Doomed by Design: Unearthing the Problems with Government Security Programs
Christopher Buse, Assistant Commissioner & State CISO
INFORMATION TECHNOLOGY FOR MINNESOTA GOVERNMENT
June 12, 2014
Security significantly underfunded
Diverse security posture between states
Underlying data soft and sometimes unavailable
Fragmented governance
14% of CISOs believe that they have executive support
24% of CISOs are confident in protecting state assets
86% of CISOs cite funding as their key barrier
680% increase in significant threats over the past 5 years
Most States Only Spend Between 1-2% of the IT Budget on Security
46% of CISOs have a documented strategy
30% of CISOs plan to develop a written strategy
82% of CISOs are responsible for measurement and reporting
8% of CISOs are attempting to measure program effectiveness
Good news: the enterprise CISO position is now firmly entrenched in most states
Bad news: the enterprise CISO position is often one of coordinating cross-agency resources
Limited ability to drive actions across organizational boundaries
Security spend outside the control of the CISO
Is Your State Security Program Doomed by Design?
Executive support
Freedom to act
Resources
Comprehensive plan
It's Not Just Retail ...
One of over 2,000 negative headlines on the recent South Carolina breach
Headline: "Hackers gain access to 780,000 individual health records"
What About Us?
Minnesota: a microcosm of the national scene
Strong executive support
Strategic and tactical plans
Security spend is insufficient
2010 legislative study: State of Minnesota spend is 2% of state budget vs. industry standard investment of 5%
Overall reduction in security spend in FY13
Silos of agency-based IT
Restricted our ability to leverage economies of scale
Hampered our ability to implement enterprise security strategies
IT Security Consolidation Plan
Published in April 2014
Describes the desired end state, yet recognizes that reaching that end state will take a long-term commitment and that we need to use our existing resources better
Outlines a shift in the service delivery model
Establishes centrally delivered services
Creates line of business security teams
Details the breakdown of work between central and line of business teams
Focuses on a subset of services to address first
The Basic Concept: Consolidated Services
Those services deemed to be enterprise services will be delivered by a centralized security team
We will reorganize security resources into a single management structure that creates consistency and aligns resources
(Diagram: Enterprise Services Delivered to All; Information Security program management)
The Basic Concept: Close-to-Business Services
Even if we consolidate the common security services, we still don't have the resources for each agency-based office to manage close-to-the-business security services
Our plan is to cluster security teams into "lines of business" to provide close-to-the-business services to groups of agencies with similar business/security requirements ... sharing resources, but keeping the specialization where it needs to be
(Diagram: Cluster 1 through Cluster 6)
The Basic Concept: Effective Allocation of Resources
(Diagram: Enterprise Services Delivered to All, Information Security program management; Close-to-the-business services for Cluster 1 through Cluster 6)
Staff will be assigned to a cluster or to the enterprise services based on their current work and expertise.
Realigning Work
Services: Physical Security; Endpoint Defense; Boundary Defense; Continuous Vulnerability Management; Information Security Monitoring; Information Security Incident Response and Forensics; Secure System Engineering; Information Security Training and Awareness; Information Security Program Management; Identity and Access Management; Information Security Risk and Compliance; Business Continuity and Disaster Recovery
Close-to-the-business services focus on implementation at the business and application level
Enterprise delivers common functions and tools to all
Single management conserves resources and drives consistency
Proposed lines of business (agency clusters), as extracted from the slide table:
Health: Health BDs (17), Health, Human Services, Ombudsman MH/DD, Veterans Affairs, MNsure, Ombudsman Families
Safety: Corrections, Public Safety, Transportation, POST BD, Private Detectives BD, Sentencing Guidelines, Racing CM
Environment: Agriculture, Animal Health BD, Natural Resources, Conservation Corps, Pollution Control, BWSR, MN Zoo
General Government: Administration, Campaign Finance, Capital Area Architect BD, Investment BD, MN.IT, MMB, Mediation Services
Economy: Commerce, Commerce BDs (3), AURI, Amateur Sports CM, Combative Sports CM, Explore MN, DEED
Education: Education, Arts BD, Center for Arts Education, High Ed Facilities Authority, MN State Academies, Office of Higher Education, Targeted Councils (5)
Also listed on the slide, cluster assignment not recoverable from the extraction: Uniform Laws CM, Administrative Hearings, Labor & Industry, Workers Comp Court, Governor, Public Utilities CM, Gambling Control, Human Rights, Revenue
A Look Ahead: Industry Trends
Does Your Organization Have a Central Security Team?
Does Your Organization Have Local Security Groups?
Conclusion: MN.IT's Proposed Model Aligns Well With National Trends
Proposed organization (as extracted from the org chart slide):
Assistant Commissioner & CISO, Information Standards and Risk Management
Assistant Commissioner, Service Delivery
Enterprise Architect
Information Security Oversight Director
Client Computing & Customer Support Director
Infrastructure as a Service Director
Enterprise security functions: Secure Systems Engineering; Governance, Risk, & Compliance; Endpoint Defense; Border Defense; Business Continuity; Vulnerability Management; Identity and Access Management; Physical Security; Information Security Incident Response Team
Line of business teams: Health LOB Service Delivery Team; Safety LOB Service Delivery Team; Environment LOB Service Delivery Team; General Govt LOB Service Delivery Team; Economic LOB Service Delivery Team; Education LOB Service Delivery Team
Detailed Service Deliverable: future level of effort (Central Team / LOB Team) and service delivery method
Information Security Program Management: Significant / Minimal; Primarily Centralized
Information Security Monitoring: Significant / Minimal; Primarily Centralized
Information Security Incident Response and Forensics: Significant / Minimal; Primarily Centralized
Continuous Vulnerability Management: Significant / Minimal; Primarily Centralized
Boundary Defense: Significant / Minimal; Primarily Centralized
Endpoint Defense: Significant / Minimal; Primarily Centralized
Secure Systems Engineering: Significant / Moderate; Central Direction / Hybrid Delivery
Information Security Training and Awareness: Significant / not shown; Central Direction / Hybrid Delivery
Business Continuity: Significant / not shown; Central Direction / Hybrid Delivery
Information Security Risk and Compliance: Significant / Moderate; Central Direction / Hybrid Delivery
Identity and Access Management: Significant / not shown; Central Direction / Hybrid Delivery
Physical Security: Significant / Moderate; Central Direction / Hybrid Delivery
Priority Services
Selected through planning team consensus
Represent highest payback from a risk perspective
Plan focuses on rollout of priority services first
Plan does not include all service delivery details
Secure Systems Engineering
Continuous Vulnerability Management
Information Security Program Management
Boundary Defense
Information Security Monitoring
IT Security Consolidation: Value Proposition
MN.IT can provide a full suite of security services to all customers
Cost to the customer far less than ramping up alone
Better service, as expertise is shared
More agile service: getting the experts when and where they need to be
More job opportunities and specialization skills for employees
Will it be perfect? Priorities will still have to be set, but they will be set at an enterprise level
No agency can "opt out" of security
Beneficiaries
Customers: existing resources used as efficiently and effectively as possible; consistent security practices; metrics to understand security posture
MN.IT Services: more specialization and deeper bench strength; clear priorities for the enterprise; reduction in single points of failure; more career opportunities for staff; better understanding of our risk posture
Final Thoughts
Auditing applications is easy and safe
Policymakers may be better served by an assessment of your state security program foundation: executive support, freedom to act, funding, comprehensive plans