Transcript: 10/14/09 - Cyber Security West 2009

Cyber Security West 2009
Sacramento, CA

October 14, 2009

MS. TAKAI: Good morning, everyone. (Good morning).

You know, when Mark said that I would be Chief Information Security Officer, I thought I got promoted. (Laughter). Not bad, huh?

Well, this morning, first of all, I want to welcome all of you, not only just for myself, but also welcome you all for -- as part of (inaudible) shorter stand in for the governor. The governor had hoped to be here today, but, as you can well imagine, his schedule is, you know, variable depending on the day. Clearly there are a number of crises facing us just on a daily basis.

And so, first of all, I want to just thank everybody for being here. And I also want to add his thoughts to the importance of Cyber Security Week. I think many of you know that he issued a proclamation regarding Cyber Security Week, and he continues to be very interested in not only information technology but the importance of the information security component in that.

What I’d like to do today is to -- for those of you in state government -- is to kind of put all of our efforts and the things that we’ve been working on as the Office of the Chief Information Officer in the context of why we are doing it from a security perspective. For those of you that are in state government, I think sometimes it looks like we’re sort of just randomly doing things. (inaudible) reality, well, unfortunately sometimes it looks like that, there’s a method to the madness and there’s a reason why we’re organizing in a way that we are. And one of those reasons, and one of the top reasons on our list, really, is around information security.

So I’d like to be able to do that, and then also just talk a little bit and really emphasize what Mark and other speakers today are going to be talking about, which is really the concept and really the point around shared responsibility. I don’t think that there is a greater threat certainly to us at the point of protection of citizen information. There’s not a threat -- a greater threat to us, I think, across the nation than what is happening from a cyber security perspective.

Our world is now effectively based in all of the information systems that we all use or support or -- in the (inaudible) community, those of you that have been our great partners in supporting us. Nothing runs if it doesn’t run on our back end infrastructure and our systems. You know, it’s an interesting phenomenon and I often think that there are some officials who think that if the systems don’t run, we can somehow or another go back to paper and pencil. And those days are really gone, as all of you know, but I’m not sure that we’ve necessarily got that message out across to all of the officials and all of the individuals that provide our funding, but that also provide and support the importance of the work that we do.

And so I think venues like this where all of you can come together, who are the experts in this field, talk and share ideas, but also look at how we can continue to raise the awareness. And that is why I’m so thankful for the partnership, really, of the number of folks that are being here today, our vigorous support for the organization, support Department of Homeland Security, as well as the vendor (inaudible) sponsors, and also e.Republic for helping us to put this on.

As California residents and businesses are inventing a new and exciting future in information technology, California state government has to be a part of that transformation. Building a dynamic and (inaudible) statewide IT program really requires a strong security component, not only to meet the obligations of good government, but to engender the trust from citizens as we move to being a leader in online citizen-centric and transparent government.

I’m going to take a little bit of a moment here to really thank everyone in the room from California state government, because I think as you know, we are moving to be much more citizen-centric and put more and more services out on the web. All of you who are California residents, we want to be able to provide the right services to you in the easiest way possible.

And we’ve been able to move up to, this year, a number two ranking as the number two website in the nation amongst all the states. And while we’re tremendously proud of that, even though we’re shooting for number one, that really does require us to be more and more vigilant about how we manage security and how we protect the information that really now is coming into us more and more through our web interactions with the citizens.

And I want to thank Governor Schwarzenegger again for his support; and just also say thank you to Mark Weatherford. We are honored and privileged to have Mark with us. We’re really -- we really are excited to have him as our chief information security officer. He comes to us with a vast amount of experience and I think he’s really going to be able to help us move the program ahead.

So (inaudible) when it comes to managing and protecting our technology access California is on the move. The initiatives we’ve undertaken in the last 22 months characterize our enterprise approach to information technology. And I think many of you’ve heard me speak before about enterprise, enterprise, enterprise. How we want to move away from the way that we operate today, which is very much in (inaudible), and we’re very much more to a statewide approach. And we’re moving in this direction in cyber security and information security.

