North Dakota is a unique state. It is not only home to two-thirds of the nuclear triad; it has one of the highest levels of broadband connectivity per capita, and the combined state network is more than 250,000 endpoints.
In 2019, Senate Bill 2110 was signed into law and provided cyber authority to engage and defend the seven branches of the North Dakota government, including judicial, legislative, executive, higher education, K12, cities, and counties. With such a large environment, how do you grow the coverage of your security tools from less than 30,000 to more than 200,000 for a “whole of state” approach? How do you ensure your customers are getting the products and services tailored to what they need?
First, we needed a way to track our progress. The North Dakota cyber team uses Objectives and Key Results (OKRs). OKRs help us set and achieve goals. To measure the reduction in risk and the impact of our work, we used a cyber maturity assessment (CMA). This would give us a before and after snapshot and demonstrate the value of the “whole of state” approach.
Then, we went on a listening tour of all of our political subdivisions to better understand their needs. The idea is simple: seek first to understand customer needs before you try to sell a solution. Do not force what you have on them; work to provide what they need to solve their problems! We found that most wanted a basic level of control and also dashboards and reports. While working to create these reports, we discovered that our endpoint detection and response (EDR) solution did not have the required functionality.
We contacted the CISOs of public and private firms and asked if they needed this feature and if it would be valuable to them. All responded with a “yes!” We reached out to the vendor directly and explained how this functionality would be an asset to any customer that needed a nested view of security. The vendor connected us directly to their development team, and within three months, a new feature was added to their product. This gave us the ability to meet our customers’ needs and continue our deployment.
Vulnerability scanning was the next item. With so many assets across the state, a centralized scanning approach was inefficient. We wanted to move to a near-continuous scanning model. We distributed scanners across the state to reduce scanning time. To streamline remediation, we tied the scanners to our ticket management systems so that critical, high, and exploitable vulnerabilities would be patched as needed.
While we made great progress, we had not yet reached 100 percent of our goal; therefore, our final action item was to partner with the North Dakota Insurance Reserve Firm “NDIRF” to reduce cyber insurance rates by four percent for any state entity that adopted our toolset. This further increased adoption.
What were our final results? We achieved a 263 percent increase in coverage in EDR, a 429 percent increase in scanned devices, a tenfold reduction in the response time to phishing, and a 50 percent reduction in scanning time for our entire network. Our CMA scores have improved, and we have a much more secure network. If you are taking on a large security project, set clear goals, get the input of your customers, and look for partners to work with you that will find win-win solutions.