IT Security Balancing ActInterview with Chris Buse, Minnesota Chief Information Security Officer
State Chief Information Security Officer Chris Buse says this hybrid approach allows the state to save money by centralizing vulnerability and threat management services while leaving it to individual agencies to schedule, analyze and remediate vulnerabilities. "I am a firm believer that the most important security work has to happen down at the local agency level because those folks are most familiar with the day-to-day business operations of the government agency," says Buse in an interview with GovInfoSecurity.com (transcript below).
In the interview, the first of two parts, Buse also addresses how Minnesota maintains an acceptable level of information security when funding from state coffers is tight due to the recession.
Buse spoke with Eric Chabrow, GovInfoSecurity.com managing editor.
ERIC CHABROW: Briefly tell us about the information security operation in Minnesota.
CHRIS BUSE: For years, the history in the state of Minnesota has been that all of the government agencies handled information security on their own and there was no centralization of security. What we've been doing over the past approximately two and half years is trying to shift from a completely decentralized security environment to more of a hybrid approach, where I guess the challenge that we have is trying to figure out what we can do centrally to leverage our economy of scale and our resources and then what are those things that still need to be handled down at the agency level.
So in the past two years, we have been delving out the central function trying to put in place some core utility services that all government organizations can share and in building up the capability of our security functions. Basically, we are kind of starting over with a blank sheet of paper and trying to craft how the security program needs to look for something as large as a state government.
CHABROW: Please provide an example or two of what has been centralized and what the agencies control.
BUSE: I am a firm believer that the most important security work has to happen down at the local agency level because those folks are most familiar with the day-to-day business operations of the government agency, but I think there has got to be security officers in all the agencies.
What we have been trying to do is figure out what are the processes that we can put in place that could be run as centralized services. We feel vulnerability and threat management is something that we have to perfect because there are so many new threat factors every single day and we need to figure out a way that we can find and fix our vulnerabilities before they are exploited by hackers.
We've worked with the entire security community and we set out our requirements and we designed and we installed a centralized vulnerability and threat management solution that can be used by all government entities.
The beauty of this solution is that, in the past, we had vulnerability and threats and scanning operations that could only be done some of the largest agencies that had sophisticated staffs and a lot of money to install and manage the hardware and software, but by doing this one time, we install one good fault tolerant architecture yet we give every organization the ability to schedule and manage their own scanning operations, thereby giving the capability to everybody.
I believe that we have world-class operation, also partnering with higher education so that we can manage vulnerabilities and threats across 150,000 endpoints, spanning all the government agencies and including higher education.
You can see the possibilities by working together, by leveraging our size, it levels the playing field of haves and have nots and it provides equal if not better security to those organizations that had something going on their own. We also see other areas that we think are ripe to have central solutions that can be shared by other folks as well, but vulnerability and threat is one of the first things that we have been working hard on in the state of Minnesota.
CHABROW: Tell us what those other areas are.
BUSE: Some of the areas that are really ripe include the monitoring strategies. Security monitoring is costly and it is difficult for organizations to do on a case-by-case basis. We are looking at technologies, such as intrusion detection and prevention to run as a centralized service, also security information and event management.
We are looking at ways to put together identity and access management through shared environments and also recovery strategies for continuity of operations. There are some other examples of things that we are looking at as potentially pulling out and trying to craft solutions that are centralized enterprise solutions that can be used by all the security officers.
CHABROW: What are some examples of processes that will remain within the agencies?
BUSE: All processes have to reside in the agencies, particularly the big agencies. Even though there is going to be a centralized vulnerability and threat management solution and a centralized team to help manage that solution, the individual agencies still have the responsibility to schedule their own scans, to review the scan output, to actual remediate the vulnerabilities that are out in their environment. The processes remain in the agencies for all security domains.
They are the folks that know what is going on and they are the folks that have to do the work, but what we are trying to do is shed them of the responsibility of building and managing and maintaining the tools that are needed to do that work.
CHABROW: The federal government has Federal Information Security Management Act, the Office of Management and Budget and National Institute of Standards and Technologies to provide IT security guidance. What is the equivalent in Minnesota?
BUSE: Our authority for our enterprise security program rests in state law. The law says that our central group in the Office of Enterprise and Technology has the authority and responsibility to define and set the security policies and standards. In fact, we even have the authority to install and manage central security systems for the government as a whole. But the law is one thing, how that is applied isn't an issue of governance. In order to have appropriate governance and rather than rely on more of a stick and carrot approach, what we have put in place is a statewide Information Security Council. I kind of view them as my board of directors.
Whether it is security solutions, security decisions or even financial decisions and how we spend the money that the state legislature gives us to provide enterprise security, I feel like I should be able to look at the Information Security Council with everything and they should give me a thumbs up and say, "Yeah, we think you are on the right track, we think that you are making the right decisions."
In fact, the Information Security Council helped me form the state's first enterprise-wide security strategic plan and for this upcoming two-year funding biennium, we are putting together a tactical plan, which will lay out all of the core milestones across our security domains that we want to achieve across all of our security areas.
The program framework itself though, we chose to set our program framework up in a model that is very parallel to NIST. We think that is pretty important in our environment because we think the FISMA requirements, which are primarily directed at federal agencies, ultimately will be brought down to the state level. We think by centering our program around the NIST model, by trying to follow the NIST guidelines, we think that we will be in a better position to ultimately demonstrate compliance with the FISMA Act requirements if that ever comes down to the state level.
And, we also like the NIST documents and the NIST framework. I think the research that is put into NIST documents and the publications is simply outstanding. It is really good literature and NIST is well funded.
CHABROW: You also mentioned that you are preparing for the next budget. Are there sufficient funds in Minnesota to adequately secure IT?
BUSE: Absolutely not. I think that is the problem that everybody faces. The challenge that we have is what can we do with the resources that are available to get the most bang for the buck. I am big into having the whole community join forces and put together the tactical plan, but funding is definitely an issue.
What are the things that give us the best security for the dollars that we have and then what are those things that are tertiary items that we want to maybe look at as second things in line, but that is definitely a problem. There is simply not enough money.
The other thing I think that is really important is that it is difficult for me as a leader of a state government to say that there is not enough money to provide adequate security. The state of Minnesota, when you look across all of the different fund types that we manage, whether it is the pension funds and the general funds in a Midwest farm state like Minnesota, we are looking at a $35 billion budget. It is difficult, especially if you are a taxpayer, to hear somebody in government say, "Oh, there is not enough money to provide adequate security."
The challenge that we have is the money is separated between a lot of different entities that typically haven't worked well together putting the resources together to provide joint solutions. That is one of the things that we need to work on, is how do we share the resources and make the money side of the operation come together so that we can fund and centrally manage a lot of the solutions that need to be in place. You know, when you look at government as a whole, there certainly is enough money to do what needs to be done. It is a matter of channeling all of the disparate resources together with governance so that we can make enterprise-wide decisions that are in the best interest of everybody.