Delaware state ISOs recently convened for a day of meetings and training to better prepare for incidents in their individual agencies, an event state CSO Elayne Starkey compares to fire drills.
Aside from being a networking opportunity and a chance to connect with peers, the half-day meeting gave Delaware's information security officers training scenarios designed to teach new methods for responding to incidents more efficiently, says Starkey.
"We like to present them with these kinds of incidents and for them to think about how they might respond and mitigate incidents like this when they're practicing," she says in an interview with Information Security Media Group's Eric Chabrow [transcript below].
"It's the same reason we run fire drills in buildings," Starkey explains. "Let's get them in a setting where it's not for real."
Some of the scenarios included responding to spam e-mails being sent to an organization, USB drives connected to devices when they shouldn't have been and an administrator's password being exposed.
Meeting face-to-face offers state ISOs the opportunity to learn from their peers. "I heard some really good ideas, and I saw some eyes kind of widen like, 'Oh, I hadn't thought about that,'" Starkey says.
In the interview, conducted at a half-day meeting of Delaware state ISOs in September, Starkey explains the:
- Requirements ISOs must meet to receive DCISO certification;
- Importance of providing face-to-face group meetings for ISOs such as the one held in September;
- Value of conducting incident tests at the face-to-face meetings, which can earn ISOs credit for their DCISO certification.
Starkey has been Delaware's state CSO for seven years. She earned two computer science degrees, a master of science from Rochester Institute of Technology and a bachelor of science from James Madison University.
ERIC CHABROW: We just finished a gathering of a quarter of the state agencies' information security officers. You gather them every other month?
ELAYNE STARKEY: We do a bi-monthly webcast with them and once a year we like to convene a face-to-face meeting. Today was our annual face-to-face gathering and all 230 ISOs were welcome to attend. That's a mix of primary and alternate ISOs, so typically they sent at least one or two ISOs from each organization.
CHABROW: Why is it important to get them together face-to-face?
STARKEY: The networking opportunities that it provides to them; a wise emergency management advisor once told me that the best time to meet someone that you're going to need assistance from in an incident is not when the incident is going on. This is an opportunity for them to come together and get to know each other. They all share common issues and common problems. We heard that today. They each now go home to their various school districts and state agencies and they deal with very similar problems. To build the relationships and the connections here in a face-to-face setting is much more conducive than our web meetings that we have. It gives them the opportunity to go home and tomorrow they might want to just pick up the phone and call and talk to someone that they met today, or even if it's a month from now or a year from now, it's just important to me that they have a venue to come together to build these relationships.
CHABROW: One of the highlights of today's session was the scenarios you outlined for these ISOs. They were broken up into about five groups of ten each. They were each given a different problem. Now these problems dealt with things such as spam going into the e-mail of an organization, a USB drive being connected to a device that should not have been. Another one dealt with an administrator's password being exposed, things like that. What's the purpose of them? Why are they important?
STARKEY: Practice makes perfect and we like to present them with these kinds of incidents, and for them to think about how they might respond and mitigate incidents like this when they're practicing basically. It's the same reason we run fire drills in buildings. Let's get them in a setting where it's not for real. They can collaborate with their peers on these issues. They can learn from their peers. I heard some really good ideas across the table today, and I saw some eyes kind of widen like, "Oh, I hadn't thought about that," or, "I hadn't thought about contacting that person." This is an opportunity for them to learn from each other and to run through the exercise of how would I handle that and when would I contact my cabinet secretary or my superintendent of schools to alert them of these issues. It's just simply practices, not only the detection but the response and the recovery, to these kinds of incidents.
CHABROW: You've been introducing a certification program for information security officers. Tell us about that?
STARKEY: We're really excited about our new certification program. We call it DCISO, which stands for Delaware Certified Information Security Officer. We launched it three years ago in pilot form. It's somewhat modeled after other professional certifications, like PMP, where there's a certain minimum number of education standards and classes that they have to attend or meetings that they have to attend, or security best practices that they have to administer within their organization, and each one of those activities gives them credits, and they have to earn so many credits over a 24-month period. We piloted it for a year, we tweaked the program a little bit and then we launched it two years ago and last December we actually had our first graduating class of certified DCISOs. They were recognized by Governor Markell in his office in the spring.
It's just a new program that we're very excited about because to be an ISO today is very different than it was even five years ago. We're asking them to do a lot more. All of this requires continuing education and the threats are changing on a daily basis and it's a world that they have to keep pace with and it's not easy to keep pace. We want to give them kind of a professional bar to reach for through the DCISO and also give them a way to demonstrate to their management that they're taking this seriously and they're pursuing the education opportunities they need to do a good job as an ISO.
CHABROW: One of the things I found interesting in meeting several of the ISOs today is that being the information security officer for their agency is maybe just one of the jobs they have. Talking to other people in positions like yours in other states, that's not uncommon because we can't afford to hire the staff. How much of this program developed because there could be people in the ISO positions that came up through a different part of technology than just information security?
STARKEY: That's pretty much the cornerstone of it. If you look at the traditional ISO, that's exactly what happened, and in many cases they're learning as they go too. It's a way to encourage them to pursue the security field of IT and it complements their other IT skills very nicely. But you're exactly right. That's what makes being an ISO pretty difficult in a state government organization, and probably other places too, that security is not their only responsibility. In some cases, in small agencies especially, where there's one IT person, they're everything. Anything with a cord attached they're responsible for.
CHABROW: As you know, in some other states the IT security organization could be just the CISO.
CHABROW: I was surprised when I started covering this to find that there are very small organizations in some states. Will every ISO have to have a certification to keep their job?
STARKEY: Eventually. That's our long-term goal, yes. I think the way it's worded right now is there's at least one certified ISO in that organization.
Judging Program Success
CHABROW: Is there any way for you to judge the success of this program?
STARKEY: The success is going to come in the numbers. When we're looking at the number of certified ISOs, we had about five ISOs participate in the pilot and last year that number grew to 14. We have 14 certified ISOs. We have 18 executive branch agencies. I was pleased with that number. We have a ways to go to get every organization and every school district, but my goal is to see that the number of certifications grow from year to year.
Developing the Program
CHABROW: What's the biggest challenge of developing such a program?
STARKEY: Probably the same challenge that we deal with other issues. This is a group of people. This is a wonderful team that I get the chance to work with. None of them report directly to me. Management by influence I guess is the way you call it. I'm trying to cast a vision for them to grab a hold of without having any supervisory responsibilities for them at all. It's tricky; it's tricky. They will go back to work tomorrow and they'll have other things on their plate other than security to deal with.
CHABROW: Are there specific programs that the state developed for them to take in this course work, or are they on their own also to identify other programs to take advantage of that maybe you offer at the local colleges?
STARKEY: They're free to pursue other education options like those at local colleges or webinars online. Many of them take advantage of SANS training. Many of them also take advantage of training that we're able to secure and bring into the state. For example, next week we're running a CISSP boot camp and they'll receive DCISO credits for that. We've got 43 of them signed up for that. We try to offer as many state-sponsored training opportunities as we can, but they're free to pursue their own options as well.
CHABROW: Does the state reimburse them for their expenses?
STARKEY: Usually, yes.
CHABROW: Anything else you want to say about this topic?
STARKEY: There's one other thing. We're going down to Baltimore to receive the Cybersecurity Innovation Award from the SANS Institute. They've taken a look at the program and they like what they saw and they see it as a model for the rest of the nation. The team that developed the program, I'm very happy that they're going to be honored in Baltimore.