Bargain Hunting Raises Infosec Awareness
Getting Governments to Implement IT Security at a Discount
A new program aims to aggregate the purchasing power of local and state governments to buy IT security wares.
The program is known as the Trusted Purchasing Alliance, a new division of the Center for Internet Security, which operates the Multi-State Information Sharing and Analysis Center. The Alliance aids in identifying areas for improvement and assists in aggregate procurement of IT security technologies for state and local governments at a discount, says William Pelgrin, the Center's chief executive and founder.
The process is driven by two factors, he says. One is determining what technology areas government partners of the alliance deem important. The second factor is in identifying top IT security vulnerabilities. "There are so many low-hanging fruit that we can all improve our cybersecurity posture on," Pelgrin says in an interview with Information Security Media Group's Eric Chabrow [transcript below].
About three years ago, under Pelgrin's leadership, MS-ISAC pulled together a number of local and state governments to purchase at discount encryption technology, resulting in a combined savings of $40 million.
"When you look at what we do collectively, it's so rewarding when we can all come together for a common purpose," he says. For example, the encryption buy resulted in a savings of $40 million.
"That alone is wonderful," Pelgrin says. "But again more importantly these are very complex issues so a number of entities may not have the wherewithal to do that complex analysis of the technology."
In the interview, Pelgrin explains how the Alliance:
- Picks IT security wares to purchase;
- Vets IT security vendors and providers;
- Aids governments in contracting their discounted IT security purchases.
Pelgrin, known as the CISO's CISO [see Will Pelgrin: The CISO-Plus] when he was the top IT security official for New York State, founded the not-for-profit Center for Internet Security with the mission to enhance the cybersecurity readiness and response of public and private-sector organizations.
Besides the Trusted Purchasing Alliance, the Center consists of two other divisions: the Multi-State Information Sharing and Analysis Center, which serves as a key cybersecurity resource for the state, local, territorial and tribal governments in the United States, and the Security Benchmarks Division, which provides consensus best practice standards for security configurations.
Trusted Purchasing Alliance
ERIC CHABROW: What's the Trusted Purchasing Alliance and why did the center create this division?
WILL PELGRIN: We've all talked in the past about government - state, local, territorial government - and really we have a great ability to leverage our purchasing power to improve our cybersecurity posture, and since CIS's mission is to enhance the security readiness and response of those entities, it was really a natural sort of flow for us to look at being that Trusted Purchasing Alliance organization. It actually started out a while ago. I did probably 3-4 years ago an aggregate purchasing with the federal government for encryption, and what we were able to do is lower the cost for encryption across the board for everyone that participated, the state and local governments at the time. More importantly, it actually got people into implementing encryption that probably wouldn't have done it but for sort of that awareness that this aggregate buy was going on, the ease of the aggregate buy and the ability to partner with the federal government on it. The bottom line for what we were trying to achieve is, "How can we help entities in the government sector who are really overburdened with so much on their plate already?" This is a very complex area. How can we make it easier, more efficient and more cost-effective to improve the cybersecurity posture?
How the Process Works
CHABROW: How does this work? Do vendors go to the alliance and offer deals? Do you go to the vendors?
PELGRIN: Great question. This is driven by two factors. One is our membership. That's the state, local, territorial and tribal governments. ... We have surveyed our membership to see what's most important to them. Then the second factor is where the greatest vulnerabilities are out there. There are so many low-hanging fruit that we can all improve our cybersecurity posture on, like encryption, two-factor authentication and a number of issues that it really dovetails very nicely, and then all of those go back to the membership before we go forward. Then we go out to the vending community and see who the top-tier vendors are that can provide those services or products to the membership, and we drive it from that perspective.
CHABROW: So there's someone in your organization that says this vendor is the best in this area and let's go talk to them?
PELGRIN: We do a number of due diligence in that regard. We look at third-party analysts and then we use a peer committee of our membership to help look at that and then we move forward with those entities. And again, this is not exclusive deals. These are multiple vendors within the same sector that are providing those services, and then they produce a proposal and it could be time-limited because generally the discounts are significant for our membership. Then the membership looks at them. They do their due diligence and then they either buy or don't buy directly from that vendor. It really allows for this aggregate way of both ensuring that we're raising the bar consistently across the board on many issues of cybersecurity, but again at the same time trying to do it in the most cost-effective way when our dollar resources are limited.
CHABROW: Are there specific types of technologies that you're interested in at this moment?
PELGRIN: One of the things we did is we looked at where the most vulnerabilities come from as well. So when you look at data theft loss, when you look at a number of factors out there, encryption always came right to the fore. We're looking at encryption, new encryption buy. We're looking at two-factor authentication. We have a training one that's going on right now and it's really one of those that start to delineate where there's the most concern from a perspective of ensuring that these basic security precautions and procedures are in place. If you went to our Trusted Purchasing Alliance website, we have all of the call for proposals at this point in time listed on our website. It's everything from, as I said, patch management, application whitelisting, vulnerability management, mobile device management, things that anybody in the industry would probably pick these off as some of the top areas where we have to ensure we're as protected as we can be.
CHABROW: You're talking about a variety of different kinds of wares. You mentioned some things about training, so I guess that could be part of it, also hardware software?
PELGRIN: That's correct, absolutely.
CHABROW: Cloud services?
PELGRIN: Yes. When you look at what we do collectively, it's so rewarding when we can all come together for a common purpose, and when we did the first encryption buy, documented savings to local governments was $40 million-plus across the country. That alone is wonderful, but again more importantly these are very complex issues so a number of entities may not have the wherewithal to do that complex analysis of the technology. We can be very much assisting in that regard. CIS stood an entity that's agnostic to any particular vendor, that this is really a way to have a broker that allows for us to do it in a trusted environment.
CHABROW: Is there any problem from the local or state government's perspective of using an organization like yours as part of their contracting processes?
PELGRIN: Also a great question. The contracting laws across the states are all different. We did not have any issues relative to it - or no major issues I should say - relative to it during our first encryption buy that we did. We have done an analysis of the laws across all the states. They procure directly from the vendor, not through us, when they ultimately do purchase. So we're looking at that issue to make it easy for them to do this and there are some entities that have to have certain requirements in place, but so far we've met most of them as we've gone forward.
CHABROW: Anything else you would like to say about this subject?
PELGRIN: From a mission perspective, where we all want our country to be as secure as possible, this is just a wonderful example of a common approach, a real collaborative approach that's driven by memberships, that's driven by criticality, that's driven by our ability to commonly raise a security bar that really sees dramatic improvement very quickly.