Transcript: 10/22/09 - CISO Mark Weatherford speech at 8th Annual IT Security Awareness Fair

Chief Information Security Officer Weatherford

IT Security Awareness Fair 2009
October 22, 2009

MR. WEATHERFORD: Well, good morning, and thank you for having me here for the eight annual, eight annual IT Security Awareness Fair.

Leo told me to remind you that if you have questions you can submit them to -- who? To somebody? Or just write them down and --


MR. WEATHERFORD: OK. I'd like to hold all questions till the end, but if you have something burning and you're afraid you're going to forget, go ahead and interrupt me as I'm going along.

I have only my voice to hold you captive today. No slides. So all my usual pretty pictures and things. Not today. Just me.

So I spoke at this event last year, but it was pretty new to California state government and quite frankly unscripted at the time, so I don't really remember a lot of what I said. Actually, I went back and looked through my notes and I didn't have any notes, so I can't reemphasize anything I said last year.

This year, when Leo called and asked if I could keynote, I couldn't resist, because I think I have a few things that you'll be interested in hearing me talk about. And those of you who know me know that I love cyber security. I'm passionate about it, I get jazzed about it, and I want everyone else to be passionate and jazzed about it, too.

Fortunately, I can't think of a better time to have this IT Security Awareness Fair. In the 16 months I've been in CISO in California, I've seen a lot of progress in the way we protect our technology assets, our citizens' information, and the overall awareness of cyber security and state government.

In fact, Governor Schwarzenegger issued a proclamation recognizing October as California Cyber Security Awareness Month for the third straight year.

We also hosted the first ever West Coast kickoff event for National Cyber Security Awareness Month last week, which was a huge success and I think a lot of you participated and attended that. And that was a big deal because it took a lot of coordination between my office, the US Department of Homeland Security and the National Cyber Security Alliance to pull that off. I'm happy to report that they were overwhelmed by the response. We've had about 240 people attend and they've already committed to helping us put it on again next year. Of course, I told them, promised them that we'd have 500 people next year. And I really do think we can do that. We started advertising kind of late this year. We're already planning right now, so I think next year will be a much better event.

And really, that's just an indication of the visibility of each of you in the cyber security business and our overall cyber security program we've got in here in California. And rightfully so. Cyber security issues should have their own month, and the governor should recognize it because it's important. The work we all do in the Office of Information Security, the security management division at OTech, and most importantly the work that each of the state ISO's and other security professionals in every one of our state agencies is critically important to the functioning of government.

I was talking with a personal friend last week, and they said they didn't know that we had so many Information Security Officers in the state. At first I was a little bit insulted by that, but then I thought, you know, that's probably the way it ought to be, that people don't know that we have the kind of infrastructure and the kind of organization that we do have. It means we're doing our job right.

The bottom line, and whether they recognize it or not, information security matters to our customers, the citizens we all serve, and to our own sense of what government should do to protect our citizens' information.

Teddy Roosevelt once said, "Far and away the best prize that life has to offer is the chance to work hard at work worth doing." That's how I feel about cyber security and it's how I hope many of you feel, too. We don't work for the accolades or the recognition, although we're getting a lot more of them, both. Rather, we work in this field because we know it's a job worth doing. Frankly, I'm extremely proud of what we do, and I tell everyone I meet what great things are being done in California on the cyber security plan and about the accomplishment of our Information Security Officers and other security professionals in state government.

So I hope you can tell I wasn't kidding when I said I love this stuff. And those of you who know me do know that I'm very passionate about it.

Today I want to speak about the accomplishments that we've achieved over the past 16 months in my office and working with many of you. And also the ambitious agenda. But more importantly, the effort it's going to take to achieve the next level of maturity as an enterprise information security community. And that's critical.

While I don't have to time to talk about everything we're doing and thinking about, I am going to hit the highlights, which I hope you'll find interesting, or mildly interesting. I hope throughout my comments today you'll find this common theme: The nature of information security is changing. Enterprise is the new buzzword.

