An interview with Miguel Penaranda, State CISO, South Dakota.
In South Dakota, State Chief Information Security Officer Miguel Penaranda is ever on his guard. He’s protecting systems not just against the known threats but even more so against exploits that have yet to be publicly identified.
“What is out there that we don’t know? That’s what I think about — because I am 100% sure there are threats out there far more scary and more advanced than what we actually know about,” he said. With new vulnerabilities emerging as the state transitions resources to the cloud, Penaranda said he looks to defense-in-depth strategies to protect critical IT systems and data from the known and unknown threats. That starts with a focus on his cybersecurity personnel.
More Than Technology
“To me, defense in depth means not simply relying on technology,” he said. While technology is great for sending alerts around potential malicious activity, “my question is: What is the human doing, apart from just receiving an alert? Are they actually doing something about it?” Penaranda asks his people to look beyond what they see on the screen.
When they notice questionable or unusual activity, he wants them to think about what’s actually happening inside the system and what they need to do about it. “That’s defense in depth to me: always trying to understand the meaning of that activity,” he said. This human-centric approach has an impact on training for IT teams, with a greater emphasis on building critical thinking and analytic skills. Penaranda’s training agenda these days includes a wider range of problems, with a focus on creative problem-solving.
In addition to training, this approach also has influenced the way he does his hiring. “When we acquire talent, we are thinking more about aptitude than about certificates or whatever other credentials they may have,” he said. “Do they have the ability to see beyond what they have on the screen? That is very important.”
A Community-Driven Approach
Along with that human ingenuity, that human attentiveness, Penaranda also looks to community involvement as a cornerstone of his defensein-depth efforts. A collaborative approach is needed, he said, given the enormity of the threat and the limitations on state and local resources. “Without partnerships in this cyberworld, you don’t go anywhere,” he said. “How can we protect against what is coming at us? From the perspective of a state government, we can only see so much. Others can see far further, and we need to work with them to know what’s happening out there.”
By forging partnerships with the state’s public safety officials, for example, as well as through organizations like the MS-ISAC — the Multi-State Information Sharing and Analysis Center — Penaranda is able to expand his view of the threat landscape to get a bigger picture of emerging cyber risks and remediations. Underneath it all, he supports defense in depth with layers of technology.
“The best thing we can do is to have layers of defense. There’s no single silver bullet to stop attackers, to stop malicious things from happening,” he said.
Strength in Diversity
Even with the best technology, his experience has shown that some exploits can always slip through a crack. Multiple tools working in tandem make it less likely that attackers will find a way in. With layers of defensive technology, “if one thing doesn’t catch it, the next thing will,” he said. To that end, Penaranda also looks to utilize a mix of technology vendors as he assembles the elements of his multi-layered defense. He doesn’t just want a diverse range of tools; he wants to get those tools from a diverse assortment of providers.
Different vendors will have different approaches, and by combining tools from multiple sources, he’s more likely to cover all the bases. “We have different paths of technology using different vendors with different perspectives,” he said. That diversity of approaches offers a more robust base for his defensive operations.
Looking ahead, Penaranda said he is acutely aware of the ever-changing nature of the cyberthreat. It’s that ongoing evolution that drives his efforts, especially around defense in depth. “If I look at cybersecurity the way it was even in 2010 — now it’s just 12 years later, and everything has been growing exponentially, all the attacks that are out there,” he said. “What that says to me is you have to keep moving. We all have to keep moving forward.”
This article first appeared in our playbook, “How to Take a Community-Driven Approach to Cybersecurity.” Get the whole playbook: