
Q: How secure are the state’s computer networks?
A: We’re actually in a lot better shape than I anticipated when I came into the organization 11 months ago.
Right now, every department or agency is responsible for its own security. Every department and agency has its own chief information officer. So each one of them has stepped up and begun integrating information-security policies into their own organizations. They report directly to the executive director of that agency. We’re never perfect. Things could be better.
Q: Why is information security important at the state level?
A: Information security is about protecting the information-technology assets of an organization, both from internal and external threats. And there are a lot of them, from the desktop, the applications that run on the desktop, the network itself, to the devices within the network: routers, switches, servers.
We have several data centers in the state where aggregate processing is done. So protecting those with security devices like firewalls, which block access, and intrusion-detection systems is all part of information security.
Q: Do other states have chief information-security officers?
A: I’m actually part of a national group of state chief information-security officers. All states have an information-security person, but they don’t always call them chief information-security officers.
Where they fit within the organization is more important than what they call themselves. I and the chief information-security officer in New York are the only CISOs who work out of the governor’s office. I report to the governor’s chief of staff.
Q: How does one get into the information-security business?
A: I’ve been in the information-security business since the early 1990s. I’ve been in the technology business my whole life. I joined the Navy right out of high school and started working with computers in 1976. I did my graduate thesis on an information-security issue.
When I left the Navy, I was the information-security operations officer at the Fleet Information Warfare Center in Norfolk, Va. I was responsible for all of the computer-network defense operations for the Navy.
I retired from the Navy, and then I went to work for Raytheon. I did some consulting, then I went back to Raytheon after they brought me out here to Colorado in 2004 to work on a program for the missile-defense agency in Colorado Springs.
Q: What are some of the biggest changes you’ve seen in information technology and security?
A: Ten years ago, my job didn’t exist. Nobody needed an information-security officer. In the late 1980s, we had hackers that weren’t really bad guys doing bad things; they were just intellectually curious. They would take programs and code, dissect it to try to see how it worked.
In the last two to three years, we’ve transitioned to an area where the bad guys are really bad guys. They no longer want to take your computer down. They want to keep your computer systems up and compromise them so they can keep operating, so they can keep siphoning off your information. In the information-security business, that has been the biggest transition.
Q: What’s the biggest challenge for the state in terms of information security?
A: Well, the biggest challenge I have is to create standards and consistent policies for the state of Colorado. There are three components to security: technology, policy and people. The biggest problem with information security is that you could have the best policies in place, but if people are not following the policy, or circumventing the technology … you can’t have security without all three legs of that stool.
The thing that worries me the most right now are things like identity theft because you’re dependent on people to do the right things. You have to be aware that information security is just a bigger part of your job now than anything else.
My biggest concern is losing public confidence because of the data the state holds.
Q: What do you do when you’re not worrying about information-security policy?
A: I’m a private pilot, so I like to fly. I like to fly-fish. I do this (job) almost 24 hours a day. I can’t turn it off. I churn and think about it.
Q: What’s your favorite website?
A: I look at the SANS Internet Storm Center (isc.sans.org) every morning. They’re monitoring (cyber) events across the world. I also look at Security Focus (www.securityfocus.com).
Edited for length and clarity from an interview by staff writer Kimberly S. Johnson.