Working on our own issues and our own silos is not going to cut it anymore. Our collective future is going to be significantly different than our individual past. And we need to work together to ensure we make our security community's priorities a part of that future.

So without further ado, here are some of the accomplishments from the past 16 months, and my priorities for the next 14 months and beyond.

This important accomplishment, in terms of forging an enterprise view of information security of the past year, is the development of the California Information Security Strategic Plan. I've been talking about this for several months. Many you of you have tired of hearing me talk about it, I'm sure, but we're finally on the verge of releasing it. It's one of those things that I wanted to make sure it's absolutely perfect, but I now find myself changing words that I'd already changed before back to the words they were before, and staff is getting a little annoyed with me for the constant revisions. But we hope to have that out before the end of October.

The plan is both strategic and visionary in scope, and I think in addition to the initiatives I'll talk about in the next part it will set the direction for information security in California for at least the next five years. That's my goal.

Putting this plan together was a collaborative effort, and I think its real beauty is that it's inspiring as well as enabling, presenting very realistic and attainable goals while charting our direction in a new strategic sense.

Another project you've heard me talk a lot about is the Enterprise Information Security Policy Refresh. Many of you have been involved with this and we are now very close to beginning the vetting process. This is a project I'm excited about and many of you relay that you're excited about it because it's the one thing that will help you make a difference in your agency's security programs.

With these new enterprise security policies you will be able to point back to some very definitive state policy guidance to justify requirements that support your security programs.

I don't want to steal his thunder, so I'll just say Patrick McGuire, my deputy, is giving a presentation this afternoon at 12:30 on the Enterprise Information Security Policy Refresh project. I hope that everyone can attend, and not to take away from the other two presentations at 12:30, but this one's really important. Really important. And Patrick can answer a lot of your questions there, too.

Next, we have good news on the telework security standard guidelines. I know that many of you have heard me talk about telework a number of times. I started working on the policy last December. It was a little more difficult than I anticipated for a lot of reasons, but mostly because there's a lot of personnel issues and HR-related issues associated with teleworking, and there's also potential funding implications which raises the level of complexity a little bit.

As many of you know, we've been working with DPA, DTS, and the Telework Advisory Group, and I'm happy to say that telework security standards guidelines have been incorporated into the state telework policy that's currently being reviewed. I think we're more than 90 percent of the way home on this project.

Another project that's been more difficult than I anticipated was the development of a statewide social media policy. It may sound easy, and I thought it was easy, I thought it would be trivial. It's not. There are a lot of moving parts to social media, a lot of things that I had not considered when I originally started. One of the big things is the terms of services agreements with the different social media services that we have to consider.

But I want to make sure we do it right the first time. I don't want to leave anything to chance on this. The good news is we are not the only ones struggling with this. As I began this several months ago, I threw a loop out to other state CISO's to see what they were doing, and the almost unanimous response was, "Let us know when you get it done, because we'll copy yours." (Laughter).

So I think we're a little bit ahead of the game. There are a few states that have rolling out. Utah has a very good policy and guidance out on it. And we're going to plagiarize that as much as we possibly can.

So the good news, we're in the final editing of the social media policy, and we hope to begin the vetting process with everyone in early November.

In the spirit of collaborating and consolidation, our office has been working with the CHP and the California Emergency Management Agency on an incident management partnership project to replace our current instant reporting process with an automated system. I know everyone will be happy about that.

Michelle Robinson, from my office, has moved mountains, literally moved mountains to ensure the successful evolution of rolling this project into the Cal EMA Instant Response Management System Replacement project.

So what we've essentially done is we had already been moving down to the road with a FSR to build an automated instant management program when we discovered that Cal EMA was already doing essentially the same thing. So we were able to get involved with it early, with their project, and simply incorporate our requirements into their project, and it's been a beautiful arrangement. It's a success story, because we'll be able to accommodate the needs of multiple organizations with one project and achieve statewide visibility about information security incidents and the resources required for responding to them.

