Q&A: California’s CIO and CISO reveal next steps for the state’s new cybersecurity strategy
Since Gov. Gavin Newsom announced California’s first statewide cybersecurity strategy last month, IT officials have been promoting the plan as something that will do more than increase security, streamline operations, or even cut costs. Officials said the strategy, known as Cal-Secure, lays the foundation for the future of California’s cybersecurity defense.
“We don’t want it to become a document that is shelfware, but it’s something that agencies can relate to and take action and find value,” said California’s Chief Information Officer Amy Tong. “We want Cal-Secure to provide agencies a prioritization on how to achieve what they need to achieve in terms of maturing their cybersecurity posture.”
Tong, who spoke to GovReport with Vitaliy Panych, California’s Chief Information Security Officer, said Cal-Secure is the culmination of many hours spent across multiple agencies to create a set of best practices and frameworks to plug critical gaps in the state’s cybersecurity programs while simultaneously helping the state defend itself against ongoing cyberattacks. The plan directs everything from hiring, training and information sharing to the technical application of cybersecurity technologies.
And while a gamut of public and private organizations contributed to Cal-Secure’s design, the plan itself will be overseen by the California Department of Technology, the California Homeland Security Strategy (HSS), the California Highway Patrol and the state’s Military Department. Tong stressed that this collective oversight ensured Cal-Secure’s longevity and effectiveness.
“What this really presents is an ecosystem of a holistic cybersecurity defense in protecting California’s public assets. That really is the essence of Cal-Secure,” Tong said. “It’s a 360-degree plan that is policy driven, action oriented and focused on the long term.”
Yet the plan will also be somewhat disruptive for the state’s current cybersecurity contractors and vendors. Tong said that where possible, Cal-Secure would aim to consolidate cybersecurity services and explore shared cybersecurity solutions between agencies. This could save the state millions of dollars—as Louisiana discovered in its successful cybersecurity consolidation effort—and help staff to manage systems more efficiently. But for vendors, it might also mean funding is channeled into the hands of fewer companies—something that may have some companies elated and others anxious.
Tong said the practice of consolidation and shared services should be expected, as it is a common state tactic to improve efficiency and improve services. This, she said, applies to all IT, not just cybersecurity.
“Any time when there are commonly used services that can be standardized, coordinated statewide—and then through that standardization and coordination the state can leverage its purchasing power—we are always striving for that,” Tong said.
To provide additional details, Panych sat down with GovReport to elaborate on the finer points of Cal-Secure, which he said began with the development of the state’s Vision 2020 and is now part of California’s Vision 2023 strategic plan. Below is his interview, lightly edited for clarity and brevity.
GovReport: In your own words, how would you describe Cal-Secure, its development, and the collaboration that was required to produce the cybersecurity strategy?
California Chief Information Security Officer Vitaliy Panych: So, Cal-Secure is our state of California roadmap, our foundational document, which outlines where we are, where we’re going and how we need to get there. There are nine key priorities surrounded by three underlying pillars: people, process, and technology. It also outlines 15 key initiatives that we as a state focus on with our underlying departments. This was a highly collaborative process where every state organization was brought in: every major system of every major department that we oversee. In fact, we have 40-plus public and private sector organizations represented and providing input on how we must shape and secure the state of California. That includes state agencies, private sector organizations, even counties and cities participated. We’ve facilitated over 20 formalized workshops with over 450-plus hours of working sessions conducted amongst those organizations. I was heavily involved in the development of this roadmap and the plan even before I joined CDT…We also brought in all aspects of the cybersecurity leadership within the state, including our partners within CalOES, council partners, California Highway Patrol, the Military Department, and during the pandemic we ensured that this roadmap and plan is informed by the Homeland Security Strategy, which outlines all aspects of security for the state of California and not just in cyber…And so this is highly collaborative, highly adaptable and agile.
GovReport: Where are you now in delivering on this plan?
Panych: So, I will also say that we were able to conduct some really good trial runs during the height of the pandemic in exercising this plan, so we’re well ahead in the execution of this plan. And having it published externally for the public just gives us a greater sounding board and executive sponsorship to further execute this plan. And like I said, we keep evolving it because cybersecurity, in general, is a highly evolutionary space. The cybersecurity threat landscape shifts on a really fast cadence. We’re always learning how fast we need to react during issues. That’s why I want to emphasize that this plan is highly agile, adaptable by design and by intent so we can keep up with this ever-evolving threat landscape that the whole world is dealing with in cybersecurity.
