June 28, 2023
Anomali Threat Research

A CISO Perspective: From Threat Landscape Insights to Transformation Programs | Part 1

<p>The state of Maryland is 42nd in size. Pretty small, particularly if you're looking at it from California. However, this small state punches far above its weight when it comes to cybersecurity. There is a very high concentration of both federal agencies and military installations, including the NSA and U.S. Cyber Command, as well as a very high density of defense and intelligence contractors. The cybersecurity talent pool in this state is both broad and deep and is backed by strong education and business ecosystems.</p> <p>Anomali recently conducted an interview with <a href="https://www.linkedin.com/in/thechipstewart/">Chip Stewart</a>, the former CISO (Chief Information Security Officer) for the state of Maryland from 2019 to 2023, effectively the person responsible for cybersecurity for the state with the highest cybersecurity presence in the U.S.</p> <p>Surprisingly, the cybersecurity program for the State of Maryland is relatively new. The program was put in place in 2019 and was officially signed into law in May 2022. This initiative was triggered by events that served as a strong cautionary tale for government cybersecurity, specifically the <a href="https://en.wikipedia.org/wiki/Atlanta_government_ransomware_attack">SamSam ransomware attack</a> in Atlanta in 2018 and the <a href="https://en.wikipedia.org/wiki/2019_Baltimore_ransomware_attack#:~:text=On%20May%207%2C%202019%2C%20most,for%20keys%20to%20restore%20access.">Robbinhood ransomware attack</a> in Baltimore in 2019. 
Although the ransomware used in the two cases was different, both exploited the same loophole – lax or underfunded security initiatives – and both had essentially the same effect: critical government services were taken down for weeks, resulting in significant business and economic disruption.</p> <p>Not only are attacks of this type increasing in magnitude and frequency, but their effects are also becoming more extensive because of interdependencies in the state's technology infrastructure (which was part of the impetus to codify cybersecurity at the state government level). Very few systems that deliver services to constituents exist in isolation, so when one gets hit, everything downstream is at risk.</p> <p>Another risk variable is how the state's cybersecurity model is implemented. Per Stewart, there are generally three operating models:</p> <ul> <li>Centralized – management and execution are controlled at the executive branch level.</li> <li>Federated – cybersecurity services are shared across state entities.</li> <li>Decentralized – every agency or entity does what it thinks is best.</li> </ul> <p>The same operating models also apply to county and local governments, municipalities, etc. Overall, Maryland (like many other states) operates in a very decentralized model. While all three models co-exist, coordinating authority and control of execution in the event of a threat can be complex because of the lack of direct authority. This type of framework requires strong partnerships but often carries the risk that everyone is doing their own thing. This is very different from the private sector, where cybersecurity is much more tightly controlled.</p> <p>The impact of a cyberattack on a private sector entity is also different; most often a cyber failure has a financial impact (disruption of finances or livelihood). 
In addition to financial impacts, disruption at the government level can have a direct impact on people's lives because of the critical nature of government services. This is often exacerbated by a far more complex organizational structure and the more pervasive impact of failure. Because of this, it is critical that cyber-resilience is baked into the public sector's security infrastructure.</p> <p>In both the public and private sectors, the buck generally stops with the CISO, who often does not have direct authority over the range of cybersecurity issues that state and local governments face. This is already a high-visibility position, and when things go off the rails it can be easy for people who lack context or understanding to point fingers. This is part of the reason the CISO's role has recently become more evangelical: these are business issues at their core (whether private or public), so there is a strong need to contextualize the business benefits of investing in threat prevention and event remediation.</p> <p>This is similar to the CISO role in the private sector, particularly in large, complex enterprises. Everyone understands the need for security at a basic level, but there is always a tendency to hit the pause button when the costs of new or expanded technologies enter the conversation. This is perhaps somewhat more straightforward in the private sector: most businesses are about making money, and anything that disrupts that (like breaches) is likely to be addressed more quickly. Nevertheless, in most companies, the people who can write big checks are not going to be interested in low-level product details. 
Focus on the value delivered to the business through better security management, and you're more likely to get buy-in at the executive level.</p> <p>In the case of the State of Maryland, the rationale for building out a cyber threat intelligence (CTI) program began with the notion that CTI is the core component of operational security; it drives actionable intelligence and can reduce the asymmetry of engagement with threat actors. Because of recent high-profile incidents, they were able to build out their team quickly, hiring from the local intelligence community, with strong support at the executive level. Their initial focus was on how to curate disparate signals into actionable threat intelligence, and like most early program investments, they needed to show ROI quickly.</p> <p>This, of course, raises one of the quandaries of cybersecurity: if something bad happens, the SOC gets blamed and budgets tend to get reduced. If nothing bad happens (because they were doing their job well), there's no apparent need to keep funding. This particular dynamic is the basis for moving the conversation away from features, and even benefits, to one of value. It also helps to broaden the conversation to include the community (e.g. ISACs) and technology partners who have a vested interest in their customers' long-term success.</p> <p><em>This blog is the first of a two-part series, and the full video interview is also available <a href="https://www.anomali.com/resources/webcasts/a-ciso-perspective-from-threat-landscape-insights-to-transformation-programs">here</a>.</em></p>
