
September 2010


How the State of Florida Builds Information Security Expertise Despite Escalating Risk and Tight Budgets.

CHALLENGE

Training and education have always been a top priority for the State of Florida’s Office of Information Security (OIS) within the Agency for Enterprise Information Technology (AEIT). The OIS was established immediately following the events of 9/11. Its mission? To help the State’s executive branch agencies address cyber security issues and to ensure statewide compliance with Federal and State security standards. Even though legislation points the efforts of the OIS toward the executive branch of government, the courts, the Florida Legislature, cities, counties and municipalities are willing participants.

With technology evolving at what seems to be the speed of light, how does AEIT keep its information technology staff up-to-date on best security practices? And in light of budget cuts, how does AEIT maintain its expertise in protecting critical, proprietary information?

The Office’s five focus areas related to enterprise information security are:

• Policy
• Training
• Risk management
• Incident response
• Survivability

With training as an integral factor in the success of each focus area, the OIS laid out an aggressive and detailed training and education program for its information security staff. In fact, its training plan is mapped out in a comprehensive three-year matrix that illustrates how the State will leverage its workforce to meet federal, state and private information security standards. Helping state agencies comply with all requirements such as HIPAA, PCI, and those set forth by the U.S. Department of Homeland Security (DHS) is critical to the Office and AEIT’s success.


SOLUTION

Establish Goals

First, AEIT worked with the Information Security Manager community within state agencies to identify business requirements that need to be addressed, such as staff professional development goals.

“We determined which standards and certifications would best meet our needs and put together a program that would take us there,” said Mike Russo, CISSP, and Chief Information Security Officer (CISO) for the State of Florida.

The State began offering CISSP CBK Review Seminars to a select group of its professional staff in 2004. This year, it contracted with (ISC)²® to provide a CISSP Review Seminar and examination for 25 employees from many of the State’s executive agencies, as well as Legislative, Inspector General and Auditor General offices.

“If we had more domestic security grant funds, we would have doubled the number of participants,” said Russo. “It’s critical for all of our technologists, and those who fund, regulate and audit them, to understand what the latest best practices are, and why we do what we do.”

“One of the most valuable education programs the State has engaged in has been CISSP® CBK® Review Seminars and examinations,” said Russo. “We stress this certification because it requires our experienced managers to have a deep understanding of the latest, up-to-date information on the full spectrum of security-related developments and topics.”

“We are constantly on the watch for emerging areas that require staff training. In fact,” said Russo, “the State of Florida was one of the first to offer training for ethical hacking and incident response.”

Russo says that the State’s security education program focuses on national and international certifications because they provide a globally recognized, independent and objective demonstration of an individual’s level of competence. “We try to help staff attain credentials in many areas. It takes a well-rounded body of knowledge to function effectively.”

Finding Funding

Millions of dollars of federal security funds are available to every state through the DHS, but there is no uniformity in how states go about


distributing those funds. Ideally, Congress would mandate that some of the funds be allocated to information security, but with states cutting their budgets, such allocation is unlikely to happen without strong advocacy.

Florida is divided into seven domestic security regions, each chaired by state and local law enforcement officials. These regional committees look at potential terrorist activity and make recommendations on solving security threats. Each year, those recommendations are vetted, and decisions are made on how to spend millions of dollars that the State receives from DHS.

In addition to DHS money, CISOs can find funds for information security initiatives through grants from the U.S. Department of Health, Department of Labor and the Department of Education.

Make a Strong Business Case

The State of Florida is known to have one of the best domestic security initiatives in the nation, and one that supports cyber issues. That success is due in large part to the ability of CISOs to make a strong business case for their priorities. So, how does the Office of Information Security get heard over the din of voices clamoring for a piece of the funding pie?

According to Russo, much has to do with the way the State’s domestic security organization is structured. It gives the State Chief Information Officer, the head of AEIT, a seat at the decision-making table. “It’s up to information security leaders to make sure we use that forum to make a strong business case,” says Russo.

“As the State’s CISO, it’s my job to help all decision-makers realize the importance of investing in their agency security teams to develop effective information security,” said Russo.

Technology alone cannot protect sensitive information, and no amount of software will ever be as powerful as the people behind it, so training and education must be funded.

“So far,” said Russo, “we have been successful at establishing a consensus that our technology and education needs are very important factors.”

Russo advises CISOs in other states to find a way to bring awareness to the groups who determine how domestic security funds are spent.


“CISOs need to be excellent advocates for their technology and training needs,” said Russo. “One of the mistakes we make as technologists,” he says, “is that we don’t address the business needs. Business leaders make the decisions on where money is spent, and it is our responsibility to help them understand why information security is critical to their success – not in a techie way – but by making a strong business case for it.”

RESULTS

More Qualified People

“Our role is to protect information assets,” said Russo. “The (ISC)² Review Seminars help ensure that our people know how to do that. Earning and maintaining the credentials means that they not only have the required knowledge but that they are continually updating their knowledge in line with the constantly evolving threats and changes in the industry. In addition, membership in a professional certification body ensures they have made a commitment to high ethical standards. Everyone who attended the Review Seminar is more capable as a result of it,” he said. “The (ISC)² instructor was incredible. He was personable, and his experience and background provided insights and real-life examples that made all of the information understandable and memorable.”

In addition, the (ISC)² credentials are a part of the State’s career mapping process. By providing a path for employees to advance, Florida is better positioned to retain them as they grow more experienced.

“We associate certain credentials with job descriptions,” says Russo. “They help us identify candidates for new roles and responsibilities.”

Increased Level of Professionalism

“Credentials have a positive influence on our tightly knit community of information security managers,” said Russo. “Employees who have attained credentials are held to a higher standard by the organization and their peers, and they become evangelists, supporting others to move toward certification. Once credentialed, they have access to all the advantages and resources available to certified professionals, which benefits the entire agency.”

“We are very pleased with the results we have achieved from the CISSP Review Seminar,” said Russo. “We will continue to offer courses for (ISC)² credentials until the majority of the State’s information security professionals are certified.”


Federal Funding for Cyber Security: A “Crisis of Prioritization”

The security of state networks has serious implications for homeland security, as it affects both continuity of government and the operations of critical infrastructure. The states and federal government must collaborate in cyber security protection, recovery and restoration. Despite the serious and urgent situation, it is often difficult for state CIOs to secure federal funding for their cyber security efforts. Cyber security protection must compete for funding against more visible and politically appealing homeland security applications. NASCIO has been advocating before Congress for the establishment of a cyber security grant program dedicated to improving cyber prevention, protection, response, and recovery capabilities at both the state and local government levels. In view of budget constraints, NASCIO has also been advocating that, at minimum, DHS and FEMA should set aside funding for cyber security programs and projects, and that DHS give higher priority to a state cyber security grants program to assist states. The purpose of the grant program would be to demonstrate best practices, innovation and knowledge transfer regarding cyber security within State organizations. Funds would be used for supporting the enhancement of cyber security preparedness in the states by assisting them with network sensing, intrusion detection and security related operations equipment, expanding security awareness campaigns, assisting in restoration and recovery efforts in the event of a cyber attack, and providing technical training and certification for protecting programs administered by the states.
