The Trials And Tribulations Of Public Sector CISOs

Khalid Kark

Just the other day, I was speaking with a state CISO about the security challenges she's facing in today's environment. In many regards, she echoed what I've heard from other CISOs in the private sector -- the business (the Governor) is expecting us to do more with less, Web 2.0 brings along a whole new set of security challenges, etc. At the same time, she reminded me just how different things are for the public sector by articulating the extra challenges she has on top of all the usual ones:

  1. The CEO (Governor) and executive management (Administration) change every four years. That means you have to start from scratch every four years with the new administration. You also have to build relationships one level below the political appointees to ensure continued support.
  2. You are competing for budget against pretty important priorities, such as healthcare and education. Legislators often don't understand why it's important to upgrade the state's IT infrastructure.
  3. The IT environment consists of several dozen smaller agencies working independently. Many of the smaller state agencies don't even have a dedicated IT person, making it harder to centralize anything and enforce security policies consistently.
  4. No room for error. A mistake is guaranteed to make newspaper headlines. A lot more information needs to be fully disclosed to the public, just as part of doing business as a state entity. So when things go badly, everyone knows.
  5. Procurement processes are cumbersome. You cannot just go out and buy a tool or hire a consultant. You have to go through the state mandated process that could take months. This makes it more difficult for the security organization to be nimble and agile.
  6. The public sector is subject to additional regulations, some of which simply don't apply to the private sector.

Now combine these challenges with two facts: first, states possess a wealth of personally identifiable information (PII) and other confidential information on citizens and businesses, and second, states process billions of dollars a day. Together, these make a state a very attractive target for malicious attacks. As the state CISO, this leaves you with a huge burden of responsibility on your shoulders and a tough road ahead of you.

How should we address some of the above challenges, while ensuring taxpayer money is being spent appropriately? Do you find yourself facing other similar challenges as a public CISO? As always, I would love to hear your thoughts.

[posted by Khalid Kark]