How Colorado's CISO is revamping the state's information security -- on a $6,000 budget

By , CSO |  Security

Once I did an inventory of all of the security products we owned, and all of the licensing and contract terms, I found we had a lot of shelfware: things purchased years before that were now not being utilized. Excess licenses were everywhere.

Honestly, part of this is going to be a return on investment for eliminating products no longer being used or focusing on new ones we are going to actually put to use.

What specific goals are you bringing before lawmakers to make the case for getting that budget figure you mentioned earlier?

We're tying all of this to a three-year initiative that I am calling "Secure Colorado." The focus is on the SANS critical security controls in terms of our operational security posture. As I said before, we're focusing on the first five within 12 months, and, over the next three years, we will deploy the rest of the 20.

Other goals include using our existing vendors as partners to help us get this done. One of the things we saw in the past is a lot of activity during the time of renewal, and then everyone disappears until it's time for renewal again. We just can't tolerate that anymore. We are really trying to build into our contracts that you are partnering in our success, and we are going to make it contingent on that. In other words, you only get a portion of this, and the rest is hinging on successful deployment of this product.

We are also working on building the next generation of security workforce. We just started a cybersecurity internship program. Our first two cybersecurity interns started in January. College students. We are working with the different universities on that.

Those are the big areas. The successful implementation of the controls, the public and private relationships and building the workforce.

The data itself is proving quite useful in making our case, too. The number we get, in terms of our network, is that it's getting hit 600,000 times per day by some kind of malicious event. Whether it's scanning, viruses or malware, we can show the escalation in that as well. When you couple that with the stagnation of the funding and resources to the security program, I'm hoping funding will prove to be a no-brainer.

If so, what will be solid progress in a year? What will be some of the benchmarks you point to as proof of success when you need to go back and make the case for funding again?

We have a few benchmarks we set up that we will track closely. I wanted to put those in place before we even started because I knew we would be accountable.


Originally published on CSO.