Profiles in Leadership

What it Takes to be a State CISO in Changing Times
In government, as in business, information security has evolved into an increasingly strategic role. And state CISOs, like their private sector counterparts, are now pushed to add more managerial, policy and political roles to their existing technical duties.

Following are profiles of three state CISOs who have grown from tacticians into strategic leaders. They share their experiences, responsibilities and challenges, offering advice to security professionals who aspire to similar leadership roles.

Daniel Lohrmann, Michigan: People Skills Are a Must

Daniel J. Lohrmann is the Michigan Chief Technology Officer (CTO) and Deputy Director of the Infrastructure Services Administration within the Michigan Department of Technology, Management and Budget (MDTMB). In this role, he oversees all aspects of IT infrastructure and enterprise architecture for state government agencies. Prior to becoming Michigan's CTO, he was the state's first Chief Information Security Officer (CISO) from May 2002 until January 2009.

"My role as a CISO helped me to be where I am today. This position taught me to embrace the unexpected to be an effective leader," Lohrmann says. "As a CISO I focused my energies on making a positive difference by building a secure and reliable cyber infrastructure, broadening my perspective on risk and trying to understand the business point of view."

Lohrmann became Michigan's first CISO after leading the state's award-winning $30 million e-government initiative, which consolidated 19 state agency websites. Few states had CISOs at the time, so Lohrmann largely defined the role himself, and it became a model for others.

His main objective as a security leader is to be proactive about security rather than respond to crises after they happen. During his tenure as CISO, his primary focus was on user education, emergency management, investing in tools and resources to detect and prevent cyber attacks, effective risk assessment procedures and implementing Payment Card Industry (PCI) compliance. He also spent substantial time building strong relationships with federal agencies. "On a personal level, I've been able to establish relationships with people and get the kind of information we need," Lohrmann says. "The groundwork is laid now for information sharing to become much better and more efficient than it has been."

His greatest challenge has been finding qualified security professionals who combine a business focus with good communication skills. "There just aren't folks out there who have this combination of security, risk and compliance we look for," he says. "One needs to have a solid grounding in technology to be a CISO. But to be an effective CISO, management and people skills are extremely crucial."

State CISOs need to develop business cases for continued investment in IT security and present them to non-IT decision makers to get buy-in for security initiatives and projects. "To be a state CISO, security professionals need to have people skills, or they will have a big problem," he says.

Mike Russo, Florida: 'Managing Risk is All I Do'

Mike Russo is the CISO for the State of Florida. He has worked in state government for more than 36 years, serving the Auditor General, the Florida Department of Law Enforcement, the State Technology Office, the Department of Management Services and the newly formed Agency for Enterprise Information Technology. He is responsible for the strategic direction of information security for Florida and for leading the information security managers in all state agencies in the areas of information security policy, training, risk management, domestic security coordination, incident response and survivability.

"Managing risk is all I do," Russo says. He plays an active role in understanding the business needs of state departments and in showing how IT security can help those departments manage their security risks and succeed.

His daily activities as CISO go beyond understanding and implementing technology to hiring and managing staff and managing security incidents and risk. His role also includes overseeing IT forensics and investigations, providing strategic vision for the state and measuring the return on investment in information security to justify, as Russo puts it, "why security is important."

Under his leadership, the office of information security has taken a statewide approach, bringing together all branches of state government to address one common issue: cybersecurity. He believes in continuous learning and allocates significant federal grant funding toward professional training of IT security practitioners in incident response, security governance, policy and risk management.

Despite the authority and influence of his position, Russo faces the challenge of a tight security and IT budget, which often hampers his efforts to secure state departments effectively and to hire qualified staff to carry out IT security operations.

"My biggest challenge has always been money," he says. "More often than not, we don't have resources to do what we want." He is currently involved in significant state IT consolidation efforts and is looking at technologies such as cloud computing and virtualization to increase the efficiency of services.

He advises security professionals who aspire to this leadership position to earn either the Certified Information Systems Security Professional (CISSP) or the Certified Information Security Manager (CISM) certification along with the Project Management Professional (PMP), and to pursue academic qualifications in IT and information assurance with a focus on business.

"In a CISO's role, individuals need to have the ability to determine what constitutes risk and the requirement to report that risk to executive decision makers," says Russo. These skills have generally been lacking in traditional, technically oriented information security leaders. "Today to succeed as a CISO, security pros need impeccable soft skills and business focus to interface between business units and the technicians doing the job."

Kym Patterson, Arkansas: Ingrained in Security

Kym Patterson is the CISO for the State of Arkansas. In this role, she is responsible for setting information technology security policy for state government and for overseeing the state cybersecurity office, which monitors and protects the hundreds of public organizations on the state network. Patterson is also responsible for the Arkansas Continuity of Operations Program, which offers training and tools to more than 1,700 continuity planners throughout the state. She is the past president of the InfraGard Arkansas Members Alliance and has more than 16 years of government experience in the IT sector.

"I am accountable for making state organizations aware of potential risks and the threat landscape, and for building security into everything state agencies do," says Patterson.

As CISO, she is actively involved in security awareness and education initiatives with the governor's office, state agency leaders and legislators to create and maintain a secure IT framework. She stays on top of all mandates and regulations that apply to state departments, and focuses on risk mitigation strategies, technology procedures and methods that can be put in place to protect the state's IT infrastructure. She also plays an active role in overseeing disaster recovery and business continuity plans for Arkansas agencies, boards and commissions.

"My role demands being ingrained in information security so that people can understand what security means and what their responsibilities are," Patterson says.

She strongly believes in working closely with industry and peers to create and enforce IT security policy and procedures effectively. "It is absolutely critical that we have excellent working relationships with federal agencies like the Department of Homeland Security and the National Security Agency to be successful," she says. She actively participates in the Multi-State Information Sharing and Analysis Center, the NASCIO information security and privacy committee and the National Association of State Telecommunications Directors special interest group.

Her challenge has been implementing and maintaining compliance with all federal and state mandates and regulations, as well as staying abreast of emerging technologies and services. "A decade ago, a majority of the security activities would originate from the operations group. But over these years the level of focus has changed significantly. Today, there exists a strong need for acquiring technology like cloud computing to make educated decisions to secure the organization and mitigate apparent risks," Patterson says.

She advises security professionals to learn how to communicate information security to non-technical audiences, explaining what happens to an organization in the absence of security. She also urges them to stay current and visible in the industry by maintaining an effective network, participating in conferences and events, and developing good contacts, especially at the federal level.

"The main attraction for security professionals to join the government is the breadth and depth of experience it offers that most businesses cannot replicate," she says. "Also, folks who are passionate about security and their country are found here, who want to have a meaningful profession and work for something that is important to the government."

About the Author

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide-range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.
