The CISOs CISO: Part 2
Pelgrin doesn't have sleepless nights, in part, because of his efforts to educate the officials who control the state's purses strings - the governor, executive branch commissioners and lawmakers - about the need to be proactive about information security.
He'll attend legislative hearings or conduct briefings for New York State officialdom, explaining cybersecurity challenges in terms non-technology officials understand. "We made it really crystal clear for them: just because you don't have someone breaking into your home, you don't take the locks off of your door or off of your windows and put a sign up saying, 'Come on in.'" Pelgrin said in the second of a two-part interview with GovInfoSecurity.com (transcript below).
(In the first part, Pelgrin discussed the synergy between safeguarding IT and physical infrastructures and the need for government and business to work together to ensure cybersecurity.)
Educating state officials and employees means much can be accomplished to secure government IT assets at a time when the state governments don't have the money to invest in new protective technologies.
In the interview, Pelgrin - one of the nation's most respected chief information security officers - also outlines steps government agencies can take to secure information systems and data within current budget limitations as well as ways to safeguard IT assets when employees use social networks.
Pelgrin spoke with Eric Chabrow, managing editor of GovInfoSecurity.com.
ERIC CHABROW: We are in a recession and budgets are tight all over, especially among the states. Are there sufficient funds to properly secure government IT and the nation's critical IT infrastructure?
WILLIAM PELGRIN: It is a great question. Here is my concern, because of the fiscal situation that we are in, and I am talking about state and local governments, I am not talking about the federal level, but at the state government level cybersecurity is resonating. When we think about cybersecurity from a component of an industry, we are very young still; computers only came in during the late '60s, from a mass production perspective. You know, when I started in state government in 1982, I didn't even have a computer, so when you think where the government was and where it is now, relative to technology and dependence on that technology, we are relatively new.
With that said, the concern I have with cybersecurity is that it is very difficult to touch, feel, see. We know we are going to get hit, but we don't know when, we don't know how and we don't really know where it is going to come from sometimes. While we live in that environment all the time and we are used to that and we are monitoring local and state governments and we are looking at 6.5 billion logs a month, I am used to all of that environment and analyzing that and coming up with appropriate approaches to deal with what we see.
But for those that control the dollars, however, sometimes because they may not see an impact or an effect as when they are looking to cut corners that they may say, "Well, we haven't had an impact" (that they know of) "and therefore maybe this is an area where we maybe can have a cost savings." That is my concern.
I am pleased in New York that we held in June an executive briefing for all commissioners. We had an overwhelming response to that and 150 individuals and 55 state agencies attended. We always visualize this for the executives so they can see what is going on within their environment so they know what the impact is. We made it really crystal clear for them: just because you don't have someone breaking into your home, you don't take the locks off of your door or off of your windows and put a sign up saying, "Come on in."
These safeguards that we have in place, these multiple layers which are absolutely essential since no one layer is protected in and of itself that you have to have these layers which are absolutely essential for the purpose of continuing our security. When we can show where there have been incidences of impact globally, it starts to resonate and it starts to say, "Okay, we have to be as vigilant and resilient at possible." But, it is a concern.
It is like one of the things that I preach about internally within the entities that I have responsibilities for in New York: the concern that we never fall in that sort of complacency. Because you haven't seen something or there a few agencies doing relatively well and it hasn't been a target, that doesn't mean tomorrow you are not going to get hit. I am very fortunate that the governor has been incredibly supportive of this issue and a real leader on the cybersecurity front. That gives me the flexibility to continue to move forward even in the fiscal climate that we face today.
There are a lot of things we can do that are not very expensive, while you always hear the excuse of well it is going to cost too much money. A lot of this is about management and not about technology. A lot of this is about how we think and how we act that costs almost nothing for us to implement. While yes there are fiscal issues, I am also out there saying there are a lot of things that you can do.
For example, meet monthly with your information security officer. Meet monthly with your chief information officer. Sit down and ask the following questions: What is going on in my environment? What data do we have? Who has access to that data, especially if it is personal, private and sensitive? How do they have access to it? How can it be transmitted? How can it be transported and how is it stored at risk? Have we had any incidents? What were those incidents? What was the impact relative to it?
