How do you build an enterprise information security program from scratch? Most CISOs never have to find out, but that was the reality facing Bob Maley in 2005 when he became the first CISO of the Commonwealth of Pennsylvania. His work in the last two years has saved the commonwealth more than $27 million. Maley talks about the challenges of putting together a comprehensive strategy and architecture for 80,000 users on a limited budget.
What was the environment like when you took the CISO job?
I came into an environment that was very siloed. There was no program in place, aside from antivirus and patching. We have 47 agencies, and every one of them took a different view of security. They had policies that were four to five years old, so there were a lot of challenges. The agencies handled content filtering on their own and there was no assurance that it was being done. That's a problem on a network that sees 1 billion events a month. We had server builds that were different from agency to agency; no common desktop image either. So we put in network intrusion prevention, an identity and access management program and a security assessment framework. But you can't consolidate everything at once.
The government budget process moves slowly, and is done far in advance. How difficult does that make your planning?
The security landscape changes rapidly, but my timeframe isn't rapid. Everything we're doing now is set in stone, so you have to find a way to be agile. I've developed a relationship with the Multi-State ISAC, which is a significant resource for us. It's not just about incidents; it's about what other states are doing. We share information with our agencies. We found that information wasn't making it down to the individual security practitioners. So now we have a CISO roundtable, which is a monthly meeting that's highly technical.
Did you end up needing to do a lot of education with your users around security?
We did. We had this lack of ability to get training for the users. Now we bring in outsiders to do training for us. We've had folks from Cisco, Microsoft and ISS. And then we started a security awareness month in October as well. We have an enterprise-wide security awareness program online now, too, and all commonwealth employees have to take the training. We have an enterprise security portal with all of the information employees and citizens need.
Download the complete interview with Bob Maley at searchsecurity.com.