Public Sector & Cyber Security
By Phil Bertolini, Deputy County Executive/CIO, Oakland County
As CIOs, we have all attended events where we walked away with nothing to take back to our workplace. We have all read articles that left us confused or wanting more. I have been asked to provide some CIO information/advice that can be used by your organizations. Well, here I go.
Our world is changing faster than ever and CIOs are expected to keep the business organization marching forward with quality enabling technologies. Better yet, the technologies have to be somewhat cutting edge and secure. Cutting edge is doable but being completely secure is a misnomer. Our jobs have become saturated with the need to block, tackle, repel, and respond to attacks of all types. Technology changes so quickly that we are forced to chase innovation while providing security. Wouldn’t it be wonderful to build quality technologies without worrying about who was trying to break in? The days of sleeping well are gone and it is time we engage in the fight of our careers, Cyber Security.
While CIOs are blocking and tackling they are also required to maintain a qualified workforce. Priorities being what they are, Cyber Security is our number one priority but a close second is the need to recruit and retain qualified people. I believe that most people in government today, or in the private sector, see technology as only about technology and not about people. Sometimes, I think that a few representatives on the business team believe that fairies sprinkle dust over an issue and technology is born. Or, they ask the question, “Can’t we get some high school students to build a web site for us?” Technology is nothing without qualified people building what the business needs.
Under the leadership of County Executive L. Brooks Patterson, we in Oakland County, Michigan, are tackling both of these issues with great zeal. As I stated previously, Cyber Security is our number one priority, with the recruitment and retention of a qualified technology workforce rising to the same level. We saw the writing on the wall, and almost three years ago we made the decision to re-assess our security posture to determine how prepared we were for the new brand of cyber-attacks. We scheduled a meeting where I, as the CIO, asked the team what security measures we had in place. The room was quiet and many shrugged their shoulders. What we found was that we had several security controls in place but no strategy to drive the process. The alarm bells were sounded and we began attempting to assess what security controls we had and how they worked. Our efforts were disjointed, and it wasn’t until we brought a professional CISO on board that we truly understood what we had and, more importantly, what we didn’t have. The assessment showed our weaknesses. The fight was on.
The reason I share this experience is that many organizations are where we were just a few short years ago. It is time that we as CIOs help each other by sharing as much knowledge as possible. The government sector is even less likely to have the controls in place to repel cyber terrorists. We watched our neighboring governments struggle to tread the same ground we had just struggled over. Sharing information became necessary for our success. As a result, five Southeast Michigan counties and the State of Michigan decided to do something about security collaboration. A project began to create a Cyber Security assessment that helps governments answer three important questions: What do we have? What do we need to do? Where can we get help? The Cyber Security Assessment for Everyone, or CySAFE, was born. This assessment utilizes the best practice standards of NIST, ISO and the 20 Critical Controls while making them understandable for any CIO. Shortly after the release of CySAFE for governments at g2gmarket.com, it was downloaded in almost all 50 states across the nation, and a version for medium to small size businesses was released at advantageoakland.com. The CySAFE assessment fulfills a basic need for CIOs to build a foundation around Cyber Security in their organization.
What did we learn from all of these efforts? We learned that CIOs cannot do it alone when fighting an army of cyber attackers. We also learned that collaboration is not as simple as sharing information. In the case of a cyber-attack, many CIOs will hunker down and restrict communications with anyone except those organizations that can directly help them, for example the Department of Homeland Security in Washington, D.C. Closing ranks during a cyber-attack can be disastrous, especially if your organization does not have the necessary skill sets to fight the battle. If ever the time is right, setting aside your ego may be the best decision you could make during this type of event. Cyber Security will forever be our number one effort and joining the fight together will help us all survive.
In the world of real estate, the key aspect is always location, location, location. In the world of technology, I would say the key aspect is people, people, people. Our workforce is comprised of talent and skill sets from multiple generations. Mainframe programmers still exist alongside cutting-edge web programmers. Recruiting multiple skill sets is a challenge for every industry, let alone what we deal with in the government space. Government is not seen as a cutting-edge technology workplace like those that have come onto the scene in recent years. We do not have slides in the office and we cannot bring our dogs to work. What are we going to do to compete?
In Oakland County, we have taken a three-pronged approach to the recruitment and retention of technology employees. First, we attacked salaries through a market study, which resulted in making our salaries more competitive with the overall market. Second, we worked diligently to provide flex time, 4 by 10 workdays and telework. Third, we are in the process of redesigning our workspace to be more teamwork oriented with collaborative environments. What we are selling in government IT is that you will work hard on innovative technologies but you can still be home for dinner with your family. We understand that without qualified people we will never succeed in our mission: to provide quality enabling technologies so our operational teams can provide the best services possible to the 1.2 million people in Oakland County.
The battle of Cyber Security is on. The battle for qualified talent is on. Some days these battles seem like wars and they may never end. As CIOs, we have to be on top of these two issues in order to survive a very tough environment. Cyber warfare is a dirty business that requires very talented professionals on our side to offset the skill sets of the attackers. In essence, these two issues are inextricably linked by people. CIOs, remember it is not always about the technology. It is always about the people.