Many professions have formal apprentice or internship programs that allow junior employees to learn on the job under the tutelage of an experienced master. CISOs don’t have the luxury of a structured activity but many times they do have the advantage of working for someone who can set an example and provide a path that can set someone onto a successful future. Michael Anderson, the CISO for Dallas County Texas had such a mentor. The experiences and insight he gained continues to help him today as he shepherds a team of a dozen security analysts who service 7,000 public servants who support a constituency of 1.8 million people.
Mr. Markose sets the Example
Michael Anderson first became involved in information technology in the armed services where he was an intelligence analyst. Upon exiting the military, he had to start from the ground up. He became a desktop support specialist but quickly advanced through the ranks by becoming an engineer and then into management where he never looked back. “Through all of those employment opportunities I got to touch everything; servers, routers, switches, and storage.” Michael’s hands-on education in information technology was well rounded when he transitioned from infrastructure into security. It was at this time he met Mr. Markose.
Anderson explained that Mr. Markose had entered the information security field because “of all the IT disciplines, this security stuff looks to be the coolest.” His approach to security was to work within a framework that charged that all disciplines within IT uniformly subscribe to the need for security. “I had not seen that happen so succinctly before” and it was at this time that Mr. Markose had taken Anderson under his wing and became his mentor. “He assisted me with transitioning from being an infrastructure guy to an infrastructure and security guy to the point where I became a Certified Information Systems Security Professional (CISSP). I now consider myself as a security purist.”
Frameworks and Execution
Observing how Mr. Markose implemented a security program based on frameworks impressed Anderson. “It is incredible how much discipline and structure were brought to the entire organization”. Anderson has learned this lesson well and he believes that building a strategic plan based on a framework and executing on that design is the only way to build and operate a functioning information security program.
“I was brought on with a charter to secure the county by maturing the security program. I started by establishing a framework, have a risk assessment done and from the risk assessment, create an 18-month roadmap. That’s exactly what we did.” Anderson explains that the approach was laid out so methodically that the Dallas County Commissioners could recognize how it would benefit the county. They are ardent supporters.
The framework that Anderson’s program is based upon is the NIST Cybersecurity Framework. He explains that they subscribe to many of the NIST elements because there are indications the State of Texas will predicate the state standard on that framework. “I want to future proof ourselves and select a framework that we know could grow with us and help us to evolve against all the other regulatory requirements that we have.” It is a daunting task as they are looking at 277 controls. He admits that it is a journey that you can’t say is ever complete but by breaking the strategic plan into tactical pieces you can make progress. Michael explains that he has implemented this at two other organizations where “I know it can work.”
A plan on its own will not work. It requires execution. “When you say it’s going to be done on day X, you must get it done on that day, period. No excuses, no alibis, no blame shifting; you’ve just got to execute. Execution; it’s not an option.” He explains that it is up to senior leaders to set the example. One way be fosters operation efficiency is to ensure that the team works together by encouraging cross training. Anderson notes that when everyone knows what is going on, when everyone knows how the stuff really works it improves cohesion and overall capabilities.
Machine Learning and Artificial Intelligence
One of the limitations Anderson has is bringing in new staff because the public sector pays considerably less than the private sector and is also much more selective. Attempting to offset this constraint requires Anderson to turn to advanced technology, most specifically using products that leverage machine learning (ML) and artificial intelligence (AI). Industry analysts believe that applications of AI, particularly machine learning, can be highly useful in detecting complex attacks, especially when the IA systems and human experts work cooperatively.
Michael believes that the best way to move forward is to have a cadre of analysts who manage systems that perform the heavy lifting of data processing and analytics. In this model you reduce analyst burnout because the staff is released from many of the mundane day-to-day tasks. Another advantage is that errors are reduced because machines don’t tend to make the same errors as humans. He does understand that ML and AI systems require constant adjustment so that only the most important issues are brought to the attention of the analyst for a human review. Systems that depend on human analysts for tweaking are far more reliable than those that depend solely on just algorithms. A major caveat Anderson explained is that you must “make absolutely certain that all of the data points we are feeding into our security operations center platform is as accurate and as relevant as possible. We want to make sure that we put in A plus data, so we get out A plus results.”
Watching the Adversaries
Another way to stay on top of the strategy is to understand what the adversaries are targeting and exploiting. Anderson tries to “stay incredibly close to them so that I at least understand what’s trending”. He respects that hackers have a clear advantage in their ability to discover issues they can exploit, to share it with their community, and to act on it immediately. “When I find something that must be remediated, I can’t act on it swiftly because of various procedures and policies. There is always a window of opportunity that they have that I can’t defend against.” Therefore he uses a number of services that contribute to closing the knowledge gap. It is this specific issue that makes Anderson a little bit anxious when he thinks about them.
“Music frees your soul from the dungeon of your mind” – Wiss Auguste
Being a CISO can be very stressful, especially when you think about all of the problems that can arise. Anderson has outlets that allow him to decompress. The first is his faith which fortifies him when he needs it. He also practices mentalism which he defines as “mastery of my emotions, of my feelings, of my beliefs. Self-control at a different level, subconscious reprogramming if you will.” He explains that having emotional discipline and self-control is a learned skill that he continues to improve. Finally when he lets his two centimeters of hair down, he relaxes doing light weight music engineering. He has a music lab in the back of his house where he can listen and mix music and time and space become concepts. “I’ll go in there on a Friday at seven o’clock and the next thing I know it’s one o’clock in the morning. I literally lose time there because there’s so much joy and I get so much inspiration from being back there just interacting with music. It’s calming, it neutralizes the week and it puts me in a really happy place.”