I think this project will end up saving a lot of money and time as well as providing a better level of service for everyone. And it may be the first example of a statewide consolidation project.

To help support state government information security workforce demands, we are working with the US Department of Homeland Security National Cyber Security Division to develop and implement a state government model for information security and workforce development based on the IT security essential body of knowledge. That is a program that DHS, US DHS put together. And California was one of six states that they invited to come back and participate with them in the development of the security essential body of knowledge for state governments.

We'll be finalizing this model in December after -- and then we can -- we'll bring that model back in -- I didn't. That embarrass you? -- and begin tailoring to meet those specific needs here in California. Really excited about this. I'm a little -- I don't know exactly where it's going to go, but I think it's a good framework that we're going to be able to build on. And this project is another example that shows we're being recognized nationally for the work we're doing in information security at the state government level.

Another accomplishment that's actually the result of work begun at GTC West in 2008 is the progress we've made for a data exchange strategy. I don't know how many of you are familiar with this, but this is truly an important piece of work. The Office of Information Security, at the time led by Colleen Pedroza, in a collaboration with a work group comprised of state, county and city employees -- many of whom I see sitting in here, Kevin -- developed an initiative to establish standardized terms and conditions for data exchange or use and system interconnectivity agreements among government entities.

The primary purpose, focus and intent of the guidelines for establishing data and system interconnectivity agreements between governments is to establish a consistent and reusable framework upon which entities at all levels of California governments, including state, county and city can facilitate their data use exchange, system interconnections and level of services. This document has been requested by a number of other state and local government organizations for their use. It's one of the things -- it's up on our website, by the way -- it's one of the things that we get fairly consistent requests for from other states. A lot of other organizations are using that as a model to build within their own organization.

I've always believed that great information security programs have more than just right policies and practice. They also have the talented and skilled people. We've begun to address this to our partnership with California State University Sacramento; together, we created curricula and have commenced instruction for the first information security leadership academy. In fact, I just spoke with them yesterday and talked with them about security leadership at the executive level. Comprising a mix of technical and management curriculum and focusing on developing future cyber security professionals, the class consists of 19 state and local government employee students.

And we aren't participating in just classroom training. We've also embarked on the Community Cyber Security Maturity Model project, which is a $4 million grant from the Department of Homeland Security and administered by the University of Texas at San Antonio, the Center for Infrastructure Assurance and Security. California was one of three states selected to participate in that CCSMM project and work with two local governments in California in preparation for the 2010 Cyber Storm 3 exercise. We're working with the cities of Sacramento and Palo Alto on this project; Major Steve Maloney from Cal EMA is our project -- is our partner in doing most of the community coordination work, along with Marianne Chick from my office.

So as you can see, the last 16 months have been pretty full of action on the information security front. Those aren't -- that isn't everything that we've accomplished; that's just the highlights. There's been a lot of other day-to-day things that, while significant in their own right, we simply just don't have time to talk about it all.

So while each of these initiatives has value individually, they also have value when viewed collectively.

First of all, they are all philosophically consistent with the idea that information security needs to have an enterprise perspective in order to serve the security needs of each agency and improve the overall security posture of the state enterprise. This idea was fundamental to the establishment of my office by the State Legislature in 2008, and is a cornerstone of the state's overall IT direction.

The transition as a result of the governor's reorganization plan earlier this year, which many of you have been participants in, has further cemented the security component of our future enterprise-driven IT environment. And I think those of you who were here yesterday and heard Teri talk about that realize how important security is to both her and her vision for where she wants to take IT in the state.

I will -- I've said this before, and I just couldn't help but thinking of it again yesterday as Teri was talking -- I don't know of any other CIO in state government that is as supportive of the security efforts and the security programs and the security professionals within their organization as Teri is with us. I can't tell you how much of a relief it is for me to work with Teri. When I bring issues to her, she takes them seriously and, you know, we have a serious policy discussion on them. And I can just tell you having been a CISO in other organizations, it's rare to get that kind of support at the state CIO level.

