
Page 1: Doomed by Design: Unearthing the Problems with Government Security Programs

INFORMATION TECHNOLOGY FOR MINNESOTA GOVERNMENT

Christopher Buse, Assistant Commissioner & State CISO

June 12, 2014

Page 2: Agenda

• State of the States
• Minnesota Plan
• Q&A

Page 3: The State of the States

Page 4: A National Lens

Security significantly underfunded

Diverse security posture between states

Underlying data soft and sometimes unavailable

Fragmented governance

Page 5: By The Numbers

14% of CISOs believe that they have executive support

24% of CISOs are confident in protecting state assets

86% of CISOs cite funding as their key barrier

680% increase in significant threats over the past 5 years

Page 6: State of IT Security: % of budget spent

[Bar chart: Government Spending vs. Private Sector Spending, vertical axis 0 to 6 (% of IT budget spent on security).]

Most States Only Spend Between 1-2% of the IT Budget on Security

Page 7: Program Strategy

46% of CISOs have a documented strategy

30% of CISOs plan to develop a written strategy

82% of CISOs are responsible for measurement and reporting

8% of CISOs are attempting to measure program effectiveness

Page 8: Authority

Good news: The enterprise CISO position is now firmly entrenched in most states

Bad news: The enterprise CISO position is often one of coordinating cross-agency resources
  Limited ability to drive actions across organizational boundaries
  Security spend outside the control of the CISO

Page 9: Is Your State Security Program Doomed by Design?

Pillars of Success: Executive Support; Freedom To Act; Resources; Comprehensive Plan

Page 10: It’s Not Just Retail …

Headline: “Hackers gain access to 780,000 individual health records”

One of over 2,000 negative headlines on the recent South Carolina breach

Page 11: The Minnesota IT Consolidation Plan

Page 12: What About Us?

Minnesota: a microcosm of the national scene
  Strong executive support
  Strategic and tactical plans
  Security spend is insufficient
    2010 legislative study: State of Minnesota spend is 2% of state budget vs. industry standard investment of 5%
    Overall reduction in security spend in FY13
  Silos of agency-based IT
    Restricted our ability to leverage economies of scale
    Hampered our ability to implement enterprise security strategies

Page 13: IT Security Consolidation Plan

Published in April 2014

Describes the desired end state, yet recognizes that:
  Reaching that end state will take a long-term commitment
  We need to use our existing resources better

Outlines a shift in the service delivery model:
  Establishes centrally delivered services
  Creates line of business security teams
  Details the breakdown of work between central and line of business teams

Focuses on a subset of services to address first

Page 14: The Basic Concept: Consolidated Services

Those services deemed to be enterprise services will be delivered by a centralized security team

We will reorganize security resources into a single management structure that creates consistency and aligns resources

[Diagram: “Enterprise Services Delivered to All”: Information Security program management]

Page 15: The Basic Concept: Close-to-Business Services

Close-to-Business Security

Even if we consolidate the common security services, we still don’t have the resources for each agency-based office to manage close-to-the-business security services

[Diagram: Cluster 1 through Cluster 6]

Our plan is to cluster security teams into “lines of business” to provide close-to-the-business services to groups of agencies with similar business/security requirements … sharing resources, but keeping the specialization where it needs to be

Page 16: The Basic Concept: Effective allocation of resources

[Diagram: “Enterprise Services Delivered to All” (Information Security program management) spanning Cluster 1 through Cluster 6, each cluster delivering close-to-the-business services]

Staff will be assigned to a cluster or to the enterprise services based on their current work and expertise.

Page 17: Realigning Work

Service areas:
  Physical Security
  Endpoint Defense
  Boundary Defense
  Continuous Vulnerability Management
  Information Security Monitoring
  Information Security Incident Response and Forensics
  Secure System Engineering
  Information Security Training and Awareness
  Information Security Program Management
  Identity and Access Management
  Information Security Risk and Compliance
  Business Continuity and Disaster Recovery

Close-to-the-business services focus on implementation at the business and application level

Enterprise delivers common functions and tools to all

Single management conserves resources and drives consistency

Page 18: Lines of Business

Health (23): Health BDs (17), Health, Human Services, Ombudsman MH/DD, Veterans Affairs, MNsure, Ombudsman Families

