Cook County Takes An Organizational Approach to Cybersecurity

This post is an excerpt from GovLoop’s recent Guide to Government’s Critical Cyberthreats. This research guide explains the various cyberattacks government endures and provides steps to safeguard your information systems.

It’s hard to imagine that just a few years ago Cook County, Ill., – the second most populous county in the country – had no centralized management strategy or directive for its various agencies’ IT security protocols and tools. Today, the county has both a central security office within its Department of Homeland Security and Emergency Management and a formal ordinance to direct cybersecurity processes across the entire municipality’s government, thanks in large part to the county’s Chief Information Security Officer, Ricardo Lafosse.

Lafosse joined Cook County’s government in 2013 with the primary objective of creating a central information security office, under the leadership of Cook County Board President Toni Preckwinkle. Historically, separate entities, such as the County Clerk or the President’s Office, installed and used different tools with different levels of security, despite sharing the same underlying IT infrastructure. “It was a lot of ad hoc, decentralized efforts to do very niche security things,” Lafosse said.

That was a significant problem because a vulnerability in one solution could put the entire system at risk, without any other department having knowledge of the risk or an overarching response plan to execute in the event of a breach. Lafosse was hired to correct that problem.


Rather than starting with a formal plan, laden with details and protocols, Lafosse decided to begin by addressing the culture surrounding IT. “Cybersecurity is less complicated off paper than on,” he explained. “The second you put it on paper, then you have to always follow those procedures. So when you first come on board to an organization that has had no structure at all, you have to ebb and flow with the culture, and then solidify it.”

Once Lafosse had a good idea of the county culture, he began making more procedural changes that would improve but not disrupt current processes. In less than three years, his office has made tremendous progress.

“We’ve centralized a lot of the information security governance structure into a working group,” he said. “And now we have a significant amount of security tools and controls in place. For example, we have centralized endpoint management, advanced endpoint management and advanced malware protection.”

The centralized organization has also given his office greater understanding of what occurs in their networks. Lafosse said they now know what baseline, normal network behavior looks like, so they can quickly identify and act on abnormalities. They have also created an incident response plan, in the case that abnormal behavior is actually malicious code or another hack in progress.

In addition to establishing these organization-wide tools and plans, Lafosse has created a governance structure to safeguard the county’s future IT plan. “A lot of what we deal with are new projects and ongoing projects to ensure that the proper security controls are in place before they get on the network or become production use,” he said.

Now, the information security office must review the security implications and give approval for any IT project in the county, before it is deployed. “Doing that, we reduce the need to go back and plug security holes after something goes into production. If we proactively bake in a lot of the security, it makes our lives and the county’s security posture much better from the get-go.”


Despite the benefits of these initiatives, Lafosse said it was no easy task to get everyone onboard with these improvements. Many departments, offices, and elected leaders were used to their own tools and procedures, which they could choose and deploy without impediment. To help get everyone on the same page, Lafosse and his team decided to create an ordinance that outlined their office’s initiatives, oversight, and expectations regarding cybersecurity.

The ordinance also required each elected official’s office to designate a security liaison who would work with the central information security office on incidents, strategy, operations and awareness. That way, “everyone would be accountable from an information security perspective,” Lafosse said. “It gives them more skin in the game so that if they lack security controls, we can help them, but if they decide to neglect it, everyone’s infected. So that provides, again, incentives to implement security controls.”

For those agencies that were already on board with the new central management plan, the ordinance gave them a formal structure for working with Lafosse and his team. It established an Information Security Working Group, which meets monthly to discuss any ongoing or new issues and create more advanced security policies.


Now that Cook County has a centralized cybersecurity structure and policy, Lafosse is looking for new ways to enhance the county’s security. He offered a glimpse of his priorities in 2016:

• Hire more cyber staff. By changing job descriptions and opening some requirements, Lafosse hopes to recruit more talent to his office.

• Automate compliance controls. Using various cloud-based web solutions, the security team will be able to collaborate with vendors on new projects and automatically check products for security and risk compliance.

• Identify at-risk assets. Lafosse said they want to assume a risk-based approach to security decisions by identifying their most sensitive assets and applying controls accordingly.

Ultimately, Lafosse said he wants to make Cook County’s information security policies a standard that others can emulate. “People look up to us. We’re trying to create a framework that other counties can use to quick start their information security office program, which would be very helpful for smaller agencies or other, local or state governments that want to move forward with this type of model,” he said.

That goal is certainly a worthy one, not only for altruism’s sake but for Cook County’s as well. “If more counties are secure as a whole, the entire vertical – every county and every person – benefits,” Lafosse said.

