Teaching IT Security PracticesOhio's In-House Approach to Serving State Agencies
Right now the primary offerings the state provides agencies are vulnerability assessments at the network and endpoint level, as well as the application level. The services are provided for free, and the goal is that vulnerability assessment scans start occurring on a regular basis, Shaw says. "Our hope is really that we can educate agency staff so that they can do these scans on their own," he says in an interview with GovInfoSecurity.com's Eric Chabrow (transcript below).
One of the roles for Ohio's IT security department is to educate and raise awareness around information security. Recently they've bought into a collaborative agreement with the MS-ISAC and SANS to provide training to a number of enterprise resources.
Moving IT services in-house is a cost savings move, but the challenge it seems is keeping qualified staff on-board. A plus to having IT security staffers within government is that they are familiar with how state government works. "An outside entity that doesn't have that knowledge, they really can only work through the assessment to a certain point," Shaw says.
In the interview, Shaw also:
- Explains the various services the centralized IT security organization offers state agencies;
- Discusses the IT consolidation of Ohio state government systems, and its impact on information security;
- Weighs the benefits of having government employees making assessments vs. those furnished by outside contractors.
Shaw, in an interview posted last March, discussed how Ohio government standardized IT security across agencies (see How Ohio Decided on NIST Framework).
Before becoming Ohio's second CISO, Shaw served as state deputy CISO. He began his government career in Ohio at the Department of Education, where he served as information security officer, assistant director of information policy and management, data manager, data center coordinator, professional conduct consultant and investigator.
Ohio's IT SecurityERIC CHABROW: Before we get into the new roles your IT security organization is performing, please take a few moments to tell us about IT and IT security governance and about IT consolidation in Ohio government.
DAVID SHAW: Ohio, like most other states, is looking heavily at consolidating our IT infrastructure. A big driver behind that is obviously the cost savings that we hope to achieve by consolidation. As far as information security goes, Ohio is fairly new in their enterprise outlook on information security, and with the consolidation moving forward at a good pace, we are also moving forward with our enterprise outlook on information security, which includes consolidating some of the services at the enterprise level as opposed to continuing to do those at the individual agency level.
CHABROW: How new is the IT security office in the state of Ohio?
SHAW: Ohio had its first chief information security officer in 2008, my predecessor Kim Trapani. I'm only the second information security officer at the enterprise level. Prior to that, information security was really handled only at the agency level. We had a chief privacy officer prior to having a chief information security officer. He did a lot of work in setting up the structure for an enterprise outlook on information security. It was 2008 when Kim Trapani was the first enterprise chief information security officer we had.
CHABROW: And what motivated the state to have a centralized enterprise CISO?
SHAW: I think there were a number of things. We obviously realized that there was a need to have some enterprise voice. Even before we had an actual CISO position we had organized some smaller work groups like a data protection sub-committee that was focusing on the issues of protecting sensitive information. Most people know we had a significant data incident back in 2006. A back-up tape was stolen causing a significant amount of sensitive information to be exposed. That was certainly one catalyst for the position.
CHABROW: Do other major agencies also have CISOs? If so, what is your relationship with them?
SHAW: There are several agencies that do have a chief information security officer or somebody in a similar role. All agencies for some time now have had a person that we call a security point of contact. They may not have primary responsibility for the agency's information security, but they are at least a contact from the enterprise level that we can reach out to if we have issues, like we want to notify them of vulnerabilities that are currently in play or issues that may effect the enterprise or the enterprise network. But not all agencies currently have a full-time information security officer. And honestly, some of them are small enough that they may not be able to validate having one on a full-time basis, so especially those are big consumers of our enterprise service offerings.
Enterprise Security OfferingsCHABROW: Let's talk about those enterprise offerings. What kinds of services are you offering and why are they being offered now?