Second, the work of the past 16 months serve as a building block, but not just the next 14 months of the Schwarzenegger administration, but the strategic vision of the next five years. The initiatives I just spoke about were driven by the value of bringing an enterprise view to information security. Doing this was integral to creating the kind of world class information security program California deserves.

The initiatives I'm now going to talk about are driven by the value of creating a professional and integrated enterprise information security program. When I said that -- when I wrote that, I thought, "What the heck does that mean? What is a professional and integrated information security program?" And I suspect many of you are wondering what that means, too. Let me explain.

I understand it's a bit of a nebulous term, but to me, professional and integrated information security program means three things:

  1. Professional is about people.
  2. Integrated is about the processes.
  3. And the information security program is about the underlying technology.

Anybody recognize a theme there? People, process, technology. These three things, the people, the processes, and the technology, are characterize a professional and integrated information security program.

In the final 14 months of Governor Schwarzenegger's administration, and into the next administration, my focus and the focus of my office is going to be to land squarely on these three areas. Here's what my office will be doing in the next 14 months.

Addressing the area of people, one of the greatest enterprise deficiencies in the overall security posture of California state government are the inconsistencies in qualifications, training and appointing of state Information Security Officers. In fact, many of you have told me that if I could accomplish one thing, it would be to create some standardization for what it takes to be appointed as an Information Security Officer. Too often, due to either ignorance or lack of understanding, state security staff respond to our business partners and other IT requests with, "The answer is no. What's the question?"

We're going to change that perspective, and consistent ISO qualifications are one of the ways we're going to do that. One of my highest priorities of the next three years was just to have a specific skill criteria for agencies when appointing ISO's, and if current ISO's lack those skills, to help them get their required training and experience necessary to do the job.

I'm not under any illusion that this is going to be an easy project, but it's the one thing that will have a long-lasting impact on each and every state agency, on our ability to manage risk or mistake.

I'd also like to extend that vision by establishing a career path within state government for security professionals. I realize that falls in a very hard category. Working with some of the state agencies to do that is a little bit overwhelming just thinking about it. But I think it's important that we at least embark on that, we at least start walking down that road. This will allow us to cultivate, grow and mentor the cyber security professionals California will need to securely carry out the business of government in the future.

Addressing the area of process, it's a common theme in the information security business that you cannot manage what you cannot measure. Equally important, you cannot improve the effectiveness or ineffectiveness of your security program processes without metrics to back you up.

To address this critical issue, I've recently established an enterprise information security metrics workgroup made up of a number of Information Security Officers and security professionals from several state agencies, including a couple of you here today. I've always been a fan of using metrics to tell a security story, but I also understand that used in the wrong way metrics can simply be used as window dressing to camouflage real problems. To that end, this workgroup will be focused on designing metrics that measure for outcomes, not simply activities.

For example, identifying the percentage of email that is blocked as spam is interesting, but it's not really actionable. On the other hand, measuring your agency's time to patch cycle every month following patch Tuesday might uncover some trends that give you insight into you might improve your patch managing process.

My goal for the enterprise information security metrics workgroup is to create a professional and standardized approach to security which will give each of you the measurable support you need to validate and justify security controls and resources within your organizations. One way OIS can help you measure their -- you measure your cyber security program today is by conducting assessments based on missed 853 guidelines. As many of you know, that's what we built the program around, is missed guidelines. The findings from these type of assessments are a great measure of your compliance, but also identify your real gaps in security controls. You can also use the assessment results in your remediation efforts to measure progress. So if you're interested in having us work with you on doing an informal security assessment, let me or my staff know. Gary will be happy to take your name and work with you.

UNIDENTIFIED MALE SPEAKER: Can Gary raise his hand? Thank you.

