"It is impossible for ideas to
compete in the marketplace if no forum for
their presentation is provided or available."
Thomas Mann, 1896
The Business Forum Journal
Career Path of a Chief Information Security Officer
Back in 2004, Michelle Gamble-Risley of the Center for Digital Government (CDG) interviewed me. As my thoughts then and now are pretty much the same, it seems that this interview could be used as an introduction for my forthcoming materials to be published in The Business Forum Journal.
Kevin Dickey
CDG: HOW DID YOU COME TO THIS CAREER PATH?
DICKEY: I worked for the State Controller's Office as an information
security officer where my job was to protect the controller's assets and the
payroll system. Then the Lottery Act was passed, and I joined the State
Lottery in 1985 to help build its business. I stayed there until 1997 and
worked on securing statewide assets and its data center. Then I joined
Contra Costa County.
CDG: HOW DID YOUR POSITION COME ABOUT AND WHAT DOES IT ENTAIL?
DICKEY: My understanding is that in 1996 Contra Costa County was
subject to a fire at its court facility where someone was trying to burn it
down to [incinerate] their records. The county brought in Stanford Research
Institute, an external audit firm, to do a high-level risk assessment to
determine the county's vulnerabilities. One of their findings suggested
bringing in an information security officer to compile and coordinate
information systems security across the county.
In 1997, the county hired me to become the first-ever information security
officer. Since then, I have established an information system security program
that has been extremely successful. I've also realized that I want to share
this program with others in government. When I was working with the
California County Information Service Directors Association (CCISDA), they
asked me to form a committee of CCISDA counties to help build a program
similar to mine. We recruited volunteers to meet on a quarterly basis to
show them the value of information security. We came up with a rewrite of
the county's program that was based on a common volume of knowledge and best
practices for an information security program. We published that document
back in March 2002 under the Information Security Forum of CCISDA. We also
asked members to take the document back to their boards of supervisors.
Additionally, we shared the program with the Municipal Information Systems
Association of California (MISAC), which is the city equivalent of CCISDA.
Of course, we shared it with the state of California as well.
CDG: WHAT DO YOU THINK IS THE MOST IMPORTANT SECURITY POLICY TODAY?
DICKEY: Working through CCISDA, we have come together as counties,
because we have similar business practices. We don't compete with each
other. I look at it and ask, 'Why should taxpayers have to pay for it more
than one time?' With that in mind, I've been working on information security
programs with MISAC, the counties and the state. Last April, we came up with
the best policies for the county enterprise level and published those
policies for CCISDA. These policies were best practices to be applied by the
CEO all the way to the janitor that addressed what should be done for
information security. IT departments in every county facility can adopt
these policies and write appropriate procedures for doing work like patch
management, anti-virus control, change control, system monitoring, and more.
It doesn't matter if you're in the public or private sector, anyone can
benefit by adopting a modified version of these policies.
In general, I have been promoting good information security practices. I
have also been working at the federal level to try and get the homeland
security leaders to understand that security is not just bullets and guns,
but also it's infrastructure that is supported by information technology. I
am not making headway quite yet, but I just started. The issue really comes
down to active organizations -- fire, police, Hazmat -- that come in after
an incident, and the ones that are receiving the grant money. The policies
that I'm talking about tell what IT and businesses need to do to protect
against malicious software.
CDG: WHAT IS YOUR NUMBER ONE TIP TO IMPROVE PROTECTION?
DICKEY: Like any program, you need executive buy-in. You need program
support from the executive level, because it's hard to push from the bottom
up. It has to be recognized as a worthwhile venture by the executives.
Also, what's hard in my line of business is demonstrating prevention. If you
lock your car, how do you know if someone tried to open it? I believe in
working in the prevention mode. Of course, I do address reactionary issues;
however I do try to prevent calamity before it hits. I want people to harden
their systems and not release confidential data that may eventually get them
into a lawsuit or sexual harassment suit. I think that every time we go through
something like that the taxpayers suffer. Their money should go somewhere
else, not into legal games.
Unlike the law enforcement side, I try to make sure policies are practiced
so that we have intrusion detection systems in place to see how many people
try and get in but don't. That is harder to check. Most people have a
reactionary stance, meaning they don't do anything until someone breaks into
their house, and then they will change their home security. My job is to
stop it before it happens.
