Consolidating IT as a Security Measure
Minnesota CISO Chris Buse Describes State's Strategy
Like other organizations in and out of government, the state of Minnesota is experiencing an increase in cyber-attacks, with databases of tax, healthcare and education records that contain the personally identifiable information of millions of citizens being targeted.
But the continuing consolidation of all 70-plus state agencies' enterprise systems and information security functions should make it easier for security personnel to protect those records, state CISO Chris Buse says in an interview with Information Security Media Group.
Enterprise systems and information security consolidation "helps us simplify our IT environment and actually manage the number of fronts that we need to battle on on a day-to-day basis," Buse says. "When we're coming from a world where we have 30 or 40 managed hosting environments, where we have to have monitoring and processes in place to oversee all of these individual environments, it certainly will be easier for us when we look at bigger teams with deeper benches that are actually watching over one or two major consolidated environments, collectively as a team."
Until recently, each of the state's agencies was responsible for its own IT and security. In some instances, agencies couldn't provide adequate data protection in a decentralized approach. With decentralization, Buse says, "the teams are so fragmented that it's very difficult to get the deep bench that you need to the level of sophistication and the level of the tools to oversee those environments."
In the interview, Buse:
- Explains the synergy between enterprise systems and security consolidation. Through consolidation, security specialists get an enterprisewide view rather than a narrow one focused on a specific agency. "When you looked at how small and fragmented some of those individual vulnerability management teams were within our agencies, if they had any at all, it was very difficult for them to understand what the results meant, how to put effective remediation in place. ... They never really had the big picture of government as a whole when you had really big issues that came on the radar screen, such as Heartbleed [vulnerability]."
- Describes steps his office is taking to assure agencies that had made significant investments in IT security that they won't be shortchanged by consolidation. The state added "some strategic headcount" to help agencies that previously didn't invest heavily in IT security so that existing resources to agencies that had good IT security programs wouldn't be compromised.
- Discusses how Minnesota state government is staffing up its centralized IT security team by recruiting outside experts and training incumbent IT staffers in security skills.
Buse also holds the title of state assistant commissioner for IT and oversees the design and implementation of the enterprise security network for the government. Before becoming Minnesota's CISO in June 2007, he served as manager of information technology audits for the state Office of Legislative Auditor. Buse, a certified public accountant who also holds a number of auditing and security certifications, serves on the board of directors of the Minnesota chapter of ISACA, where he once served as president.