Interview: CISO builds information security program from scratch - Information Security Magazine

How do you build an enterprise information security program from scratch? Most CISOs never have to find out, but that was the reality facing Bob Maley in 2005 when he became the first CISO of the commonwealth of Pennsylvania. His work in the last two years has saved the commonwealth more than $27 million. Maley talks about the challenges of putting together a comprehensive strategy and architecture for 80,000 users on a limited budget.

Bob Maley

What was the environment like when you took the CISO job?
I came into an environment that was very siloed. There was no program in place, aside from antivirus and patching. We have 47 agencies, and every one of them took a different view of security. They had policies that were four to five years old, so there were a lot of challenges. The agencies handled content filtering on their own and there was no assurance that it was being done. That's a problem on a network that sees 1 billion events a month. We had server builds that were different from agency to agency; no common desktop image either. So we put in network intrusion prevention, an identity and access management program and a security assessment framework. But you can't consolidate everything at once.

The government budget process moves slowly, and is done far in advance. How difficult does that make your planning?
The security landscape changes rapidly, but my timeframe isn't rapid. Everything we're doing now is set in stone, so you have to find a way to be agile. I've developed a relationship with the Multi-State ISAC, which is a significant resource for us. It's not just about incidents; it's about what other states are doing. We share information with our agencies. We found that information wasn't making it down to the individual security practitioners. So now we have a CISO roundtable, which is a monthly meeting that's highly technical.

Did you end up needing to do a lot of education with your users around security?
We did. We had this lack of ability to get training for the users. Now we bring in outsiders to do training for us. We've had folks from Cisco, Microsoft and ISS. And then we started a security awareness month in October as well. We have an enterprise-wide security awareness program online now, too, and all commonwealth employees have to take the training. We have an enterprise security portal with all of the information employees and citizens need.


Download the complete interview with Bob Maley at searchsecurity.com.

This was first published in November 2007