How the State of Florida Builds Information Security Expertise Despite Escalating Risk and Tight Budgets.

Transcription

1 September 2010

2 How the State of Florida Builds Information Security Expertise Despite Escalating Risk and Tight Budgets. CHALLENGE Training and education have always been a top priority for the State of Florida s Office of Information Security (OIS) within the Agency for Enterprise Information Technology (AEIT). The (OIS) was established immediately following the events of 9/11. Its mission? To help the State s executive branch agencies address With training as an integral factor in the success of each focus area, the OIS laid out an aggressive and detailed training and education program for its information security staff. In fact, its training plan is mapped out in a comprehensive three-year matrix that illustrates how the State will leverage its workforce to meet federal, state and private information cyber security issues and to ensure statewide security standards. Helping state agencies comply with all requirements such as HIPAA, PCI, and those set forth by the U.S. Department of Homeland Security (DHS) is critical to the Office and AEIT s success. compliance with Federal and State security standards. Even though legislation points the efforts of the OIS toward the executive branch of government, the courts, the Florida Legislature, cities, counties and municipalities are willing participants. With technology evolving at what seems to be the speed of light, how does AEIT keep its The Office s five focus areas related to enterprise information security are: information technology staff up-to-date on best security practices? Policy Training Risk management Incident response And in light of budget cuts, how does AEIT maintain its expertise in protecting critical, proprietary information? Survivability 1

3 SOLUTION Establish Goals First, AEIT worked with the Information Security Manager community within state agencies to identify business requirements that need to be addressed, such as staff professional development goals. One of the most valuable education programs the State has engaged in has been CISSP CBK Review Seminars and examinations, said Russo. We stress this certification because it requires our experienced managers to have a deep understanding of the latest, up-to-date information on the full spectrum of security-related developments and topics. We determined which standards and certifications would best meet our needs and put together a program that would take us there, said Mike Russo, CISSP, and Chief Information Security Officer (CISO) for the State of Florida. The State began offering CISSP CBK Review Seminars to a select group of its professional staff in This year, it contracted with (ISC) 2 to provide a CISSP Review Seminar and examination for 25 employees from many We are constantly on the watch for emerging areas that require staff training. In fact, said Russo, the State of Florida was one of the of the State s executive agencies, as well as Legislative, Inspector General and Auditor General offices. first to offer training for ethical hacking and incident response. If we had more domestic security grant funds, we would have doubled the number of participants, said Russo. It s critical for all of our technologists, and those who fund, regulate and audit them, to understand what the latest best practices are, and why we do what we do. Russo says that the State s security education program focuses on national and international certifications because they provide a globally recognized, independent and objective demonstration of an individual s level of competence. Finding Funding We try to help staff attain credentials in many areas. It takes a well-rounded body of knowledge to function effectively. Millions of dollars of federal security funds are available to every state through the DHS, but there is no uniformity in how states go about 2

4 distributing those funds. Ideally, Congress forum to make a strong business case, says Russo. would mandate that some of the funds be allocated to information security, but with states cutting their budgets, such allocation is unlikely to happen without strong advocacy. Florida is divided into seven domestic security regions, each chaired by state and local law enforcement officials. These regional committees look at potential terrorist activity and make recommendations on solving security threats. Each year, those recommendations are vetted, and decisions are made on how to spend millions of dollars that the State receives from DHS. In addition to DHS money, CISOs can find funds for information security initiatives through grants from the U.S. Department of Health, Department of Labor and the Department of Education. As the State s CISO, it s my job to help all Make a Strong Business Case The State of Florida is known to have one of the best domestic security initiatives in the decision-makers realize the importance of investing in their agency security teams to develop effective information security, said Russo. nation, and one that supports cyber issues. That success is due in large part to the ability of CISOs to make a strong business case for their priorities. So, how does the Office of Information Security get heard over the din of Technology alone cannot protect sensitive information, and no amount of software will ever be as powerful as the people behind it, so training and education must be funded. voices clamoring for a piece of the funding pie? So far, said Russo, we have been successful According to Russo, much has to do with the way the State s domestic security organization is structured. It gives the State Chief Information Officer, the head of AEIT, a seat at the decision-making table. It s up to information security leaders to make sure we use that at establishing a consensus that our technology and education needs are very important factors. Russo advises CISOs in other states to find a way to bring awareness to the groups who determine how domestic security funds are spent. 3

5 CISOs need to be excellent advocates for their technology and training needs, said Russo. One of the mistakes we make as technologists, he says, is that we don t address the business needs. Business leaders make the decisions on where money is spent, and it is our responsibility to help them understand why information security is critical to their success not in a techie way but by making a strong business case for it. RESULTS More Qualified People Our role is to protect information assets, said Russo. The (ISC) 2 Review Seminars help ensure that our people know how to do that. Earning and maintaining the credentials means that they not only have the required knowledge but that they are continually updating their knowledge in line with the constantly evolving threats and changes in the industry. In addition, membership in a professional certification body ensures they have made a commitment to high ethical standards. Everyone who attended the Review Seminar is more capable as a result of it, he said. The (ISC) 2 instructor was incredible. He was personable, and his experience and background provided insights and reallife examples that made all of the information understandable and memorable. In addition, the (ISC) 2 credentials are a part of the State s career mapping process. By providing a path for employees to advance, Florida is better positioned to retain them as they grow more experienced. We associate certain credentials with job descriptions, says Russo. They help us identify candidates for new roles and responsibilities. Increased Level of Professionalism Credentials have a positive influence on our tightly knit community of information security managers, said Russo. Employees who have attained credentials are held to a higher standard by the organization and their peers, and they become evangelists, supporting others to move toward certification. Once credentialed, they have access to all the advantages and resources available to certified professionals, which benefits the entire agency. We are very pleased with the results we have achieved from the CISSP Review Seminar, said Russo. We will continue to offer courses for (ISC) 2 credentials until the majority of the State s information security professionals are certified. 4

6 Federal Funding for Cyber Security: A Crisis of Prioritization The security of state networks has serious implications for homeland security, as it affects both continuity of government and the operations of critical infrastructure. The states and federal government must collaborate in cyber security protection, recovery and restoration. Despite the serious and urgent situation, it is often difficult for state CIOs to secure federal funding for their cyber security efforts. Cyber security protection must compete for funding against more visible and politically appealing homeland security applications. NASCIO has been advocating before Congress for the establishment of a cyber security grant program dedicated to improving cyber prevention, protection, response, and recovery capabilities at both the state and local government levels. In view of budget constraints, NASCIO has also been advocating that at minimum DHS and FEMA should set aside funding for cyber security programs and projects that DHS give higher priority to state cyber security grants program to assist states. The purpose of the grant program would be to demonstrate best practices, innovation and knowledge transfer regarding cyber security within State organizations. Funds would be used for supporting the enhancement of cyber security preparedness in the states by assisting them with network sensing, intrusion detection and security related operations equipment, expanding security awareness campaigns, assisting in restoration and recovery efforts in the event of a cyber attack, and providing technical training and certification for protecting programs administered by the states.