The Way toward a Diligent Security Environment
By Michael Makstman, CISO, City and County of San Francisco
As a City and a County, we have different mission-critical elements to take care of. We ensure that we are providing digitally empowered services to the city’s visitor. With the advent of the digital revolution, the threat landscape that we operate in has expanded rapidly. Now, everything connected to the internet—that covers any and every element in our environment—is a part of the landscape. We have witnessed instances where cyber attackers don’t just go after the traditional datacenters but also the cloud and other networks. The biggest challenge for us to think about today is combining all the disparate environments in a manner such that they can be secured as one whole entity.
But, the predicament is that there’s a lack of a one-stop-solution that can protect everything together. We need to think about picking up products and integrating them to form an all-encompassing solution. Furthermore, we have to ensure that the process that we have in place and the people involved can embrace the solution that we create. There is a lack of knowledge when it comes to the security aspect, and this gives rise to the need for educating the personnel so that they can comprehend different domains such as sensors, networks, and security systems. The digital world has arrived, and it has grown to be a grave predicament for us, as we are not able to adapt to it in a secured manner.
Identifying the Correct Solution Provider
When we start to chose a vendor, we have to think about the prevalent variety in the generations and systems of technology. This includes the integration of traditional and the cloud, and if we try to get a separate hammer for every nail, it would be an attempt to boil the ocean.
Notably, in the government sector, one has to be very conscious of the budget and spend it responsibly. When we take the responsibility of spending the resources carefully, what that essentially means is that we have to set up a competent security system within the limited budget. We have to be diligent while operationalizing integrations of solution providers. Additionally, it also has to ensure that the product that we are choosing has a strong API and integration ecosystem. In fact, we have brought very different companies together and asked them to play on the same table when we need them to as no one can solve a good portion of the problem that we have, exclusively.
It is always important to consider interoperability in a particular solution and the experience that the teams associated with it have. Additionally, user experience plays a role too as at the end of the day, usable alerts and dashboards are essential to get the end consumer involved.
"The digital world has arrived, and it has grown to be a grave predicament for us, as we are not able to adapt to it in a secured manner"
Strategic Points to be Considered
One should not think of security as the number of individual activities to secure servers, cloud, and e-mails, they should think of it as a program or a business function. There’s a lot of threat existing today that can cripple the system, and we need to bring programs that can bring the security perspective for it. Security needs to be integrated with other exterior technology strategies and directions, and this is what should be the first aim of any agency. They should build a trusted environment by protecting the critical data of the customer. For a lot of agencies, they deal with people who are not a part of the traditional systems and that trust is tough to win.
For us, to be a part of the business, we come with a mindset of innovative and open technology such as open data initiatives. Our team always tries to accelerate and makes it easy for agencies to deliver the services. Thus, locking down the systems is not the right approach to pursue, and that is where risk management comes in. We have to think about the strategies that segregate the data according to its vulnerability. There is a need to be aware of the threat landscape and dedicate resources to understand the technology that can mitigate the risks effectively.
Piece of Advice
• Start with the risk and understand where it lies. Comprehend the mission and the associated technology of your business.
• Don’t assume that traditional systems will always be the solution. Bigger walls can’t keep the threats at bay; break the wall so that you can go faster and in a more effective way.
• Pick knowledgeable peers that can build a backup/ response plan in case a breach takes place.