Michigan's Pass-Fail IT Security Challenge - Interview with Michigan CTO Dan Lohrmann
Michigan is spending significantly less on IT, about $400 million; that's 20 percent less than it did a few years back, CTO Dan Lohrmann says in an interview with the Information Security Media Group (transcript of interview below). But that's mostly due to the centralization of IT operations, he says; for instance, the state reduced the number of data centers to three from 38. And spending on IT security has risen; cybersecurity represents 2 percent of overall IT spending vs. 1 percent five years ago, he says.
Lohrmann says Michigan IT leaders have made a strong business case to state appropriators for the need for increased IT security spending. "The threat environment has changed so dramatically," says Lohrmann, who served seven years as state CISO. "We are seeing more malware than ever before, more attacks than ever before, a greater need to protect information, more compliance regulation than we've had. We've had more laws around data, more requirements and there are more expectations. People have more and more mobile devices.
"We have been able to make a good strong case for security in Michigan and build a good, strong team. I certainly would love to have more money than what we have right now, but I think we have done fairly well in a very, very difficult budget environment."
Also in the interview with GovInfoSecurity.com Managing Editor Eric Chabrow, Lohrmann says that preventing data loss is among the biggest IT security challenges Michigan faces and that, like its federal counterparts, the state relies on the Federal Information Security Management Act and guidance from the National Institute of Standards and Technology to keep IT safe. One advantage, Lohrmann concedes, the state has over its federal counterparts: Michigan isn't graded on compliance by the Office of Management and Budget.
ERIC CHABROW: What is the biggest information security challenge Michigan faces?
DAN LOHRMANN: One of the top ones is the data loss prevention area. The role that individual employees play, whether it be USB drives, whether it be information in e-mails and social networking online, and we have a several-pronged approach to that.
We put some tools in place to be able to look at data loss prevention. Over the last couple of years, we've done quite a bit with everything from encrypting laptops to making sure that we have policy enforcement at the endpoints looking at outgoing e-mail and doing pattern matching and things to look for people putting sensitive information in documents and things.
It is a real challenge for us for a variety of reasons because we have not locked down USB drives like some people are thinking the federal government has done. In some areas we have done it with certain individual situations, the financial data in some business areas, but for the most part, there is a lot of training that we have had to do and we have gone on a massive cultural training approach on helping people understand what the impact of their actions are.
CHABROW: In regards to USB drives, are you concerned about data loss or the introduction of a virus?
LOHRMANN: All of the above. Certainly, it is data loss prevention. It doesn't necessarily mean it is intentional, but it is the insider threat. People think they are doing the right thing by bringing a Word document home with them - maybe that has some sensitive information on it - and use a home PC; they can certainly bring a virus back into the enterprise. We do have some protection mechanisms in place on devices to look for endpoint viruses and things.
Once you have brought sensitive information outside of the enterprise, in Michigan that is the definition of a data breach - as defined by the Michigan Identity Theft Protection Act - because we no longer control those home PCs, so we don't allow any sensitive information to leave the enterprise. We have requirements around reporting loss of data and things like that. It is really a lot around training, and putting protections around endpoints and systems to help people be aware of what they are doing and what the impact is.
We can encrypt laptops and they can use those at home for sure. I think the challenge is how to protect the mobile data.
CHABROW: The nation's economic problems have severely hit Michigan. What is the impact of the economy on getting the funding to properly secure IT in Michigan?
LOHRMANN: We have been very fortunate up until now. Going forward, I think it is going to be a continual challenge. We are getting some stimulus funds to help us in some special areas, like broadband and health IT, and we are optimistic. We have been able to get some federal grants. Over the last five years, we got over $6 million in Homeland Security grant dollars to help us with over 30 cybersecurity projects.
Even though the economy has been very hard, our government has centralized all of IT into one department. We have taken $100 million out of our annual spend in IT. We have gone down from about $500 million to about $400 million a year. In IT spending, we have been able to be more efficient by closing data centers. We have gone from 38 data centers to three and we have done some other things that have enabled us to apply more money to security in the data centers that are left. Those three data centers all have generator backup power now, for example; they all have procedures and processes in place that are more consistent than we had before. We have been fairly fortunate and we have made the business case for security to enable better processes with the reduced amount of IT spend that we do have. So overall we spend about 2 percent of our IT budget on security, which is up from about 1 percent five years ago.
CHABROW: Why has the proportion of the IT budget on security risen?
LOHRMANN: We made the business case that we need. The threat environment has changed so dramatically. We are seeing more malware than ever before, more attacks than ever before, a greater need to protect information, more compliance regulation than we've had. We've had more laws around data, more requirements and there are more expectations. People have more and more mobile devices.
We have been able to make a good strong case for security in Michigan and build a good, strong team. I certainly would love to have more money than what we have right now, but I think we have done fairly well in a very, very difficult budget environment.
CHABROW: The federal government has the Federal Information Security Management Act, National Institute of Standards and Technology and Office of Management and Budget. What is the equivalent in Michigan?
LOHRMANN: For the most part we do follow FISMA and use a lot of NIST standards. That is our framework model: 60 percent of our IT spending comes from federal dollars so we support a lot of federal programs, everything from roads, transportation to Medicare, Medicaid programs, and we implement federal programs so we have to meet federal regulations and many of them follow the FISMA standards.
We also use a lot of credit cards and online government so we follow payment card industry standards. We were one of the first states to be enterprise-wide Payment Card Industry compliant, in April 2008.
CHABROW: Many federal officials complain that FISMA requires a lot of paperwork but doesn't really secure government IT. Have you found that?
LOHRMANN: I don't think we have the same level of oversight around reporting in FISMA. Certainly it is a lot of paperwork and we have had a lot of federal auditors come through, and state auditors as well, who really want to see the paperwork backup to different aspects of security and logging and the processes and procedures and identity management just in so many different areas.
We haven't been held to the same level of grading [as have federal agencies], but I would agree that FISMA needs some modifications and I hope that the Obama administration takes that on as a task and makes it more pragmatic for a lot of agencies that think there are some lower-cost ways they can secure things.
CHABROW: Do you have regular audits of your IT systems for security and if so who conducts them?
LOHRMANN: We have some federal auditors that come in and do auditing of us and we have had just about every federal program's auditors come through. We have the state auditor general, which is on our legislature side, that comes in; we also have internal audits. So absolutely, we get audited a lot. We get to know our auditors pretty well.
There are some audits just of the Michigan Department of Information Technology, our part of the program, and in some cases it is a joint audit where we are audited with the agency [whose program we support]. It is a fairly frequent process that we have two or three audits going on at the same time.
CHABROW: What do you think of President Obama's cybersecurity plan?
LOHRMANN: I am pretty excited about it. The implementation is going to be a real challenge. It sounds to me as if they are taking the recommendations of the Cybersecurity Commission for the 44th Presidency and implementing a lot of the same types of recommendations and findings. We are optimistic that this is the right task. I think obviously we want to see actions implemented and hopefully that will start playing out here in the next few months.