How do you build an enterprise information security program from scratch? Most CISOs never have to find out, but that was the reality facing Bob Maley in 2005 when he became the first CISO of the commonwealth of Pennsylvania. His work in the last two years has saved the commonwealth more than $27 million. Maley talks about the challenges of putting together a comprehensive strategy and architecture for 80,000 users on a limited budget.
What was the environment like when you took the CISO job?
The government budget process moves slowly, and is done far in advance.
How difficult does that make your planning?
The security landscape changes rapidly, but my timeframe isn't rapid. Everything we're doing now is set in stone, so you have to find a way to be agile. I've developed a relationship with the Multi-State ISAC, which is a significant resource for us. It's not just about incidents; it's about what other states are doing. We share information with our agencies. We found that information wasn't making it down to the individual security practitioners. So now we have a CISO roundtable, which is a monthly meeting that's highly technical.
Did you end up needing to do a lot of education with your users around security?
This was first published in November 2007