The actions we’ve undertaken are not just philosophically consistent with our enterprise direction, but they’re operationally consistent. And that’s really what I want to talk about today. Our drive towards consolidation and efficiency will enable California to operate in a standard way, control our technology assets, and provide consistent training and qualifications. A strategic, efficient and consolidated technology environment where the state purchases, plans and deploys its information technology in a standard and consistent way really allows us to improve the enterprise security posture of the state. And we’ve undertaken a number of initiatives that help us to get there.

For example, and this is a list of all the things that we’ve been working on -- but I want to put them in security context for you. Our enterprise architecture group and our enterprise architecture has been hard at work really working around and on our state enterprise architecture. And this has been done in conjunction with all the departments and agencies. All the departments and agencies have been asked to create their enterprise architecture for their organization. And what we’ve asked is, in going forward, the agencies and departments look to standardize on those components in their enterprise architecture.

Now are we expecting there to be one enterprise architecture for the state? No. And as you’ve heard me say before, for those of you that have heard me speak, right now we don’t even have 130, which is the number of CIOs that we have. We tend to select our architecture based upon the projects and the individual points in time that we purchase. And what’s important is that we’re purchasing in a way that gives us more standardization so then we can protect that in a much more standard and uniform way for a lot less cost. So we’re not saying it has to be one way, but we’re saying it has to be less than the 130, and even more than 130 ways that we do it today.

Mark is completing our first information security strategic plan. And this document will really give us the roadmap for a value-driven way that we can approach security issues, adopt security technologies, and really protect our information security going forward. It really creates and it actually puts out a document that talks through our information security plan.

That plan will be posted on our website with all the rest of our information strategic plan -- our informations -- CIO strategic plans, our IT capital planning process, and our enterprise architecture. So again, we will be planning to make all of these documents transparent so that all of you have an opportunity to see what our complete set of plans are.

The second leg that you can see here listed is our capital planning process. Now, for many of you that aren’t familiar with that process, we asked the departments to project a five-year plan for what they intend to do from a project perspective in the future. Why is that important? Well, really in conjunction with our consolidation efforts, it gives us a better five-year long term plan of what we are going to be purchasing. And it gives us a way to ensure that security is a part of the projects as we’re conceptualizing of them, as we’re planning for them, and more important, as we’re determining what their costs are.

As many of you know, it’s impossible to retrofit all of the security that we need in projects. We need to be able to think about security as a major component as we’re planning projects, leveraging the technology that we’re buying, and ensuring then that the security that is embedded in all of our planning -- and that’s not only from a development perspective, but it’s also from an infrastructure perspective to make sure that we’re thinking about disaster recovery, we’re thinking about back up, all of that, in the initial planning for the project.

We’re also pursuing collaborative efforts, and Mark talked about those a bit. I’ll just talk about a couple of the other ones that we’re working on. We’re working with Cal EMA -- who’s here from Cal EMA? Raise your hand. All right. We’re working with Cal EMA on -- the reason you see the Homeland Security grant for cyber security assessment and tabletop exercises and are working with us, as Mark said, on the community cyber security (inaudible) model and moving forward on the cyber security challenge work.

In addition, we’re working with Cal EMA to replace response information management system with a more robust enterprise application to better meet the needs of the state. And these are just only a couple of the things that we’re working together with other agencies on to ensure that we have a robust information security program.

Next we’re defining the data strategy. Now that might seem strange to talk to you about an information security program, but it really is also extremely important that we really manage our data from creation to destruction. This involves designing the architecture to meet our customers’ needs, integration and planning data migration, storage management, business continuity, and finally, making sure that we’re tracking our information all the way from its inception to the point of destruction.

We continue to mature our statewide disaster management program to address disaster recovery for all mission critical systems. For those of you who are familiar with our state data centers, we are currently in the process of moving out of a data center that actually used to be and is now -- we’re close to being out of it -- it’s actually in an old cannery building. And they call it the cannery because it was a cannery. And unfortunately it’s at the intersection of two major streets here in Sacramento. And we’ve been talking about this and talking about it for the longest time, and by the beginning of early part of first quarter of next year we’ll actually be moved out of that facility. And we actually consider it a big win because we’ll be sharing the facility out in Vacaville, one of the other state partners. So it’s one thing to talk about cyber security upfront, but it’s also important that we secure our physical assets and that we’re assured that our data’s residing in a secure facility.