MR. WEATHERFORD: Wow, somebody's signing up already. I like it.

UNIDENTIFIED MALE SPEAKER: (Inaudible). (Laughter).

MR. WEATHERFORD: OK, finally, addressing the third area of technology, where would we be without security -- or technical controls and security tools to ensure our security programs adequately provide the kind of protection our state businesses and applications demand?

Equally, how will we ever be able to provide accurate visibility into the security posture of our enterprise IT environment without creating some consistencies in technology and some impetus for that enterprise view?

The answer is we can't; therefore, my technology goals are twofold: Focusing on both standards and technical oversight.

First we need to begin defining and following standards for security technologies in California. Just as our state CIO Teri Takai is fond of saying that we won't eliminate all diversity in IT, I don't mean to eliminate all diversity and security products and services either. What I do mean, though, is that state businesses obviously need to continue to have some variety in choosing security products and services, however, the number of those choices needs to be reduced. The state as a whole is simply spending too much money on disparate products and services for us to achieve any kind of economy of scale, and many products and services are not compatible, so we can't even compare apples to apples across state agencies.

In addition, most of the staff training required to manage and administer the myriad of products and services deployed across the state is never completely realized as people move around from agency to agency and products change.

Secondly, we need to incorporate new levels of security oversight into the development and rollout of new business applications and other software. We already have guidelines in place with the FSR process that requires agencies to engage the IT -- the ISO and the IT planning process, but I'm working with the OCIO enterprise architecture group to integrate a security engineer into their process as well. Having technical security expertise involved at the enterprise architecture level will help ensure the state makes good security decisions and doesn't begin a project journey without considering all appropriate security issues early in the game.

In his 1961 speech committing a nation to putting a man on the moon before the end of the decade, President Kennedy said, "If we are to go only halfway, or reduce our sights in the face of difficulty, in my judgment it would be better not to go at all." This is a little bit of a corny analogy and I realize that, but I agree with the statement, and it's how I feel about our charge with protecting California's critical technology assets and information.

However, our security challenges are different in one important aspect. In 1961, going to the moon was a choice. In 2009, California state government doesn't have a choice about dealing with our cyber challenges. There are too many threats, we have too many vulnerabilities, and quite simply, the times demand it. The alternative is negligence.

And that's the final challenge I want to leave you with today. Times are changing. The way we worked in the past does not project into the future. State leadership recognizes it, our citizens expect it, and it's now our turn to do something about it. And we will not go halfway.

Information security professionals in California state government need to continue to move forward building an enterprise-focused professionally skilled and integrated security program. I believe the Office of Information Security is positioning the state to develop and execute just such a program, but I also know that security isn't about just policy and organization. It's about boots on the ground and people doing the heavy lifting. And that part of the challenge falls to you.

And this is what I hope you get from my comments today. Not just the sense that things are changing, but that the state needs you to be part of that change. Not just the sense that we're raising the profile of information security, but the profile begets additional responsibility. Not just a sense of my commitment, but recognition that commitment demands reciprocation.

Many of you have come to me and volunteered to help with our enterprise security vision for California. I thank each of you, but I want new people involved, too. IT has seen too many of the same faces volunteering when there's a lot of other security talent out here in the state that we need to be capitalizing on. I understand that we're all busy, but we're also all part of this enterprise called California. And I want everyone involved in helping create an enterprise security community.

The challenges are great, but so is the opportunity. We'll continue to work hard, as we have always done, to meet to the challenges, not as individuals, but as individuals working in and contributing towards statewide enterprise information security program.

Thank you very much. And I will take questions. (Applause).

No questions? Come on. (Laughter). Yes, sir.


QUESTION: You were saying that you're coming up with a social media policy. Isn't that policy that we have key? I mean, one thing is to have the policy and the mandate, and everybody understands it, but will there be steps in there in order to secure it, and to take action?

MR. WEATHERFORD: Yes, well, so the question is, we're working on a social media policy; will we be able to enforce it?

