much more on what electronic data do we have, where is it, what parts of it do we need to protect, what parts of it don't have to worry about it at all because it doesn't really need protection? The skill sets to interact with those managers and help them see that broader framework and landscape of IT securities are really more communication skill sets, they are leadership skill sets, they are collaboration skill sets, they are conflict resolution skill sets. They are skill sets that are really very different from the technical ones that we've had.
CHABROW: The one that impressed me the most was political skills or at least understanding politics, and I suspect that it's different for a state CISO in dealing with government than say a federal CISO in respect that I believe in many states that the political leaders may not have the understanding or the appreciation of cyber security as they do in the federal government maybe in part because of homeland-security concerns?
GOODYEAR: Yes, I think there are a couple of differences. One certainly is scale. Individuals that work in pretty small states. They work in environments where they have the ability to reach out to the entire state government and actually get to know these individuals on an individual basis and really interact and develop a collaborative relationship with them that are very strong and personal. In other real huge states like New York or California, the collaboration is done more at a planning and a strategy level, more similar to what it would be at the federal level.
Many of the states CISOs are political appointees. Even their own jobs will leave or disappear depending on who gets elected governor and who is in office, so they definitely work within that political environment and have to pay attention to those political issues. And one of the things that we pointed out in our study, there has been some excellent work done on what skills are really necessary to be successful in collaborations across management within governmental organizations. Some excellent work done by Heather Taylor that is in our study, two of the things that came out of that, that I thought were particularly important in relationship to the political environment, was the absolute necessity of understanding everybody's motivations. When you are trying to get people to come to the table and pay attention to an issue or invest resources in the issue, to really target your argument toward what is going to motivate that individual as a really critical skill set.
And another skill set that she has identified that is particularly critical for collaboration is being very altruistic with resource sharing, bringing money to the table yourself if someone will also bring money to the table in to giving lots of other people credit for work that you might do in the political environment if there are accomplishments there. There is something there for those politicians to take credit for and to show progress when they are facing the voters the next time. Those kinds of skill sets really begin to play out in critical ways in these environments where we are dealing with the political actors as well as the state employees.
CHABROW: Does it make a difference whether they are politically appointed or not?
GOODYEAR: The feedback that I believe we got in our interview processes during this study was that there are pros and cons of both ways of approaching it. There is certainly a big pro being an political appointee in the sense that you are that governor's person and you are accessed to the governor, your ability to use that bully pulpit to help accomplish what you are trying to accomplish is certainly increased if you are that person's person, and if you are part of that political team. On the other hand, if you are not a political appointment, it is potentially easier to work with some of the agency heads because you might be there longer and be able to establish credibility with the agency heads and to really be somewhat independent of the political changes that are taking place, and there is certainly a real advantage in that, having that kind of a position as well.
CHABROW: The governance of IT security varies from states to states. You mentioned some are sort of decentralized, others there are actual control over that. What would you say are the main problems that CISOs regardless of how it is governed share?
GOODYEAR: Certainly on getting their resources they feel like they need to address the issues that need to be addressed. That is not unique to chief information security officer; all of IT and actually all of the agencies feel like they need more resources to really accomplish their missions. Resources were mentioned a lot in our interviews.
The other major problem that CISOs really think that they face on a regular basis was the increasing variety and type of electronic data that they collect, maintain, preserve, distribute, distribute increasingly more distribute with all of the pressure at the state level and federal level for more transparency with what government is doing. So there is lots of talk about, we want that stuff on the web, we want the citizens to be able to see it. Total area of data management is something that is really concerning this whole profession because it's really true that data wants to be free and it really moves quickly in the electronic format and it's just really hard to get a handle on how do you really begin to address those issues
A few states that have initiatives where they are working on various aspects of that. Colorado has a data initiative that has gotten some good publicity and they are kind of leading the way with some frameworks on how to approach that right now. Kansas is working on some data preservation issues. How do we make sure that this data stays around and how do we keep it around in a safe secure way? So there is lots of experimentation going on, but I'm not seeing out there right now one model or framework of how states will approach the whole electronic data problem.
CHABROW: How do state CISOs look to Washington for leadership?
GOODYEAR: We found in our interviews in talking to CISOs that there was a lot of diversity in how people viewed the relationship between, not only levels of government, but the sectors. There were some CISOs that had very collaborative relationships with Homeland Security, federal partners within their state, with private sector partners in their state, with non-profit sector partners, education partners. There were others who felt some frustration in there wasn't enough planning and strategy management between levels of government that says we're kind of doing their own thing and not really understanding state needs and vice versa.
One of our recommendations in our study is that this is an area that we really feel like the chief information officers of the state need to be sitting down with their federal counterparts and players and trying to work out some strategies and frameworks for collaboration. And I know that has been happening within National Association of State CIOs. NASCIO has been taking the lead in trying to help CIOs do that. There is work on the way to address that problem, but there is a real diversity of view as to what roles the federal government should be playing. I think it's going to take some sitting down and really talking through what that role really should be and how it might work for the states.
That's a hard problem for the federal level, I believe, because the states are very diverse. Their size, their complexity, the way they approach issues is all very different. It's definitely not going to be a one time fix all approach.
CHABROW: Anything else you would like to add?
GOODYEAR: Each profession kind of has it's culture in how it approaches issue and another challenge I think for CIOs and CISOs is building this collaboration with Homeland Security officials, of the fusion center people, the investigative bureaus of the states like the Kansas Bureau of Investigation, the National Guard folks, the emergency management folks, trying to make that all work as a whole in homeland security areas is a real challenge and I think there are mechanisms that are happening now like the fusion centers and like the ISACs (information sharing analysis centers) which is the information security regional groups. Those have been very successful so far in getting those conversations going and getting the connections made, and beginning to get the collaboration going.
What we heard in our study, is people thought we need a lot more of that. We need to spend more time and put more resource into those efforts to make sure that we're communicating across all these disciplines that are really jointly in a very integrated way responsible for security.