Now, all of these initiatives connect and support one another, and they support one another because they give us a way of bringing together all of the components of our new projects, of our existing infrastructure, and of looking at how we want our architecture to look like in the future. And if you connect the dots a different way, I think you’ll see that what we’re doing is really creating a foundation for where we want California to be, not only from an information technology perspective overall, but again to be able to protect our information and to really have a robust information security program.

So we’re bringing our information technology security house in order. We’re doing so not just to do all the benefits today, but to position ourselves for the challenges of the future. Again, as the scene for today’s conference, which I think is fabulous, is really about our shared responsibilities. And this is fitting, because addressing future cyber security challenges isn’t just going to be a state responsibility, it isn’t going to be just the responsibility of each of you individually; our goal is to position California to be a partner in protecting our residents and businesses from cyber crimes and information security lapses.

Well, partnership isn’t just all about me talking about the state. It really is one of the things that we expect from all of you as being equal partners in moving us forward. For those of you that are state employees, the buck really stops with you as it relates to cyber security and protecting citizen information. We need to be more proactive in educating ourselves, but all of you can be proactive in educating your peers, your friends, the organizations that you serve, that the importance is that we’re all responsible for very critical information. And sometimes it just is data to us, not because we don’t care, but because we get busy, because we’ve got lots to do, and we always need to be aware that those data really relate to a citizen in the state that’s really expecting us to protect that information.

We see (inaudible) that our personal actions can result in security breaches. So a robust information security program isn’t just about policies or procedures that all of us can put up, but it’s really about how we on a day-to-day take a personal responsibility for protecting that information.

For our local government partners, you deliver the services very often that we either helped you to support, or services that you provided a citizen and so you really are much closer to the citizens in many, many ways. We need to collaborate with you on the security aspect of shared applications, of looking at things in a shared way to ensure that our constituents and the organizations are really prepared around the perimeter that you’re responsible for.

For the federal government, we look to you to continue shining a spotlight on cyber security issues. We will gain more traction from our efforts if we can go out and talk about the collaboration from a federal government perspective with the state, down to the local level, that this is really much more about -- particularly as we’re looking to get precious budget dollars in order to be able to make sure that we can push these projects out. And those dollars have to come not only to the state, but they really need to go down to the local level in order to make a big impact.

For our business partners, we want to make sure that we’re continuing to cooperate with you. So we’re looking at the innovative solutions that you’re bringing forward, but we’re doing that in a cost effective and efficient manner. You really are our eyes and ears into what’s happening out there in many ways, and you’re our eyes and ears into what are the kinds of technology changes, what are some of the innovations that we should be looking for.

And finally, for our private and nonprofit partners, we really appreciate your vigilance and your attention to this. But it’s important that we really continue to collaborate, because so many of the challenges that we face don’t necessarily come into the state. They come into you at your home computer which then effectively comes into the state, it comes into a business and then comes into a state. And so all of that means that we all have to be vigilant and we all have to be talking to each other, because it’s no longer a case where an attack is going to come in at one place. As all of you know, and I’m not telling you anything new, the attacks are coming from everywhere and they’re increasing, they’re growing in size, they’re growing in complexity, and our ability to share and collaborate, but also to be able to communicate when one of these incidents occurs is what’s so very important going forward.

These are the expectations of our citizens. As we move toward the future, it’s with the understanding that addressing future cyber security threats will require everyone to work together. Our collective future will be significantly different from our individual past. This conference is a chance to reflect strategically on what that future means for all of us. You’ve got a great agenda today with representatives from local government, state government, federal government and private sector. I know that all of their experiences and all of their knowledge will help to grow our collective wisdom.

But finally what I’d like to do is really thank all of you. While the things I’ve talked about are important, while the strategic plans are important, while it’s important for us to set our future, what’s really important is the dedication that all of you show on a daily basis, not only by being here today, to want to continue to improve, but by taking time out of your busy schedule when you’ve got lots of stuff coming up back at the office. You’ve got email, you’ve got database challenges. But all of you on a daily basis care about this issue very, very deeply. And I know that by all of us working together, we’ll be able to continue to improve and to continue to make a difference.

Thank you. (Applause).