GovReport: Looking at current IT staff and the state’s cybersecurity workforce, how will this impact staffing, training, and hiring?
Panych: As you know, there is a skill shortage in the cybersecurity realm and we’re trying to address it. And we are addressing it by instituting various [training] initiatives and programs outlined in Cal-Secure that focus on internal staff, but also on the public…For example, in academia, we’re working with the community colleges, we’re working with the universities and high schools to really promote cybersecurity and ideally promote cybersecurity early, starting in high school. CyberstartAmerica.org is one of our examples of how we’re engaging high school students in order to build a career pipeline so that we can start those folks off early, inspire them early, educate them early, and then ideally help them land jobs in the cybersecurity career field, whether it’s private or public sector. We’re also engaging in various initiatives for our internal staff, like running an Information Security Leadership Academy, running an IT Leadership Academy; there are multiple [workforce development] tracks of technology leadership that CDT is responsible for and delivering. This isn’t just focused on state government, but we also have participants in academia, and within our local sector partners, our counties and cities. So those are just some of the items where we’re engaged and the list goes on…You can’t invest in just technology without investing in the workforce and the people or the new processes and policies in your oversight framework. These pillars, essentially, are force multipliers.
GovReport: Is there an opportunity to consolidate services or create shared services through this strategy?
Panych: [Consolidation] is another underlying tenet that’s reinforced by Vision 2023, for example. You know, making technology easy to use, to access and share and reuse across government. With that in mind, we’re also looking at repeatable and reusable capabilities and services within the state. So, like Amy mentioned, leveraging the state’s purchasing power is always a goal. There are certain technical capabilities that could be sourced from one level of an organization centrally instead of in a silo within an agency or department. And we are looking for those capabilities. One of the latest and greatest capabilities that we have built up recently—as you may have heard the governor mention—over the last several years the state of California invested over $260 million in cybersecurity efforts; of that, $11.3 million was one-time funding and $38.8 million was ongoing funding. And that’s really to bolster some of our centralized capabilities such as security operations monitoring, detection and response, as well as our centralized audit program. You know, you can’t improve what you cannot measure. So auditing is extremely important to identify gaps. Another centralized capability that we recently built within Cal-Secure and CalOES is a dedicated incident response team, which has been crucial and beneficial in tackling and responding to some of the major incidents that our government organizations experience, including cities, counties, and local jurisdictions. So, we have built up a dedicated threat intelligence and incident response team as a centralized capability. And there is a myriad of other potential centralized capabilities that we can potentially partner on; however, there are other capabilities that counsel outlines that state entities must be responsible for at a local level, because you can’t outsource every aspect of your IT every time, 100 percent of the time.
So, Cal-Secure aims to prioritize those capabilities and articulates and outlines what the most effective way is to implement and maintain a certain cybersecurity-like function and capability. And so that’s always a topic where we want to be more effective, more efficient so that we can protect more things and do more things within our existing sandbox.
GovReport: Gov. Gavin Newsom spoke of hard deadlines to compel agencies to act. Can you describe what type of deadlines are part of Cal-Secure?
Panych: So, the key end goal with that is really to emphasize some of the security basics, some of the “Security 101” things that everybody must focus on, you know, decommissioning of legacy software, legacy operating systems, facilitating better [software update and] patch management…just some of the basic fundamental things that everybody must focus on. And then, not in every case, but when an agency is unable to achieve some of those set fundamentals, we’ll help to support the agency to learn how it can mitigate some of those deficiencies. So, this is more of a collaborative approach to facilitate information sharing and remediating some of these basic issues. This is why [agency] reporting was highly emphasized in the governor’s address [announcing Cal-Secure], so we can foster information sharing in government…We want those entities that report to collaborate and then have information sharing mechanisms with our partners so that we can advise.
GovReport: What will make Cal-Secure a success in its growth by the end of 2022?
Panych: Executing on the initiatives that we have outlined, promoting it, briefing it, raising awareness to all stakeholders, to all of our entities, briefing all of our partners, including private and local partners…You know, this approach means we rely and depend on each other and on other organizations. We exchange services, we provide data to one another. So, if Cal-Secure is going to be a success, it’s prudent and incumbent upon all of us to implement similar strategies in a cohesive and prioritized fashion: evangelizing it, prioritizing it, talking to all of our partners and looking for those opportunities to be more efficient.