Creating an IT Security Culture - Interview with Vermont CISO Kris Rowley
"People have their own domains, and they're the lord of their domains, and that's where they feel comfortable," says Rowley, who's been on the job since last September. "Part of that is a trust issue, as well. There's now an office of CISO in the state, and that's new to people. That involves change, and as we all know, change is difficult."
In an interview with GovInfoSecurity.com Managing Editor Eric Chabrow, Rowley discusses how she plans to change old habits by fostering an information security culture in Vermont, as well as working to codify information assurance policies and procedures and looking to Washington for guidance and money.
ERIC CHABROW: Unlike the federal government, Vermont does not have the equivalent of FISMA, the Federal Information Security Management Act regulations or Office of Management and Budget directives to guide agencies in assuring information systems and data are secure. What is being done in Vermont to provide such information security compliance?
KRIS ROWLEY: Security in the state of Vermont is very young right now. I have been in this position for approximately seven months. I am still in the discovery phase of exactly what needs to be done. I have worked with the Secretary of State's office and talked about some things that are going to need to go to the legislature. My direct report, who is the CIO of the state, has some thoughts and ideas of things. Right at the moment nothing has actually been moved into the legislature to have any kind of codification occur at this time.
CHABROW: What are some of the big challenges Vermont faces in securing IT and how are you addressing them?
ROWLEY: There has been a lot of stove-piping and we are trying to move more toward an enterprise architecture right now. Getting people out of their stovepipes and starting to work interagency as well as intra-agency is a challenge. People get into the "well this is the way it has always been done" mentality and sometimes it is difficult to get people to move out of that. People have their own domains and they are the lord of their domain and that is where they feel comfortable.
Part of it is a trust issue as well. There is now an office of a CISO here in the state and that is new to people, and that involves change, and as we all know change is difficult. But mostly, one of the largest difficulties is the stovepiping of agencies at this time. Also, the fact that there really has not been a solid security office in this state has made it difficult. People don't know that I am here or that my office is here, and they don't always think to consult with me before they start standing up an application, as they are writing design documents and things like that. But it is getting better, actually quickly.
People are happy and very encouraged to have someone in this position and to have someone to turn to and say, well what should I do about x, y or z, or how should I handle that, what is the best practice.
There is a lot of policy writing that needs to be done. There is a lot of evaluation, risk assessment, risk analysis, those kinds of procedures need to be stood up and then put on schedules and help various agencies with identifying their strengths and identifying their weaknesses. Those kinds of things are going to be a challenge, especially in the times of cutbacks and the economy on a downslide because resources have been cut back, people have been cut back and so that is another big challenge right now.
CHABROW: When you discuss the problems with stovepiping, why is that a problem for information security?
ROWLEY: People look within their own realm. Networks and function in business, in general, don't live in a vacuum. Agencies are connected or interconnected in various different ways. And, if each agency is out there doing their own thing without consideration of how is this going to impact another agency or another department or even departments within agencies, then you end up having these huge gaps in security.
One of the things that we are working very hard toward is centralization of our databases and things like that to try to consolidate, which economically saves money, but it also makes it a little more efficient in the security realm. If you can standardize what applications are used or standardize what procedures are going to be followed, even something down to as simple as what USB drives we are going to use and how they are going to be encrypted, and what application is going to monitor that, you can't function in that way in a stovepipe.
It is very important that we try to open that up and get some communications going. Also, we have resources across the state that can be shared and right now in some instances that is not happening. That is a waste of resources; it is a waste of a lot of people's energy in having these individual little stovepipe areas working in their own vacuums.
CHABROW: With the president about to announce some kind of cyber security initiative and Congress looking to reform FISMA, what kind of impact would or could that have on states like Vermont?
ROWLEY: Vermont specifically is going to be in a reasonably good position when that comes out. We are working toward all of the right things. We are getting our policies in line, lining up our ducks in a way that the federal government is going to request that things be done. We make sure that we have gotten our licensures taken care of. I do keep watching what is going on with the federal government and where they appear to be heading and try to make sure that Vermont is heading in the same direction so that when mandates do start coming out, we will be there or at least well on our way to what the government is looking for. I think overall we are going to be fine.
CHABROW: Is there anything the federal government should be doing to help states in implementing cybersecurity?
ROWLEY: I really would like to see the federal government give IA (information assurance) and IT areas the funding that it needs to support the technology that it is going to need, the people power that is going to be required, even down to people who are educators within information security.
Like here in Vermont, I have put up a website, a public-facing site, to try to teach the citizens as well as employees about information security. We have security training programs for employees. But it is very difficult to get that word out statewide without some more resources. Stimulus packages seem to go in directions that aren't always looking at and focusing on technology. I guess some financial support is what would be my ultimate answer.
CHABROW: The idea now is that you help establish some sort of a base for information security and then from there they could decide how to organize it, how to govern it?
ROWLEY: Yes. That is probably what we are going to end up doing. To have an organization of CISOs within the state, we can do that. That would probably be a good thing. That would be cross-industry people, and I am assuming that most CISOs have many of the same challenges that they have to deal with no matter what industry they are working in, whether it is government or private industry.
The national CISO and national CIO groups have for me been very helpful, to turn to some of them and say how do you handle certain situations; what are you doing about setting up your risk analysis, or something like that. That has been extremely helpful.
I don't know if we are going to be getting a group of CISOs or CIOs in the state of Vermont in the near future, but it is certainly something that may be coming down the road with the federal mandates.
CHABROW: What the federal government is doing, would you say that will influence states a lot? What the Obama Administration and what Congress decides?
ROWLEY: Yes. I think so. It is going to standardize a lot of things. But I also think it is going to increase communications between states and it is going to, I believe, help states align with each other on a security level.
Right now, I was talking about the agencies within the state of Vermont being stovepiped. There are groups out there, organizations that are trying to sort of fix the stovepipe situation within the state. They still are pretty stovepiped. People don't talk to each other or relate situations and incidents that may occur very willingly. There is also a sense of mistrust, which if you are a CISO, you have reason to mistrust.
I was at a conference, where a person got up in front of us and said I don't trust anyone in this room. Well, that sounded rather glib at the time, but she had every reason to say that.
States are going to have to start communicating better and we are going to have to start sharing some resources. There is going to be a tremendous amount of work that needs to be done and nobody wants to reinvent the wheel every time something needs to be stood up. There will be some good things that come out of this as far as communications within states, innovation of information and information sharing.
The other part of it that is going to be more of a downside is people are going to be scrambling to try to meet regulations or standards that maybe, for individual reasons, they can't or maybe they don't have the resources to do it at the time. That is going to be a large challenge I think for a lot of states.
CHABROW: What has surprised you the most about information security in Vermont since taking office?
ROWLEY: Well, I have to say that the biggest surprise, and it has been a very pleasant surprise actually, is that people from the governor down are very supportive of information security. They are actually aware of it. It is nice to have support from the top down.