State CISO Keeps an Eye on Washington
Interview with Kansas CISO Larry Kettlewell
In an interview with GovInfoSecurity.com (transcript below), Kansas CISO Larry Kettlewell explains that when each state agency conducts an IT security self-assessment, the procedures they follow come right from FISMA and NIST, customized for their own business practices. "We have tried to align ourselves basically with all of the procedures and guidelines and best practices that the federal government does," Kettlewell says. "At some point down the line, the federal government regulations are going to be such that if you want to do business with the federal government at the state level, you are going to have to come in line with whatever procedures and processes that the federal government has."
Kettlewell, in the interview, discusses:
Eric Chabrow, GovInfoSecurity managing editor, interviews Kettlewell.
ERIC CHABROW: Tell us a bit about the IT security organization in Kansas.
LARRY KETTLEWELL: Our governance system is kind of a federated one where each individual agency and the Kansas state government has its own information officer and its own information security organization. I suppose some people would look at that being an unusual situation because there is really no sort of central figure that has overall authority of our IT system. With that said, it is a collaborative effort.
We have not had any issues really that have not been able to be resolved or otherwise insurmountable with respect to either our system of governance and how we deliver IT to our various clients if you will throughout state government here in Kansas.
CHABROW: How many agencies are there?
KETTLEWELL: There are about 40 organizations from very, very small to very large but in the latter case you would have for instance your Department of Labor, Department of Transportation, Social Rehabilitation Services and Revenue.
CHABROW: What is your relationship with the various information security officers in those agencies?
KETTLEWELL: I wear a couple of different hats. I am the chairman of the State IT Security Council, which responds to the state's highest information technology advisory committee, the I-Tech as we call it, the Executive Committee; as well I oversee an office here in the Department of Information Services and Communications, which is known as the Enterprise Security Office. We function as the coordinating body. We have incident response capabilities and responsibilities. We also have responsibilities for looking at the security as it relates to our overall IT infrastructure.
CHABROW: Do you have any direct authority over the agencies?
KETTLEWELL: No direct authority; it is more or less conveyed by a number of policies which have been promulgated by the Information Technology Executive Council. It is one really unusual sort of governance situation but one that is a cooperative and collaborative effort on the parts of all of my colleagues out there in terms of coordinating and touching base on a day-to-day basis on whatever issue confronts us.
CHABROW: The federal government has FISMA, the Federal Information Security Management Act, and the Office of Management and Budget to direct IT security compliance. Do you have an equivalent of that in Kansas?
KETTLEWELL: We really don't in that each individual agency has sort of a component given their service deliveries. Basically, when it comes to a top level sort of compliance, we do have a policy wherein each year we do what is known as a security self-assessment, which is FISMA based and NIST (National Institute of Standards and Technology) based, so that we have basically all of the practices that a federal government agency would, which are sort of customized and modified for our own business practices here in the state.
CHABROW: A lot is happening in the federal government regarding cybersecurity. The president in May announced the major initiative that there was going to be a White House cybersecurity coordinator. Do you follow those developments and if so, what kind of impact would they have on Kansas?
KETTLEWELL: In short, yes I do. I am, or have been certainly in the past, very involved between the state and the federal government with respect to critical infrastructure and mainly in that capacity I have been more or less an informal advisor to the National Association of State Chief Information Officers, which has that sort of interface with the federal government. I have represented them and the state with the federal government over the past five or six years.
It is something that we do stay in touch with and it will, we hope, have a very positive impact on the state.
CHABROW: Is the impact such that it provides guidelines or suggestions of how to tackle information security, or is it something more direct?
KETTLEWELL: At least up until now, it has been sort of implied, and you talk about FISMA and NIST and one thing and another. We have tried to align ourselves basically with all of the procedures and guidelines and best practices that the federal government does. At some point down the line the federal government regulations are going to be such that if you want to do business with the federal government at the state level you are going to have to come in line with whatever procedures and processes that the federal government has.
We have tried to keep that in mind and I think probably more and more we are going to see a situation where if you do not come into line with the best practices and the rules and regulation that the feds have, you are probably going to have trouble doing business with them.
CHABROW: You don't seem disturbed by that.
KETTLEWELL: Certainly, in some instances, there are financial implications, but in the most part, no I am not troubled by it all because basically the rules and procedures at least certainly so far have not been particularly onerous and they are, after all, basically a collection of best practices that most states feel like we should comply with anyway.
CHABROW: What are the biggest IT security challenges that Kansas government faces?
KETTLEWELL: Just continued vigilance. Just keeping your eye on the ball. It is trying to keep people aware of the situation, the seriousness of an individual vulnerability out there and to keep management at upper levels in the loop and at the same time not be running around out there saying the sky is falling because management gets turned off by that readily when you do that over and over again. You have to demonstrate that there is a threat out there, the seriousness of it to continue to urge people to stay on top of things and out in front of the threat.
CHABROW: It seems that every state is facing tough times in this economy. Funding governmental projects is getting tough. What is happening in Kansas? Is there sufficient funding to properly secure government IT?
KETTLEWELL: We have had a reasonably good track record on sort of looking down the road and trying to figure out what we were going to need in terms of technology ahead of time. We have just within the last year or so been upgrading our network, with the security upgrades that go along and fit in with that. We haven't been faced with a situation where, oh my gosh, we need this black box that costs X number of thousands of dollars tomorrow, or we missed out on an opportunity to acquire technology that would deal with a specific vulnerability or vulnerabilities. Yes, we have been going through some pretty tough times financially, but I think we have been reasonably well positioned, if you will, technology-wise, so that we are not behind the curve certainly at this time.
CHABROW: What IT security skills are in demand and what challenges, if any, do you face in hiring or training or retaining people with those skills?
KETTLEWELL: That is problematic throughout all of the rest of the states in terms of retention and hiring and skill sets. If I had my druthers right now, I would want two or three more network security engineers but they are in short supply. We need people who have top-notch skills in terms of network firewall administration and mostly with a heavy security background. I mean you do find network security administrators certainly, but those who have a security background that sort of piggybacks on that.
Network skills in terms of routers, switches, people that again have some sort of security background that ties into that, because more and more of that whole system of black boxes is becoming merged and blurred to the degree that you really have to have security from top to bottom in those areas.
CHABROW: Are you finding that the skill sets really aren't out there; people may know networking but really don't understand the security behind it?
KETTLEWELL: That's a problem insofar as state governments cannot offer top dollar for people coming in with first-rate skills. I tried to address that in the last couple of years by trying to upgrade our pay rates for select skills; we were behind in that area. We have addressed that in part, but still, with that said, for comparable skill sets in the public and private sector, you are just not going to come to any sort of parity, and always state governments are not going to be able to offer as much money as they would like to get.
CHABROW: How much of a difference in compensation is there between private and public?
KETTLEWELL: If you look at the management levels you are looking at maybe $100K for a manager, and in the private sector you are probably looking at $120-$130K for a similar management position. In terms of technical positions, you are probably looking at $60-$70K for a mid-manager in state government and you are probably looking at $90-$100K in the private sector.