SHAW: In the information security area there are a couple of services that we are really focusing on and it's really about threat and vulnerability management. Our primary offerings are vulnerability assessments at the network and endpoint level, as well as vulnerability assessments on the application level. We provide those services free to all agencies. Initially we'll start working with agencies to try to get them to understand the benefit that they can get from doing regular vulnerability assessments. Most of the agencies have been doing vulnerability assessments at least on an ad-hoc basis for some time, especially in the applications space. Most of them haven't been doing application vulnerability scanning on a regular basis at all, and a lot of the driver behind that is a lack of tools and even a lack of, in some cases, expertise to interpret the results, which is where we come in. A couple of years ago the agency invested into IBM's apps scan. We've been able to utilize that, and I have a couple of resources on my team that are able to work with agencies and perform scanning for them and even deploy it in a way that they can perform scans on their own through a web-based tool.
CHABROW: For those not familiar with the IBM app scan, can you tell us a little bit about that?
SHAW: The IBM app scan tool is really an application vulnerability scanner. It looks at the application and tries to determine issues with coding or configurations that may present vulnerabilities. A lot of the vulnerabilities typically revolve around things like cross-site scripting or sequel injections, things of that nature.
CHABROW: What does this mean for your staffing?
SHAW: It's really about getting the agencies aware that we have these service offerings and helping them understand the benefits of running these scans on a regular basis. Our staffing right now is able to handle the load because of the fairly new service offering. As we continue to expand our services out to the agencies, of course we're probably going to have to add staff, but our hope is really that we can educate agency staff so that they can do these scans on their own. It's really not the desired effect for us to go in on an ad-hoc basis. It's really the desire to have them doing this on a regular and repeated basis, especially with the application scanning in their software development lifecycle. After developing applications, they should be running these scans as they're putting out any new modular or any new code.
Voluntary ApproachCHABROW: Listening to you, it seems as if this is all voluntary for the agencies. Is that the proper approach?
SHAW: I think for now it has to be voluntarily. Certainly I think you see standards like the consensus audit guidelines, which strongly encourage repeated and regular scanning. I think it is considered a best practice. We would like to see all agencies pick that up, but I don't know that making a mandate around regular vulnerability scanning is going to get the desired effect. There is an awful lot of overhead when you start doing these scans. If the agency doesn't have the skill set and their staff doesn't have the skill set to interpret the results, then the scanning isn't nearly as beneficial.
CHABROW: And how can you get those skill sets?
SHAW: It takes somebody who has a background in application development, especially around the application scanning for the network and end-point scanning, certainly someone with confidences in networking and end points. Really the only way to get that is through experience and training. There are certainly some programs out there to help educate staff, but a lot of it is they have to do this on a regular basis with somebody who understands how to interpret the results and really get a feel for how to work through these scans.
CHABROW: Is it the responsibility of each agency to get that kind of experience on their own, or is there a role for your office to provide that?
SHAW: One of the roles in our office still is education and awareness around information security. We try and determine what the need may be, and if this is a significant need for the enterprise then certainly we would look to try and establish either courses or procured courses through organizations like SANS or other organizations, bringing those in-house so that we can build that confidence in the enterprise.
CHABROW: Are you at the point now where you are doing that or not?
SHAW: We are really right now focusing on general education and awareness training. We've just recently started doing some more focused, technical training, and we recently bought into the collaborative agreement with the MS-ISAC and SANS to provide training to a number of enterprise resources. We haven't gotten to the point where we've gotten a specific inventory of the skills that are needed throughout the enterprise to really target enterprise purchasing.
CHABROW: What I'm hearing from you sounds like things I hear from other states. There is just so much out there that needs to be done. In a way you need to pick and choose what could be done most efficiently now. Does that put a lot of stress on you?
SHAW: Certainly. It's a big job. There is no two ways about that. Securing enterprise isn't something that is done overnight. It's one way to look at it from an individual agency aspect and even to follow it up to an enterprise aspect. When you have a scenario like many states have, where you're kind of in that mix between some agencies are still very autonomous and many agencies are starting to come into the fold with the consolidation efforts, it almost makes it a scenario where you have to have two plans.
CHABROW: Are there other services that you are offering agencies?
