Size Can be Deceptive: Two-Man IT Security Unit
Interview with Rhode Island CIO Jack Landers and CISO Ernie Quaglieri
In an interview with GovInfoSecurity.com (see transcript below), CIO Jack Landers and CISO Ernie Quaglieri discuss how cybersecurity is integrated into the state IT operation. "Security encompasses all of IT and if you can use security as a baseline when you are creating applications or when you are building a network, it just makes the environment that much more secure and it certainly makes my job easier when security has been considered from the ground up instead of an afterthought," Quaglieri says.
The CIO and CISO also discuss their working relationship as well as how a recent move to centralize IT functions in state government is proving beneficial.
Landers and Quaglieri spoke with Eric Chabrow, managing editor of GovInfoSecurity.com.
ERIC CHABROW: Please describe the IT security organization within Rhode Island's government.
ERNIE QUAGLIERI: Our IT security consists of, well, myself; I'm the chief information security officer for the state and I also have an assistant who is the deputy chief information security officer, and we are in charge of obviously the security for the state. We oversee all of the projects that are put into production. We review all of the security plans. We monitor the firewall logs. We take care of any computer forensics that need to be done for the state and just basically all of the antivirus and all of the different things that involve the security for the executive branch of government here in Rhode Island.
JACK LANDERS: In conjunction with that, Ernie and his deputy work very closely with the State Police in doing forensics where required. Ernie and his organization work very closely with our whole IT support team and all of our agencies from a training standpoint as well as a support standpoint for any kind of security concerns.
CHABROW: There is a lot of security work done in IT; obviously more than what two people can do. Do you rely on the regular IT organization or go outside to find help?
LANDERS: We rely very heavily on the rest of the IT organization to support Ernie and his group from both a networking standpoint as well as a technical operations standpoint. Rhode Island is not very large and our network is still fairly sophisticated and it does require more than two people to handle it. We have covered budget constraints and so forth, but we are kind of limited on the number of resources that we can bring in full time to this thing.
QUAGLIERI: We are very tightly integrated with the technicians and the network group; however, at the same time we are objective when it comes to security. The plan will come forward and the network group and the technicians will be involved, and then myself and my deputy will step back and we will review the plans and give them an objective evaluation of what we feel the security issues are. So in a way we are very tightly integrated with them, and also in a way we are able to be objective in what we do.
CHABROW: On that point, I assume a lot of the people who are working on IT have IT security skills. What is the advantage of having them in the general IT organization rather than specifically belonging to the IT security organization?
QUAGLIERI: Security encompasses all of IT and if you can use security as a baseline when you are creating applications such as in programming or when you are building a network it just makes the environment that much more secure and it certainly makes my job easier when security has been considered from the ground up instead of an afterthought.
LANDERS: To stay on Ernie's point as well, one of the things that I have seen here in the state is the diversity of all of the different agencies. I think it would be pretty difficult for a security organization to know all the intricacies of all of the agencies, whereas here we are utilizing those resources that are already in those agencies to integrate with Ernie's organization.
CHABROW: The agencies, do they have their own IT staffs or is this all centralized in government?
LANDERS: We are centralized, but they basically are housed in each one of the agencies. We have not consolidated all of the staffs into a single facility. We are centralized; they all report up through the office of the CIO, however they physically sit in all their agencies. But the reporting structure is to the IT department.
CHABROW: Please describe the working relationship between the CIO and the CISO. How often do you chat, and who is responsible for what?
LANDERS: Ernie reports directly to me. We meet once a week. We have monthly status meetings where Ernie is updating me as to what is going on in the world of security. I have an open door policy when it comes to security; if there are any issues that need my immediate attention I am available to him, and vice versa as well. If I have an issue where I need Ernie's help, he and his team are readily available as well.
QUAGLIERI: And I also have his home phone number.
CHABROW: What would you say today is the biggest challenge confronting the IT security operation in Rhode Island?
QUAGLIERI: Just like everyone else, we are trying to do more with less. We have had a number of retirements throughout the state, so we are using technology to try to keep pace with the services that we need to provide to citizens, and we are doing that with less money and we are doing it with less personnel.
Like other agencies that have somewhat recently centralized, there is somewhat of a learning curve for the different agencies to realize that now they are not totally in charge of their own IT budget and they are not totally in charge of their own personal IT staff. So there is a little bit of a learning curve involved for the different agencies, for everyone to get on board and get on the same page with the centralization procedure.
CHABROW: When did the centralization begin?
LANDERS: There was an executive order passed by the Governor in 2004, but the plan really wasn't implemented until September of last year.
CHABROW: What was the rationale behind centralization?
LANDERS: To try to consolidate resources and try to consolidate budgets, with the ultimate goal to reduce spending.
QUAGLIERI: It didn't make a lot of sense to have a SQL expert in four of the agencies and then have five other agencies running SQL that didn't have anyone to work on it. It just made more sense to centralize these personnel and be able to deploy these people where you need them.
CHABROW: In cybersecurity, is it beneficial to centralize the organization?
QUAGLIERI: Absolutely. We have what is essentially an assistant security officer who has been designated as such in each agency, and that would be a person for me to directly contact within the agency itself when I need to discuss security issues with them.
LANDERS: What is important there, too, is that reporting up through the office of the CIO, we basically have a reporting structure that allows Ernie to be able to have those security folks in the agencies dedicated to his availability when he needs them.
CHABROW: What kind of experience do these security folks in the agencies have? Are they network people or do they all have different skills in different agencies?
QUAGLIERI: They are generally networking people who have some skills in security, although it is not their primary focus. But I discuss a security matter with them and they certainly know what I am talking about. If I need them to carry out some type of a task, they have the ability to carry out that task for me.
CHABROW: Switching topics just a bit, unemployment in Rhode Island in June topped 12 percent. In an article posted recently on the Providence Journal website, a University of Rhode Island business professor said one of the bright spots is for IT professionals with cybersecurity expertise. Even though the budget is tight, are you hiring?
LANDERS: The answer is, at this moment, we are not hiring. I think if you look at our budget considerations as well as our unemployment rate, we are not in a position at this point in time to be expanding government.