Things are getting ugly out there. I had a chance this week to chat with Gary Hayslip who is the first CISO for the City of San Diego. He also co-authored the book the “CISO Desk Reference Guide” about the changing roles of the CISO and how to be prepared for today’s current threat landscape. This discussion came on top of a Forrester Report [Disclosure: The report was funded by Varonis, a client of the author] detailing just how poorly prepared private and public companies are to protect their data and the devastating breaches in companies like Yahoo and organizations like Democratic National Committee.
Let’s talk about what I learned from Gary and we’ll close with some of the highlighted survey results. By the way Gary will be at RSA and is a fascinating guy to talk to, so, if you are there and see him you’d likely find a chat fascinating.
Management is important
One of the reasons San Diego is in far better shape than most of the organizations I speak to is that the mayor and the city council, likely because of the growing tech presence in San Diego, were solidly behind the effort to make the city more secure. One of the primary reasons I see security efforts fail is because the security organization is often treated as little more than a symbol and are generally under resourced and underfunded. That isn’t the case in San Diego. At around 1.5 million people San Diego is ranked 8th by size in the U.S.
San Diego’s problem
Currently the city is managing 5 petabytes of data that is effectively owned by its citizens. This is a massive amount and when Gary took over no one seemed to know who was accessing this data and how it was being used. This represented a huge city resource/asset, responsible for an equally large city cost and it wasn’t being adequately managed or protected.
Phishing, and ransomware attacks have increased sharply (ransomware by 10x) over the last several years. In addition, the city has a whopping 4,000 vendors who have permissions to access and potentially change city data any number of which possibly could be fake.
He looked at a broad cross section of solutions and only Varonis did what he felt needed to be done. This allows him to not only immediately respond to internal breaches, but nip successful ransomware in the bud limiting the damage done. How he got there was having a detailed understanding of the exposure so that he could set a rigid criterion that was vendor independent allowing him to get underneath marketing and sales promises and select the best vendor. His process is likely as important as his selection.
Now one interesting security product they are exploring is Flowscape from Webroot, a deep learning network anomaly tracker. On paper, it looks like it is incredibly advanced and I’ll be interested to see how his evaluation goes. One troubling thing Flowscape apparently identified was that a lot of the devices they have with Chinese components connect to the component supplier in China regularly, something they were unware of (these are things that range from connected parking meters to stop lights).
But this showcases, like any well-secured shop, you use multiple layers of security products often from different vendors.
Using tech right to combat the threat landscape
It is always interesting to see if the local government in a high-tech region makes use of technology to aggressively advance productivity and defend against threats. I’m often more disappointed than surprised. However, Gary Hayslip and San Diego were exceptions in that they seem to have a strong handle on what needs to be done and what tools are needed to do it.
If you get a chance you might want to check out Gary’s book and if you see him at RSA -- again, you’ll likely find him an interesting guy to chat with partially because he came out of the DOD. And that last may explain why he has a sense of humor, because you have to in order to survive this, and why he has been so successful in San Diego. Finally, kudos to San Diego’s mayor and city council. It isn’t often I speak of politicians as folks that get things done. You folks did and it makes me regret I’ve never lived in your fine city, especially now when I’m up to my hindquarters in snow.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.