February 21, 2013, 10:56 AM — Before Jonathan Trull took over as Chief Information Security Officer for the state of Colorado in 2012, he had already been working in the Colorado Office of the State Auditor for a decade. As the Deputy State Auditor, he was responsible for overseeing annual audits of the state's systems.
It was during that time that Trull said he became concerned with what he observed as repeated mistakes and violations that were not addressed, and even took part in a penetration test on state systems with results he says were "horrifying."
Trull recently spoke with CSO about his new role, and how he hopes to create effective change in Colorado's security infrastructure--even on a minuscule budget.
CSO: You have an interesting story about how you came to the position of CISO of the state of Colorado. Tell us about it.
Jonathan Trull, State of Colorado: One of the catalysts was that I was doing the audit work in my previous position, and I came to a point where I was concerned about the seriousness with which people took the audit findings. A typical audit finding might be "your password complexity is not sufficient." It's pretty boring actually.
But, after a while, you see enough of those and there didn't seem to be a lot of progress in areas that I thought were critical--significant to the prevention of breaches. We seemed to do well on compliance issues: check-box sort of stuff like "I've got this policy or procedure in place." But the question was: Has it been operationalized? Is it actually working?
To test that in 2010, my team and I did a covert penetration test against the state systems. The only person that knew was one person in the governor's office. We also wanted to test our security staff's ability to detect and respond to attacks.
The results were fairly horrifying. Really pretty bad. Significant breaches were accomplished by our team. We were able to steal thousands of confidential records of taxpayers, citizens. Shortly after that, the CISO in place left for another job and they asked me to come in and fix what I found.
Where did you start?
The SANS 20 critical security controls seemed, to me, from my experience with doing pen tests myself, to be the best place to start. When I started going through the list I thought "These will prevent the majority of how we got into our systems." Then it became a matter of prioritization.
It felt like a no brainer for me to focus on those areas first.