Start building in at an executive level that awareness on these issues that they need to have at the executive table and don't push it down to a technology because it is not about the technology. If it is about the technology alone we will loose.
CHABROW: What kind of briefing sessions to you hold with the legislature?
PELGRIN: If you can't tell by now, I am a big one about sharing information and love what I do. I offer frequently to do cybersecurity briefs, either threat analysis, compliance analysis or just a general situational awareness level for anyone in the legislature who would like to have that. We have had hearings in the past and I am very big on making sure that is about full disclosure.
Sometimes that full disclosure is an executive session because of the nature of what you may be discussing, but generally, I think we over classify stuff and we tend to over estimate the impact of some information being out there. There is appropriate stuff that should not be out in the public domain, per se, that you don't want to get into the bad guys hands. But from a legislative perspective, they should know everything and I am actually proactive in ensuring that we provide that information to them whenever they want it in a format that they would like to have it. I have tried very diligently to make sure that it is in plain English and that it is in visually understandable components. Because again, when you start talking about Java obfuscation and SQL injects, eyes can roll very quickly and understandably. What I say is no, let's put it in a way that people can understand, including myself, and that means showing them what it is to take over a system. Let's show them visually how we can take over a system, what that means and what are the impacts relative to that.
CHABROW: Anything related to cybersecurity that keeps you up at night?
PELGRIN: I sleep at night. Again, it is changing so quickly that a philosophy of how I do my office is that we plan and we look out, because you have to look to some degree out in the future, but it can't be out so far that you become wedded to a path that is going to take you down the wrong road.
One of the newest things, of course, is the new word of the day, Twitter, I am not criticizing Twitter or any of the other social networking sites. My goal, as we deploy, is to say let's make sure everyone is aware of the appropriate uses of those technologies and what are the potential vulnerabilities, but also challenges in those and make sure that we have good behavioral practices as we use them.
For example, if we are telling people don't click on a link from an untrusted source, we want to make sure that carries over when you start looking at social networking sites as well. It is that sort of bringing together situation awareness. A process that as you deploy these new technologies, which really do in many cases make our lives better, more efficient, but at the same time that we do it in a smart way and a secure way.
That as they deploy those that they take into account the following issues. What are the appropriate uses? Because if I can't go on my desktop when I am connected to the Internet to certain sites, I shouldn't be able to do that when I am on a social networking site as well. You need to make sure that that acceptable use policies and that the actual implementation of that is done in a way that protects your enterprise as best as we can depending on what the current malware or malicious activities are that going out into cyberspace.
The last is data theft, data loss, data leakage. It is rampant. Over 260 million-plus records have been reported as accessed. It is almost becoming a rite of passage. When I ask in presentations how many people have had an access issue, have had breach of information or have gone and had to get a new credit card, it used to be you would see one; now, so many people are raising hands when you ask that question.
As a society, we have to start questioning ourselves and say, "Okay, we shouldn't be in that state. We need to be better at what we do." There are certain things that are outside our control, right? And there are other things definitely within our control. One of the things that is in our control is knowing what information you have, knowing what you do with that information, knowing who has access to that information and protecting it the best way you can.
We don't always ask those questions, so information data classification is absolutely essential. It seems daunting, but it really has to be done because I don't know how you protect data if you don't know what data you have to protect.
We made a decision in New York that all laptops need to be encrypted regardless of personal, private or sensitive data because that mobile device is so easy sometimes to have data put on it. We don't want to have a human accident where it wasn't anybody intentionally trying to do something but for the fact that they were doing their job now created a potential vulnerability because they had personal, private and sensitive data on a machine that is not encrypted.
There are ways that we need to look at it. We have data encryption policy that I am very pleased has been out there for about two years. We started with mobile devices and things that are the most easy to go stray, a rogue out of your system, and then work our way to things that are much more permanent, sort of almost fixed to your infrastructure. It has really worked well for us. We shouldn't put up with the fact that just because everybody is getting a new credit card at some point in time from a breach that that's the right thing or that is just the normal thing. It really isn't. We need to do better.