Geoffrey Brown & Quiessence Phillips
Chief Information Security Officer & Deputy CISO (respectively)
New York City
What's your current position and how did you get there?
Brown: I am the chief information security officer for the City of New York and head of NYC Cyber Command, which was recently created by executive order to centralize the city's cyber efforts under one roof. I loved reading King Arthur books as a kid. In those books there is a notion of integrity, of right and wrong; and because of that I wanted to work professionally on these types of issues. This led me to the international security space where I researched peacekeeping operations, worked with the 9/11 Commission, and from there grew into this space called cyber, which people at the time were quite concerned would have pervasive negative security impacts because of how dependent we are on technologies today.
Phillips: I am currently the threat management lead (deputy CISO – threat management) for NYC's Cyber Command. In the last 10 years, I've worked heavily within the financial industry in various cyberdefense-based positions, ranging from security operations, incident response, leading a threat analysis center, and threat intelligence, to most recently leading a U.S.-based incident response team for a global financial firm.
What's your biggest ongoing project?
Brown: Executing the executive order across more than 100 agencies and offices here in New York City. The executive order is a very thoughtful two-page document. There's a provision for NYC Cyber Command to form and maintain relationships with public and private partners in this critical security domain. Ensuring that we as a city expand our relationship to partners and industry verticals is one of our top priorities. How do we take the problem of many in our city and make it an effort of one? This is the intent of the executive order. We need to create a center of gravity and turn the strength of all our separate efforts together towards a single objective of defending what we know is important to our city.
Phillips: Our biggest project at the moment is transforming the way we conduct security operations. This includes new policies, procedures, runbooks, automation, orchestration, metrics, evaluation of our effectiveness and efficiency, enhancing the skillset of our team, and changing the overall culture.
What's the best cybersecurity decision you ever made?
Brown: Coming to work for New York City of course! And not accepting the status quo way of doing things. The cybersecurity industry keeps spinning out models tied to buying new technologies, and we're still not beating the bad guys, and the threats are very serious. The whole enterprise, whether private sector or public sector, has to first decide to embrace defensive and responsive stances that really allow for how significant a cyber impact can be in a society where technology is completely entrenched in life. I think NYC's executive order is the best decision I've played a role in because it really signals the seriousness with which this city takes this issue of cybersecurity, and it paves the way for a more coordinated defense and response posture that will serve the city, its people and the information we protect.
Phillips: I don't think I can pinpoint one decision in particular. However, some of my best decisions have been around developing systems to easily allow defensive actions, such as detection and response, to be seamlessly rolled into prevention. Additionally, I'm a huge supporter of people and enabling them to be the best versions of themselves; so the decision to truly invest in our people is huge.
Chris Buse
Chief Information Security Officer
State of Minnesota
What's your current position and how did you get there?
I am an assistant commissioner and chief information security officer for the State of Minnesota. I joined Minnesota IT Services about 10 years ago after working about 20 years for the Minnesota Office of the Legislative Auditor, leading a technical IT audit team.
What's your biggest ongoing project?
We currently have a series of major projects underway, all driving toward the objectives in our IT Security Strategic Plan. From a big-picture perspective, all of these projects and our IT Security Strategic Plan are in place to help us implement our Enterprise Security Program vision for the State of Minnesota.
What's the best cybersecurity decision you ever made?
Developing our IT Security Strategic Plan. The 18 core strategies in this plan help leaders in the executive branch as well as policymakers understand where we need to go, and why. Along with charting a five-year vision, our plan outlines one-year tactical objectives: things that we can do to set the bar higher with the resources at our disposal. Our IT Security Strategic Plan is produced with extensive input from all state security professionals, and it helps us all sing from the same songbook. And arguably more important, the plan also bonds us together as a unified security community. Every year we update our plan, making sure that it is a core artifact that guides our enterprise-wide direction. In cybersecurity, if you do not have a very robust plan you will not advance strategically because everyday fires will consume your resources. A good plan not only charts your course for success, it also helps you say no to the constant barrage of fires that will prohibit an organization from achieving long-term strategic outcomes.
Agnes Kirk
Chief Information Security Officer
State of Washington
What's your current position and how did you get there?
