LANSING – As the Chief Information Security Officer (CISO) for the State of Michigan, I'm often asked the question: What keeps me up at night? With the ever-increasing number of press stories related to identity theft and hackers gaining access to large confidential databases throughout the country, I have found myself lying in bed at 2 AM wondering: what if?
So here are the top ten work issues that keep me up at night. They are listed in reverse order of importance (or sleeplessness).
Number 10: Legislation – From the Health Insurance Portability and Accountability Act (HIPAA) to the Sarbanes-Oxley Act of 2002 (SOX) to Michigan's Social Security Number Privacy Act and many others, we seem to be inundated with new legislation. I've found a few of these to be good bedtime reading, but they've also kept me awake wondering how best to address the myriad of situations raised by new state and federal legislation.
Number 9: Budget Cuts – These are very difficult budget times for Michigan State Government. Everyone is being forced to tighten their belts. The Michigan Department of Information Technology (MDIT) has reduced our IT spend by $100 Million (20%) via gains in efficiency and centralization in the past three years. IT security is also difficult to sell when compared to education or health care priorities. Still, we have been able to get Homeland Security grant dollars to fund our major security investments in infrastructure. Selling security to the business areas has definitely kept me up at night, and my mind goes through scenarios that will sell security investment to business colleagues and clearly articulate risk.
Number 8: Bad Guys in the Lead — Someone recently compared the current Internet Cyber War to the 1930s in Chicago, where the bad guys were way in front of the good guys. I agree with that analysis. If, as a security executive or even a home user, I do almost everything "right," my network is still way too vulnerable. The bad guys seem to have more dollars and time, and we seem to react to their agenda. I sometimes wonder where the attackers are sitting and what they are doing – right now. I imagine some off-shore chalet or maybe some third-world hut with a high speed connection. Still, they are organized and getting better. Food for thought: How can we match their skill and dedication? Should we be applying the same level of resources that we are in attacking the insurgents and terrorists in Iraq?
Number 7: Zero Day Attacks – In my twenty-plus years' experience in IT, it seems that executives often ramp up to fight the last battle. However, in cybersecurity, we seem to have a new set of threats, vulnerabilities, and challenges every few months. For example: who would have guessed that spyware would be such a big deal back in the early part of 2004? Yet, it became a major concern for CISOs by late 2004. While the number of threats and vulnerabilities is growing, the amount of time between the announcement of vulnerabilities and the exploit being seen on the Internet is shrinking to almost zero. In other words, we are getting less advance warning of attacks than we were two or three years ago. So I sometimes get up at night and read emerging threat articles in those darn security magazines – which gives me even more insomnia.
Number 6 – Portable Devices (and Data) – More and more devices carry sensitive data. From PDAs to phones to memory sticks, it's becoming much more difficult to enforce configuration control, asset management, and other "security-friendly" disciplines in the 21st century office. As people become more mobile, CISOs are faced with the reality that smaller and more powerful devices with merging functionality will continue to come at us at an accelerated pace. Voice over IP and other technologies are blurring traditional IT and Telecom roles, and customers keep screaming "give me more for less." In many cases, security is an afterthought or not deployed with these toys, and staff are tempted to bring data with them wherever they go. Why? Because it's easy and cheap. So just when you thought you had your arms around that database or network security architecture, someone loses their laptop or PDA with sensitive or proprietary information. By the way, just saying "no" to these trends doesn't work. You'll be labeled as "out of touch" before you install your first firewall.
Number 5 – Old Equipment – A huge mountain for security execs to climb is the legacy equipment challenge. PC replacement schedules for State employees have lengthened as the budget challenges have grown. Old servers and network equipment abound. So how do we remediate or patch something that is no longer supported, if the dollars aren't there to replace it? While mentioning old equipment, I can't forget about new equipment that often ships non-compliant or without the latest security patch or proper configuration.
Number 4 – Home Networks (Should we do house calls? – NOT!) — As more and more people work from home, how do I deal with home networks? Writing a policy may be fairly easy, but good luck enforcing it. Savvy users have even more savvy teenagers who connect devices to cheap (and often insecure) wireless networks. You may be thinking, "oh yes, but we have VPNs and blah, blah, blah to make sure that work and home computers never communicate or do so securely." Don't believe it. If you really have all the answers for enforcing corporate security policy on home networks, please send me a note. I've yet to meet anyone who did this well. There are lots of tips, ideas, and devices to help, but for now, this issue continues to climb my top ten chart.
Number 3 — Protecting Critical Assets (Are terrorists becoming hackers?) – As a state and a country, we have numerous critical infrastructures we need to protect. From bridges and roads, to energy production and distribution, to our food supply, critical systems and assets have embedded IT networks and security vulnerabilities. Could foreign terrorists hack their way into causing trouble? Absolutely they could, but we need to stop them. Cybersecurity is key to all sectors of Critical Infrastructure Protection (CIP). As we actively engage with the Department of Homeland Security (DHS), State Police, FBI, local governments, InfraGard, and many other groups, we see a myriad of potential issues, which are difficult to mitigate. We are making progress in this area by prioritizing and protecting the crucial assets. Still, I have been awake several nights worrying about CIP. A cyber war could happen.
Number 2 — Personnel (How do we keep & train our security staff?) – My final two concerns may surprise you. Even with all of the new "hot button" issues, the traditional topic of people and relationships is what I think the most about. How can we best attract and maintain good young IT security staff in Lansing? What can we do to be innovative in our state government approaches? With hiring freezes, banked leave time, and other resource reductions, how can I motivate employees? Although I've lost a few staff, we've been fortunate so far. By partnering with State Police and DHS, we've been able to provide good opportunities and training.
Still, this issue could bite us over the next few years. While I was speaking at SecureWorld Atlanta in May, an attendee raised his hand. "I have a comment to make. My consulting company can't get enough good security people right now, and we're offering 40-50 percent raises and relocation packages to trained government security experts." I'm glad none of my staff were in Atlanta that day.
Number 1 – Cultural Change – When I was at the National Security Agency back in the 1980s, I was constantly reminded "Security is our middle name." We had posters and signs everywhere telling us that "someone is watching you." When I arrived in Lansing in 1997, we had minimal physical and cyber security. Ease of use and f