SHAW: Well right now, those are the two main services. We also offer them penetration testing, the same resources that provide our vulnerability assessments have done some penetration testing for some of the smaller agencies. This is another area where in the past we've always looked outside. We've hired in resources in the past to do penetration tests, but it was typically only done on an annual basis. By doing it in-house, we think we provide a little different perspective in that it is done by state employees and we can do it on a more regular basis more cost effectively.
Moving IT Security In-HouseCHABROW: You are not the only state CISO that has told me that they've moved things from contractors to in-house. Is there a cost savings moving it in-house or is it something where these people better know the systems they are dealing with?
SHAW: I think there can be a cost savings if you have the staff and can retain the staff that has the skill sets necessary. That is all too often the situation that I think governments run into, even federal government runs into, being able to attract and retain the staff that has the skill sets necessary to perform these kinds of tests. It's a very wide-open field right now and the public sector is clamoring to bring in resources anywhere they can and they are paying big premiums to do that. As long as we have the staff to be able to perform these, yes definitely there is a cost savings. There is also that benefit of having people who may be more familiar with the inner-operations of state government, which is in some ways a little bit of a cheat because we know some of the inner-workings of the environment. We try not to use that during the penetration testing. It does present an advantage because they do have that knowledge. They can start to take things to the next level, where as an outside entity that doesn't have that knowledge they really can only work through the assessment to a certain point. And then once they get to that point they don't typically know that by getting to this location you may be able to branch off to something else.
CHABROW: You are hiring IT security experts. How difficult is it to find people in this competitive marketplace where we hear there just aren't enough of those kinds of people out there?
SHAW: Well right now it is very difficult. I've been lucky in that the resources I have working for me were already with the state. Most recently the one resource that we brought on in the last month came from another agency as their chief information security officer and he now serves as our deputy chief information security officer. I have had some positions that I've posted and it is difficult because of just the need that is out there. It's difficult to attract them. It's difficult to pay them the premiums that are getting paid in the private sector. We all struggle with that.
CHABROW: Are you also finding when you look at contractors that they too don't necessarily have the skills on-board?
SHAW: You know we have seen that to some degree. Certainly we do everything that we can to help contractors when we have a need, but there have been cases where agencies have come to us and asked us to come over and look at results that they have received from outside contractors, and we haven't been real pleased with some of the results. But I wouldn't say that's a systemic issue. It's really kind of at ad-hoc. I mean some of them are good and some of them aren't.
Weighing Skill SetsCHABROW: I'm listening to the tone of our conversation and what you are saying, and although there seems to be many challenges, it sounds like you are somewhat optimistic that you will be able to achieve what you are setting out to do.
SHAW: Oh I'm very optimistic and I think part of that is driven by the fact that I think I have a wonderful team here, a very diverse skill set. We've tried not to duplicate too much of our skill set, but still have enough overlap and coverage that we can provide a good coverage to the agencies that are going to need our assistance as we go forward. But yeah, I would say I'm very optimistic.
CHABROW: How big is your team?
SHAW: Right now I have a team of ten. Really three of those individuals or four of those individuals focus primarily on the assessments that we do. Another couple of individuals focus primarily on education and awareness policy deployment, and then I have a small group that really provides just security operations for our state's enterprise resource planning system, our OAKS system (Ohio Administration Knowledge System).
CHABROW: How do you know what you are doing is successful? Are there metrics that you use?
SHAW: We are really just starting to dive into the development of metrics to start developing those for the enterprise and for the individual agencies. One of the things called out in the statute that creates the state's chief information security officer position is a requirement for agencies to develop an information security strategic plan. We are really starting to focus in on that this year, and trying to develop a template that will allow agencies to report to us on a regular basis both their control implementation as well as issues that they're seeing in their environments, in a way that we can roll that up to an enterprise view. We're also trying to take a look at the scans that we are doing for the individual agencies, ways that we can roll those metrics up to be a representative sample per say for the enterprise, but of course to develop really good metrics, we're going to have to get a lot more coverage than we have right now.
CHABROW: Well it sounds like you are well under way with limited resources to do what you've been hired to do, help protect Ohio's government IT.
SHAW: Well we like to think so.