When it’s time to choose a new security feature to roll out inside the Michigan state government, Rex Menold, the state’s chief security officer, isn’t the one who decides. It’s not because he’s new to the role (he started in January), and it doesn’t seem to matter that he’s been with the state since the late 1990s. The way it works, he told a conference audience in Philadelphia on Monday, is that the agencies decide.
The system, Menold said, derives from a self-awareness by the state’s technology bureau that it doesn’t have all the answers: “A lot of times we think we can make decisions for the agencies about priorities when we don’t necessarily really understand their business,” he said. Sometimes, he continued, even after all his years with the state, he’ll pitch an idea that he thinks an agency head will love and get a response like: “That interests us zero percent.”
His description of the democratic process used to prioritize security upgrades was a response to a prompt by organizers of a session at the National Association of State Chief Information Officers’ midyear conference. The topic was “the business of cybersecurity.” And the business of cybersecurity, according to those who practice it, is less a matter of technical details than saying the right things to the right people.
When talking to state legislators, Menold said, it helps to frame cybersecurity funding in practical terms: “If you explain how does that impact their town, how does that impact their email system… a lot of legislators would love to say they cut $10 million. Almost none of them want to say that we cut these three projects that make it more risky for you to log in and get services.”
Michael Watson, who was Virginia’s chief information security officer until this month, when he was named the state’s CIO, said there’s a piece of universal business wisdom he’s long employed: “understanding how to hit that one thing that’s important to everybody. Everybody has their own thing that they really don’t want to let happen.” Whether that’s a department of motor vehicles registration system going offline or mainframe services becoming unavailable, couching cybersecurity in such tangible and frightening terms is apparently more persuasive than asking for funding to address some arcane technical challenge.
Tony Sauerhoff, Texas’ CIO and former CISO, told a story about making an impression on a county judge who, during an event, griped that cybersecurity was “expensive.” Sauerhoff said he encouraged the judge to consider that each time he purchased something ostensibly important, such as a maintenance truck, he was choosing not to invest in something else, like cybersecurity, which was an implicit decision to increase his organization’s risk. The punchline was that the judge later lost his train of thought during a speech at the event and wondered aloud about what other important things he wasn’t investing in.
Sauerhoff also relayed a strategy he used as the state’s security chief to reduce the stress of his job. Because it’s impossible to eliminate risk, he said, his goal instead was to communicate what he’d done: “It’s my job to do the best that I can, with the resources that have been provided to me … implement the hell out of all those things … and there’s a gap, and then it’s my job to make sure that gap is understood by leadership.”
With some satisfaction, Sauerhoff explained that whenever he issued his reports detailing potential vulnerabilities, they were no longer his problems. It helped him sleep at night, he said, and it also “puts pressure on the folks that now have that information” to do something about it. “You start to get resources you didn’t get before,” he said.
But he also observed that that particular strategy has limits. It was effective when he was the state’s CISO, apparently reporting those security concerns to Amanda Crawford, who until January was the state’s CIO. “Now that’s me,” Sauerhoff said ruefully.
