This interview is an excerpt from GovLoop’s recent research guide, The Current State of Government’s Cybersecurity.
When you think of a Chief Information Security Officer’s (CISO) job description, you probably think of something like “establish business objectives while overseeing the protection of an organization’s technological assets.” It all sounds pretty straightforward.
But if you talk to the state of Washington’s CISO Agnes Kirk, you’ll quickly understand that a CISO must wear many hats when it comes to managing cybersecurity in government. Not only does she set the mission and pace for the state while managing its technological assets, but she also helps the state combat a variety of cultural and organizational cybersecurity challenges. In an interview with GovLoop, Kirk shared the many roles she plays as CISO, as well as the ways the state is working to improve its cybersecurity posture.
The Different Hats of a CISO
For Kirk, a day on the job can entail working on any number of diverse tasks and priorities related to cybersecurity. When we asked what her responsibilities entailed, she responded with a laundry list of duties including:
- Establishing statewide IT security policy and standards
- Reviewing technologies and IT projects for proper security controls
- Partnering with federal counterparts to ensure a coordinated response to cyberthreats
- Building relationships with universities, private sector, and vendor communities
- Educating government employees and private sector organizations on cybersecurity best practices, skills, and resources
Outreach is a big part of Kirk’s role as CISO. “The security community is all about trust,” Kirk said. “We build relationships before there is an event or emergency so that we know who to reach out to when something happens.” Every month, she and her team hold technical training for state agencies and their staff on security-related issues. Additionally, Washington partners with many federal counterparts to craft holistic messaging and get more resources into the hands of agencies.
A major point of their outreach efforts happens every October, during Cybersecurity Awareness Month. “This year, we’ve been invited by DHS to cohost their national launch of Cybersecurity Awareness Month in Seattle,” Kirk said. “We’re going to make it 3 days of events so we can do further outreach to educate our citizens, businesses, and those in the public sector.”
One of the themes of the event is privacy and security. “We’re going to have a privacy of law cyber panel that discusses privacy issues that impact consumers in the digital age,” Kirk said. “We really want to help people understand how they can manage their digital footprint.”
Kirk also works to establish formal mechanisms and organizations to support her office’s messaging. She helped establish the Pacific Northwest CISO Community, which meets quarterly to share challenges in cybersecurity as well as best practices, like compliance training and securing an organization’s infrastructure.
Building the Cyber Workforce
However, Kirk emphasized that she can’t perform the role of CISO alone. She depends on her team to get the jobs done. “You’re always having to juggle priorities, but I have an outstanding team of security professionals that help carry those roles,” she said. “I can only be as successful as we are as a team that works together and collaborates.”
That means Kirk needs skilled professionals to help get the job of cybersecurity done. Unsurprisingly, one big priority for the state is educating and building the cyber workforce.
To address the serious shortage in the cyber workforce, the state partnered with other state governments, higher education, and the private sector to launch a pilot program, through a grant from NIST, called Cyber4Vets. Though the program ended in March, Cyber4Vets helped connect at least 156 veterans and transitioning service members with existing cybersecurity educational programs in Washington State and was a great force in helping to increase the talent pool of cybersecurity professionals.
In addition to building the workforce through such programs, Kirk and her team focus on educating the next generation of IT professionals. They reach out to universities and even K-12 programs to encourage youth to choose cyber careers. Educating and developing the cyber workforce means no one is too young to start learning about cybersecurity.
“We have one of the five national cybersecurity centers of excellence with a community college,” Kirk said. “We talk about their programs, ask students to share their insights, and have employers talk about the success of hiring folks out of that program.”
Another creative strategy to drive growth in the cybersecurity workforce is to adopt private sector practices. On October 6th, as part of Cybersecurity Awareness Month, Washington state will also be hosting a “Shark Tank-like” event to drive innovation in cybersecurity. “We’re going to have entrepreneurs do a fast pitch about their startup product or service to multiple venture capitalist groups,” Kirk said. “It’s an opportunity to help educate and open up opportunities for those small businesses in cybersecurity.”
Altogether, Kirk explains that the best strategies to develop the cyber workforce include increasing early education, developing partnerships with the private sector to train more cyber professionals, and driving innovation to incentivize more people to join the cyber workforce.
Tools and Support
In addition to being a cybersecurity manager and educator, a CISO wears the hat of IT professional as she oversees an organization’s technologies and support programs for cybersecurity. That’s no easy task, but it does allow Kirk to work with and help develop a number of exciting new tools and gadgets.
Take the state of Washington’s recently expanded Office of Cyber Security (OCS), for example. The office was established to help other agencies and state and local counterparts improve their own cybersecurity posture. The Washington State Security Operations Center (SOC) monitors and manages all aspects of the perimeter security in near real time, from a single, centralized location.
“We also have a team that helps agencies assess their current security posture and develop recommendations and prioritization for mitigating future threats,” Kirk said. “Additionally, we provide on-the-ground consultative support so we can design strategies customized for them. We try to fit the right training for the right types of responsibilities people have.”
This is especially important in addressing the cultural shift in organizations where security is no longer just an IT responsibility, but everyone’s responsibility. “We like to help with training and education because it’s just as important for the receptionist to understand that she is probably the first line of an attack for a cyber hacker,” Kirk said.
For its approximately 7 million citizens, the state also provides a single sign-on portal, Secure Access Washington, for constituents and businesses to better deliver services while maintaining security. The portal allows users to access multiple online government services with a single user ID and password or a higher level of security. Citizens and businesses then only have to remember one credential rather than one for each service they use. Kirk estimates that the portal has about 2.8 million active users now.
Secure Access is just one of many ways Kirk has ingrained security into the daily operations of Washington State. These mechanisms are absolutely necessary. The many hats of a CISO would sound overwhelming to many. But, as Kirk proves, with the right strategy, team, outreach, and technologies, it certainly can be done.
My heart always goes out to the CISOs. They are often ignored until there is a problem, and then they can be made the scapegoat. I saw one stat that CISOs have the highest job turnover of any other employee.
Here is one observation I have made as the CEO of Access Smart when trying to convince another company’s management to increase security: Learn to speak as a CFO.
So often a CISO, CTO or CSO will speak geek to their CFO and CEO. CEOs/CFOs probably just barely understand the difference between a bit and a byte. Forget trying to explain DDoS, Heartbleed, Zeus, Pass-the-Hash, private key management or multi-factor authentication. I can see the glaze over the eyes now.
CISOs need to start understanding biz-speak. Terms like ROI, balance sheets, profit/loss statements, cash flow, bad press, and bankruptcy, to name a few. Have the CISO talk to the marketing department about their budget to build awareness, and what would happen if that was destroyed in one breach. Next, ask the sales dept. how much revenue they think a new plan will bring in, and what would happen if everything gets undermined. I think you get the point.
When I was a young engineer I learned to talk to management, marketing, sales, legal, customer service, manufacturing, shipping, and anyone else I could find who had any association with my product. It was staggering as to who all touched the product.
So CISOs, if you want to increase your budgets and get better approval to fix that old, tired system, also get to know the business side of the equation.