I'm Washington state's chief information security officer. I've been in technology for most of my career. Early on in my career with the state, I was involved with creating our infrastructure for authentication and online transactions. I also brought in developers to create SecureAccess Washington, which provides self-administered single sign-on access to multiple agency applications. It was the first in the nation for a state government. Today it has more than 5 million active users. That was a real positive for citizens and business, allowing access to all kinds of things, from paying taxes to filing claims, using a single credential.
I became the state CISO in 2005, which included operational responsibilities for several centralized security services. My responsibilities gradually grew, and after a number of years, the Legislature and governor recognized that we needed some key things handled at the statewide level. Lawmakers broadened my role in 2015 by creating the state Office of Cyber Security. I lead the office, which provides strategic oversight for the state on cybersecurity in addition to protecting state networks. I report to the state CIO and advise the governor, elected officials and cabinet directors on strategy, policy and incident management. I have a team that handles incident response, conducts security assessments for agencies, helps train IT security staff, and mitigates problems. We also have a team that manages the state Security Operations Center, which monitors the state's networks in near real time. In addition, we have security architects who conduct design reviews of applications and systems. Any system or service an agency wants to launch or relaunch, we review to ensure it complies with the state's security architecture and has appropriate security controls in place before it is launched.
What's your biggest ongoing project?
Working collaboratively with the public and private sector to address the severe shortage of cybersecurity professionals in Washington state and nationally. According to information compiled by the National Initiative for Cybersecurity Education, there are nearly 350,000 cyber job openings in the U.S. currently, including more than 6,500 in Washington state. It can take a company several months to fill an open position because there are more cybersecurity jobs than there are qualified people to fill them. We are exploring different ways to enable people interested in pursuing cyber careers to gain the knowledge and experience they need to fill these jobs. This includes traditional education programs, certificate programs and advanced programs. We're also partnering with the private sector to boost the pipeline of people entering the workforce with financial support. US Bank, for example, recently awarded several cybersecurity scholarships to students enrolled in the Whatcom Community College cybersecurity program and in the University of Washington cybersecurity program.
What's the best cybersecurity decision you ever made?
Two things come to mind. The first is the establishment of the state Security Operations Center and Statewide Cyber Incident Response team within the OCS. The ability to have centralized, statewide visibility and response for state networks plays a critical role in protecting citizen and business data.
The second is that some of the best decisions I have made have been hiring a great team. Every time I hire a great person for my team it is a key decision. Because the best decisions in cybersecurity are ones that help you create a team of cyber professionals who not only have excellent technical chops but also want to be part of a common cause bigger than any one of us and bigger than all of us: protecting citizen and business data from the bad guys. Easy to say, incredibly difficult to do, and it can't be done alone.
Shannon Lawson
Chief Information Security Officer
State of Alaska
What's your current position and how did you get there?
I am the inaugural chief information security officer for the State of Alaska. I previously worked for the Navy's Space and Naval Warfare Systems Command (SPAWAR) out of San Diego as the director of cybersecurity for the CIO. I felt like I had gone as far as I could with SPAWAR and was looking for the next big step in leadership and responsibility. The CISO role was the logical next step for my career. When I saw the job announcement to work in Alaska, I jumped at the chance to work for such a unique state at the executive level in cybersecurity. The staff, the mission, and the management team were all a great fit. While there is a ton of work to be done, I am very excited to have joined this team.
What's your biggest ongoing project?
My focus now is getting my 100-day plan and its follow-on one-year plan off the ground. My primary goal is to understand the enterprise environment, baseline its security posture, and begin remediating vulnerabilities and closing gaps. There are lots of items that demand my attention, but without baselining what the state has and knowing where the largest vulnerabilities lie, it is near impossible to ascertain risk. Therefore, addressing these other items that demand attention may not be the best course of action for the state's security posture.
What's the best cybersecurity decision you ever made?
The best cybersecurity decision I made is the decision that improves my organization's cybersecurity posture. I have been involved with several high-profile incidents such as Heartbleed and WannaCry. While we successfully navigated these incidents, preparing the organization to either respond to the events or report to senior executives that we were patched was a much better indication of proper planning, decision making, and execution of the established cybersecurity initiatives. Also, successfully passing the Navy's Cybersecurity Inspections (CSI) with considerably high scores was a badge of honor for all involved.