Last month, we interviewed Thom Langford, the Director of Sapient’s Global Security Office. Among other things, he explained to us how critical people are to an organization’s cyber security success, not to mention how the CISO is instrumental in framing security issues so that different target audiences can understand them. As part of our ongoing “The Voice of the CISO” series, we now interview Brian Engle, who is the Chief Information Security Officer and Cybersecurity Coordinator for the State of Texas. Tripwire: What are your business priorities, and how do they relate them to your cyber security efforts? Engle: Broadly speaking, our first and foremost business priority is to support our Texas state agency customers and higher education institutions with telecommunications, procurement and overall strategy. This involves assisting each agency to protect its privacy and security, as well as supporting its ability to cost efficiently deliver its services to its customers. We are also constantly leveraging partnerships in an effort to help them achieve their goals of becoming more efficient, reducing risk, and continuing to operate on a limited budget and resources. Overall, we serve about 145 distinct organizations that each has its own individual and unique business mission. As such, these organizations have their own IT departments, IT leaders, and information security offices, whereas we act as more as service providers to them. T: In your opinion, what is the single most important component in cyber security success? E: The single most important component in cyber security success is communication, that is, my team’s ability to communicate effectively about what we can and cannot do. This is especially true for my place of work, where the Legislature for the Texas State Government meets for six months only every two years. This obviously provides a very limited timeframe for governance of a statewide information security program, especially regarding my team’s efforts to impress upon legislators and other personnel the fact that strong cyber security involves layers of complexity. (After all, my target audience also includes business executives whose intellectual energy is mainly focused on running their businesses.) With this in mind, it’s all about prioritizing our initiatives and weaving cyber security into the issues and capabilities that are deeply involved with running a business. To address our time constraints at the State Legislature, the Texas Department of Information Resources utilizes quarterly communications with its Board of Directors in an effort to not only provide the group a better understanding of the complexities of cybersecurity but also effectively communicate the organization’s priorities for the coming years. Using guidance provided by legislative decisions, we help to create a strategy for the state’s cybersecurity efforts. T: How does cybersecurity effectively align to the business? E: The word “alignment” suggests there is an effort to bring together two things that are otherwise separate. This next point cannot be over-exaggerated: cybersecurity is part of the overall organization, and more and more we’re seeing that it is one of the top risks to business awareness and understanding. It’s not a problem that we need to solve; it is an ongoing management concern for businesses everywhere. T: How literate are your executives about cyber security, and how does it affect how you communicate with them? E: The literacy of my executives varies broadly. Executives that work with us on a consistent basis are quickly becoming more effective and well versed in security, even if not in a technical sense. We owe this development in part to the Texas Cyber Security Framework, which helps with literacy and provides structures of understanding. Also, at a very high level, the NIST 800-53 provided a model off of which we could leverage existing cyber security standards and develop our framework. T: What questions do you get asked, and how often? Are you confident in responding to them? E: When a breach occurs, someone inevitably approaches me with the question “Who is responsible?” In one light, this question tries to understand who committed the attack, but in a more productive light, it touches upon the way in which information security professionals work together to protect user data and respond to any incidents that might arise. Ultimately, each and every agency is responsible for protection, detection, and response; there is not a single person responsible for the mission of cyber security. Frameworks help a little to the extent that they detangle the idea of many teams working together to accomplish a mission, but it’s still up to the people and agencies involved to decide how they’ll frame and build their security programs. Also, legislators and leadership personnel sometimes ask me the question, “How can I help?” This is a great question to hear, for there are things the legislature and others can do to help pull up additional resources and support. T: What does your business look like in three years, and what are you doing to prepare for that? E: For us, we are steadily becoming accustomed to the fact that a number of partners and outsourcing providers are going to begin relying on us, and us on them. Acknowledging this shift, we need to rethink the standards of effectiveness and efficiency we have built up over the years. How can we cobble everything together so that we can continue to see our efforts grow and mature? As always, we’ll need to appeal to everyone’s coordinated efforts to address these challenges. For more information on how Engle tackles today’s cyber security challenges, please watch this video here.