Safety (10): Corrections, Public Safety, Transportation, POST BD, Private Detectives BD, Sentencing Guidelines, Racing CM, Uniform Laws CM, Workers Comp Court, Gambling Control

Environment (7): Agriculture, Animal Health BD, Natural Resources, Conservation Corps, Pollution Control, BWSR, MN Zoo

General Government (10): Administration, Campaign Finance, Capital Area Architect BD, Investment BD, MN.IT, MMB, Mediation Services, Administrative Hearings, Governor, Human Rights

Economy (12): Commerce, Commerce BDs (3), AURI, Amateur Sports CM, Combative Sports CM, Explore MN, DEED, Labor & Industry, Public Utilities CM, Revenue

Education (11): Education, Arts BD, Center for Arts Education, High Ed Facilities Authority, MN State Academies, Office of Higher Education, Targeted Councils (5)

Page 19: A Look Ahead: Industry Trends

Does Your Organization Have a Central Security Team?
  Central Security Team: 94%
  Creating Central Group: 3%
  No Central Security: 4%

Does Your Organization Have Local Security Groups?
  Use Local Security Groups: 44%
  Only Central Security: 56%

Conclusion: MN.IT’s Proposed Model Aligns Well With National Trends

Page 20: Functional Organization Chart

Leadership positions:
  Assistant Commissioner & CISO, Information Standards and Risk Management
  Assistant Commissioner, Service Delivery
  Enterprise Architect
  Information Security Oversight Director
  Client Computing & Customer Support Director
  Infrastructure as a Service Director

Security functions:
  Secure Systems Engineering
  Governance, Risk, & Compliance
  Endpoint Defense
  Border Defense
  Business Continuity
  Vulnerability Management
  Identity and Access Management
  Physical Security
  Information Security Incident Response Team

Line of business teams:
  Health LOB Service Delivery Team
  Safety LOB Service Delivery Team
  Environment LOB Service Delivery Team
  General Govt LOB Service Delivery Team
  Economic LOB Service Delivery Team
  Education LOB Service Delivery Team

Page 21: Service Delivery Methodology

Detailed Service Deliverable | Future Level of Effort, Central Team | Future Level of Effort, LOB Team | Service Delivery Method
Information Security Program Management | Significant | Minimal | Primarily Centralized
Information Security Monitoring | Significant | Minimal | Primarily Centralized
Information Security Incident Response and Forensics | Significant | Minimal | Primarily Centralized
Continuous Vulnerability Management | Significant | Minimal | Primarily Centralized
Boundary Defense | Significant | Minimal | Primarily Centralized
Endpoint Defense | Significant | Minimal | Primarily Centralized
Secure Systems Engineering | Significant | Moderate | Central Direction / Hybrid Delivery
Information Security Training and Awareness | Significant | Significant | Central Direction / Hybrid Delivery
Business Continuity | Significant | Significant | Central Direction / Hybrid Delivery
Information Security Risk and Compliance | Significant | Moderate | Central Direction / Hybrid Delivery
Identity and Access Management | Significant | Significant | Central Direction / Hybrid Delivery
Physical Security | Significant | Moderate | Central Direction / Hybrid Delivery

Page 22: Priority Services

Selected through planning team consensus

Represent highest payback from a risk perspective

Plan focuses on rollout of priority services first

Plan does not include all service delivery details

• Secure Systems Engineering
• Continuous Vulnerability Management
• Information Security Program Management
• Boundary Defense
• Information Security Monitoring

Page 23: IT Security Consolidation: Value Proposition

MN.IT can provide a full suite of security services to all customers
  Cost to the customer far less than ramping up alone
  Better service, as expertise is shared
  More agile service: getting the experts when and where they need to be
  More job opportunities and specialization skills for employees

Will it be perfect? Priorities will still have to be set, but they will be done at an enterprise level
  No agency can “opt out” of security

Page 24: Beneficiaries

Customers
  Existing resources used as efficiently and effectively as possible
  Consistent security practices
  Metrics to understand security posture

MN.IT Services
  More specialization and deeper bench strength
  Clear priorities for the enterprise
  Reduction in single points of failure
  More career opportunities for staff
  Better understanding of our risk posture

Page 25: Final Thoughts

Auditing applications is easy and safe

Policymakers may be better served by an assessment of your state security program foundation:
  Executive support
  Freedom to act
  Funding
  Comprehensive plans

Page 26: Thank you!

[email protected]
@BuseTweet