It comes down to working on the problem from the construction end to ensure
security. I'll come in and tell governments what systems they need to have
in place for prevention -- and they won't do it, because they have never had
a negative experience or they think it's too cost prohibitive. Putting in a
dollar-to-dollar investment for proper security means they often wait and
pay $10 to fix it after the fact. Until you are vandalized you don't see any
return on your investment, only overhead costs. We can monitor and say that
we prevented thousands of viruses from coming into this country that
essentially would have cost millions of dollars -- and the investment was
minimal.
Everyone understands viruses, but it's the stuff that you don't see that we
need to pay attention to. We have to make sure the infrastructure is solid
from a risk-assessment standpoint. We don't want it to be a roll of the dice
or a hit-or-miss situation.
CDG: WHAT INFRASTRUCTURE DO YOU HAVE IN PLACE IN CONTRA COSTA?
DICKEY: We have a good network. We recognize that if everybody tried
to run their own network infrastructure, the cost would be huge because
everyone would be maintaining it; but there are certain toolsets associated
with consolidating it. We looked at it from an enterprise-wide stance and
said we needed a robust, single network. If we had 38 networks, the cost
would be 38 times greater. You would have to have duplicate staff, hardware,
software and connections for each access to the Internet. So, the county
established the network, and it's more economical to maintain and secure.
CDG: WHAT ARE THE TOP SECURITY PROJECTS FOR 2004?
DICKEY: What I am trying to do is establish a best practice where we
will do business impact analysis for every business unit in the county. It
will help the business customers we have in the county define which business
practices they have that are most important and all the contingencies they
have and help them prioritize them. Then I will do a risk assessment against
each one of those and help them mitigate any risk I see with how the system
is currently run. Then we should correct any existing threats and measures
so they are not vulnerable. My ultimate goal is to have every department in
the county have a continuity plan that is a result of this risk-analysis
process. What that means to the taxpayer is that if we have a natural or
man-made disaster in this county that the business practices are documented
and the county services will still be maintained.
CDG: DO YOU HAVE ANY OTHER SECURITY PLANS FOR NEXT YEAR?
DICKEY: I want to help departments comply with the new IT policies.
Many of them need to write procedures to ensure compliance. If people aren't
maintaining their systems then they're vulnerable. So, what I'm stressing is
standardization. If you start to standardize IT, it's easier to secure it,
because the tools are there. If things are built the same then everybody can
benefit from it.
CDG: WHAT IS THE NUMBER ONE PRIORITY WHEN IT COMES TO KEEPING THE TERROR
RISK OUT OF OUR SYSTEMS?
DICKEY: We have to look at it from a risk assessment and ask
ourselves, 'Would a terrorist target a county program?' They are likely to
look at a place that would cause the most injury to achieve their goal of
creating terror. That place would probably involve communications systems,
power grids, water supplies, and areas like that. Since 80 percent of that
infrastructure is owned by the private sector, they need to secure their
assets. The government may be reluctant to mandate that those assets are
secured.
CDG: WHAT WOULD PEOPLE BE SURPRISED TO KNOW ABOUT YOU?
DICKEY: They would be surprised to see that I look at this from a
business standpoint. It has to make business sense. I think people see
information security as a roadblock, but I know it is an enabler. If you
bring security in at the beginning of a process it saves time and eliminates
false steps.

Kevin D. Dickey is the Deputy CIO and Chief Information Security Officer for Contra Costa County. He has over 34 years of government experience in the field of Information Technology. He currently oversees the Contra Costa County Information Security Program for the County's 38 Departments to ensure consistent rollout of this County-wide Program, and was the first Information Security Officer in a California County Government (58 Counties). Kevin pioneered the formation of a State-wide Information Security Forum through the California County Information Services Directors Association (CCISDA) to ensure that all California Counties have the ability to build and maintain a uniform Information Security Program. He is also the Co-Chair for the establishment of California State standards for Electronic Health Information Exchange (E-HIE), led by the California Privacy and Security Advisory Board (CalPSAB). He was a member of The Pacific NorthWest Economic Region (PNWER), which is a Public-Private Partnership consisting of the American states and Canadian provinces of Alaska, Alberta, British Columbia, Idaho, Montana, Oregon, Washington, and the Yukon. PNWER's mission is to foster sustainable economic development throughout the entire region in the event of any disruption due to a manmade or natural disaster. He has been a regular speaker or panel member at various seminars for many years, discussing issues such as Continuity Planning, Information Security Program 'Best Practices', HIPAA, and Privacy of Government Controlled Information. Kevin was also the first 'Security Counsel' in the premier edition of Chief Security Officer (CSO) magazine, was on the Editorial Advisory Board for SC Magazine, and has been published in many industry and government periodicals.