Security in a Digital Age

David Behen, DTMB Director & CIO, State of Michigan


One of the many things that I love about my job as director of the Michigan Department of Technology, Management and Budget (DTMB) and state Chief Information Officer (CIO) is having the opportunity to speak to a wide variety of groups about how we’re improving technology to digitally bring state government to the people. At the end of my talks someone in the audience will inevitably ask, “What keeps you up at night?” and one of the first things that jumps to my mind is cybersecurity. After all, Michigan state government faces its fair share of cyber attacks. In fact, from January to April of 2014, more than 650,450 cyber attacks against the state of Michigan were blocked daily. That’s a twenty percent increase over the same period in 2013. As technology advances, so do the skills of would-be criminals.

Those of us who work in the Information Technology field know all too well the looming threat that a significant cyber attack poses to our nation. Just last August former Secretary of Homeland Security Janet Napolitano warned her predecessor that the United States will face, at some point, “a major cyber event that will have a serious effect on our lives, our economy and the everyday functioning of our society.”

Let’s face it; while cybersecurity is a hot topic that is front and center for chief information and security officers across the country, it’s not an issue that weighs heavily on the minds of most Americans across the nation. People who are concerned about being prepared for a possible disaster such as a tornado, wildfire, flood, hurricane or earthquake are grossly unprepared. In fact, according to a 2013 State University of New York Institute of Technology/Zogby Analytics study, only one in four Americans are concerned about an emergency situation like a terrorist attack, natural disaster or health pandemic. Far fewer are thinking about, let alone preparing for, a possible cyberattack.


This is where we come in. As guardians of public data and private personal information, those of us working in government IT departments have to do everything possible to ensure that cybersecurity is a top priority for our enterprises. This is my opportunity to share some tips that have worked for the state of Michigan. One of the most important pieces of the puzzle for a successful cybersecurity initiative is executive buy-in. In order to launch and execute a successful cybersecurity strategy, you need support and commitment from your leadership. I’m extremely lucky in my position to have a boss (Gov. Rick Snyder) who not only fully understands the importance of funding IT, but who particularly understands just how vital cybersecurity is to public safety.

After securing executive support, make sure you partner with the private sector. In order to have a comprehensive cybersecurity strategy, it’s imperative to connect the dots between the two. Launched in November 2012, the Michigan Cyber Range allows for “live fire” exercises and simulations that will test the detection and reaction skills of participants in a variety of situations. The range has sites at Eastern Michigan University, Ferris State University and Northern Michigan University, a hub at the Michigan National Guard 110th Airlift Wing in Battle Creek, and two more hubs planned for unveiling later this year. The cyber range is a perfect example of how state government, public universities and the private sector (Merit Network) can partner together to prepare for possible real-world scenarios. Successfully responding to a cybersecurity incident will require individuals from both the public and private sectors to work together, and the cyber range allows for and helps foster both cooperation and preparation.

Along the same line, another great tool to help drum up ideas and encourage cooperation across the state is my “CIO kitchen cabinet.” This informal group of Michigan CIOs meets monthly to discuss a variety of issues, from cybersecurity policies to best practices to how to manage/implement a bring-your-own-device plan. While I originally started the group to help advise me in my new role as the state CIO back in 2011, the kitchen cabinet has transformed into an invaluable tool for me and the other CIOs involved. In 2012 I went to the group with the state’s cybersecurity challenge and came away with the Michigan Cyber Disruption Response Strategy to address significant cyber disruption events in the state.

Lastly, if you don’t already have a cybersecurity awareness training program in place to educate employees and ultimately help reduce security incidents as a result of user error, I strongly encourage you to consider the option. According to a recent study referenced by the Ecommerce Times, “an overwhelming 80 percent of corporate security professionals and IT administrators indicated that ‘end user carelessness’ constituted the biggest security threat to their organizations.”

People can have a significant impact in helping combat cyber attacks, but in order to achieve this goal you have to change user behavior, which requires making security awareness part of your enterprise culture. The awareness training program we’re using from Security Mentor has been well-received by our employees. To help change the culture in Michigan, we rolled out cybersecurity awareness training to roughly 47,000 state employees in 2012.

Cybersecurity is serious business, but with support, collaboration, partnership, education and forward-thinking, we can stand prepared for the challenges ahead.
