Profiles in Leadership: What it Takes to Be a State CISO in Changing Times
Following are profiles of three state CISOs who have grown from tacticians into strategic leaders. They share their experiences, responsibilities and challenges, offering advice to security professionals who aspire to similar leadership roles.
Daniel Lohrmann, Michigan: People Skills Are a Must
"My role as a CISO helped me to be where I am today. This position taught me to embrace the unexpected to be an effective leader," Lohrmann says. "As a CISO I focused my energies on making a positive difference by building a secure and reliable cyber infrastructure, broadening my perspective on risk and trying to understand the business point of view."
Lohrmann became Michigan's first CISO after leading the state's award-winning $30 million e-government initiative, which consolidated 19 state agency websites. Few states had CISOs at the time, so Lohrmann had to define the role himself, and it became a model for others.
His main objective as a security leader is to be proactive about security rather than respond to crises after they happen. During his tenure as CISO, his primary focus was on user education, emergency management, investing in tools and resources to detect and prevent cyber attacks, effective risk assessment procedures and implementing payment card industry compliance. He also spent substantial time developing strong relationships with federal agencies. "On a personal level, I've been able to establish relationships with people and get the kind of information we need," Lohrmann says. "The groundwork is laid now for information sharing to become much better and more efficient than it has been."
His greatest challenge has been finding qualified security professionals who combine a business focus with good communication skills. "There just aren't folks out there who have this combination of security, risk and compliance we look for," he says. "One needs to have a solid grounding in technology to be a CISO. But to be an effective CISO, management and people skills are extremely crucial."
State CISOs need to develop business cases for continuing investment in IT security and present those cases to non-IT audiences to win buy-in for security initiatives and projects. "To be a state CISO, security professionals need to have people skills, or they will have a big problem."
Mike Russo, Florida: 'Managing Risk is All I Do'
"Managing risk is all I do," Russo says. He plays an active role in understanding the business needs of state departments and in showing how IT security can help them succeed by managing security risk.
His daily activities as a CISO go beyond understanding and implementing technology to include hiring and managing staff and managing security incidents and risk. His role also covers overseeing IT forensics and investigations, providing strategic vision for the state and measuring the return on investment in information security to justify, as Russo says, "why security is important."
Under his leadership, the office of information security has taken a statewide approach, bringing together all branches of state government to address one common issue: cybersecurity. He believes in continuous learning and allocates significant federal grant funding toward professional training of IT security practitioners in incident response, security governance, policy and risk management.
Despite the authority and influence of his position, Russo faces the challenge of a tight security and IT budget, which often interferes with his efforts to secure the state departments effectively and hire qualified staff to carry out IT security operations.
"My biggest challenge has always been money," he says. "More often than not, we don't have resources to do what we want," he adds. However, he is currently involved with significant state consolidation issues and is looking into adopting technologies like cloud computing and virtualization to increase efficiency of services.
He advises security professionals aspiring to this leadership position to earn either the Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM) certification together with the Project Management Professional (PMP), and to pursue academic qualifications in IT and information assurance with a focus on business.
"In a CISO's role, individuals need to have the ability to determine what constitutes risk and the requirement to report that risk to executive decision makers," says Russo. Generally, these skills have been lacking in traditional, technically oriented information security leaders. "Today to succeed as a CISO, security pros need impeccable soft skills and business focus to interface between business units and the technicians doing the job."
Kym Patterson, Arkansas: Ingrained in Security
"I am accountable for making state organizations aware of potential risks and the threat landscape, and in building security into everything state agencies do," says Patterson.
As CISO, she is actively involved in security awareness and education initiatives with the governor's office, state agency leaders and legislators to create and maintain a secure IT framework. She stays on top of all mandates and regulations that apply to state departments, and focuses on risk mitigation strategies and on the technology, procedures and methods that can be put in place to protect the IT security infrastructure. She also plays an active role in overseeing disaster recovery and business continuity plans for Arkansas agencies, boards and commissions.
"My role demands being ingrained in information security so that people can understand what security means and what their responsibilities are," Patterson says.
She strongly believes in working closely with industry and peers to create and enforce IT security policy and procedures effectively. "It is absolutely critical that we have excellent working relationships with federal agencies like the Department of Homeland Security and the National Security Agency to be successful," she says. She actively participates in the Multi-State Information Sharing and Analysis Center, the NASCIO information security and privacy committee and the National Association of State Telecommunications Directors special interest group.
Her challenge has been implementing and maintaining compliance with all federal and state mandates and regulations, as well as staying abreast of newly emerging technologies and services. "A decade ago, a majority of the security activities would originate from the operations group. But over these years the level of focus has changed significantly. Today, there exists a strong need for acquiring technology like cloud computing to make educated decisions to secure the organization and mitigate apparent risks," Patterson says.
She advises security professionals to understand the importance of communicating information security to non-technical people, explaining to them what happens when security is absent from an organization. She also urges them to stay current and visible in the industry by maintaining an effective network, participating in conferences and events, and developing good contacts, especially at the federal level.
"The main attraction for security professionals to join the government is the breadth and depth of experience it offers that most businesses cannot replicate," she says. "Also, folks who are passionate about security and their country are found here, who want to have a meaningful profession and work for something that is important to the government."