
How Colorado's CISO is revamping the state's information security -- on a $6,000 budget

Joan Goodchild | Feb. 22, 2013
Before Jonathan Trull took over as Chief Information Security Officer for the state of Colorado in 2012, he had already been working in the Colorado Office of the State Auditor for a decade.

Honestly, part of this is going to be a return on investment for eliminating products no longer being used or focusing on new ones we are going to actually put to use.

What specific goals are you bringing before lawmakers to make the case for getting that budget figure you mentioned earlier?

We're tying all of this to a three-year initiative that I am calling "Secure Colorado." The focus is on the SANS critical security controls in terms of our operational security posture. As I said before, we're focusing on the first five within 12 months, and, over the next three years, we will deploy the rest of the 20.

Other goals include using our existing vendors as partners to help us get this done. One of the things we saw in the past is a lot of activity during the time of renewal--and then everyone disappears until it's time for renewal again. We just can't tolerate that anymore. We are really trying to build into our contracts that you are partnering in our success and we are going to make it contingent on that. In other words, you only get a portion of this and the rest is hinging on successful deployment of this product.

We are also working on building the next generation of security workforce. We just started a cybersecurity internship program. Our first two cybersecurity interns started in January. College students. We are working with the different universities on that.

Those are the big areas. The successful implementation of the controls, the public and private relationships and building the workforce.

The data itself is proving quite useful in making our case, too. The number we get, in terms of our network, is it's getting hit 600,00 times per day by some kind of malicious event. Whether it's scanning, viruses or malware, we can show the escalation in that as well. When you couple that with the stagnation of the funding and resources to the security program, I'm hoping funding will prove to be a no-brainer.

If so, what will be solid progress in a year? What will be some of the benchmarks you point to as proof of success when you need to go back and make the case for funding again?

We have a few benchmarks we set up that we will track closely. I wanted to put those in place before we even started because I knew we would be accountable.

We put together a scorecard, a security-metrics scorecard. It includes tracking the percentage of our systems that are under management. The way we define that is basically the number of systems whose current risk and security status I can view and observe from a central location within a 48-hour period.