QUESTION: Thank you.

MR. WEATHERFORD: Well, fortunately, according to staff, (inaudible) have been portioning capabilities for a policy that we issue, are in fact what community security policy with the state has, so, I would say yes. I recognize that a policy developed at the enterprise level is not as (inaudible) as a policy in effect at the agency level. And it should not (inaudible).

So a lot of that (inaudible) will beef up the individual agencies to implement in their individual policy. Does that answer your question?



QUESTION: Sufficiently, yes. The answer is yes.

MR. WEATHERFORD: The short answer's yes.

QUESTION: (inaudible).

MR. WEATHERFORD: So the answer is we're solving (inaudible). But as we do (inaudible) the number of different products and services that we use, then we can (inaudible). Does that kind of answer your question?


MR. WEATHERFORD: The goal is to not have the cluster of different parts out there that are not compatible with each other, that don't share (inaudible). To having a fewer number of (inaudible).

And this is obviously not something that's going to happen overnight. This is a multi (inaudible). And again, working with the enterprise architecture groups, making sure that those things are being worked in the enterprise level.

QUESTION: (inaudible).

MR. WEATHERFORD: You know, there are a lot of -- in my (inaudible), there's a lot of unknowns about this, because the procurement process (inaudible) difficult. And certainly when we start setting -- when we start standardizing on anything, it creates some concerns on (inaudible).

So we have to make sure that we do this (inaudible).

UNIDENTIFIED MALE SPEAKER: To answer your question a little further, the federal government is working very hard right now trying to push, prod and promote vendors (inaudible).

So somebody says, "Hey, you're not going to get this contract unless your product works with that product." That's -- that performance (inaudible).

MR. WEATHERFORD: The federal government is (inaudible) to make sure that when we deliver a product (inaudible).

QUESTION: (inaudible).

MR. WEATHERFORD: You know, it's going to a loose process first, and I think the answer is no, the policy will not be part of the (inaudible) process. What is part of the (inaudible) process now is, as most of you know, any procurement (inaudible) --

UNIDENTIFIED MALE SPEAKER: Can I get you to (inaudible) the mic? Sorry.

UNIDENTIFIED MALE SPEAKER: (inaudible) they can't hear you. (Laughter).


MR. WEATHERFORD: How's that? Not bad. Where as I? (Laughter). I'm sorry?

UNIDENTIFIED FEMALE SPEAKER: Our policy (inaudible) --

MR. WEATHERFORD: Policy our (inaudible). Oh.

As you know, all IT procurements in the state now over $5,000 go through the Office of the Chief Information Officer. That's been a source of concern for some people, but I can tell you that we've caught -- caught may not be the right word. (Laughter). We've seen a few things come through that you think, "Why are they doing that?"

Then we've also seen a few things that said, you know what, there's three other, four other agencies over here going down this one procurement path, and we've got an outlier over here. It might make sense to combine all four or five of these agencies and have them procure the same thing. That way -- it gets us down -- it moves us toward consolidating on that fewer number of products that we've been talking about.

The bottom line is as everything goes through the Office of the CIO, if it has a look of security, my office gets to see it. We get to comment on it. Not necessarily give it a thumbs up or thumbs down, but we can say, you know, this makes sense, or perhaps we can rethink this and we can help them. Maybe they don't about a certain product that might be better suited to their environment.

So I think it is working well so far. It is creating a significant workload on my office that we didn't anticipate. But in the long run I think we're all going to be a lot better off with that.

Nothing hard? The square root of...?

QUESTION: (inaudible). I've always felt the state has missed opportunities. Talk about security, what's it mean to be a security professional? (inaudible). I am not a person (inaudible) a lack of experience that you want me (inaudible) your system. (inaudible).

I've always felt it would be appropriate for (inaudible) to find world class actors slash security experts and offer them up as a service.

MR. WEATHERFORD: I love this. We did not set this up, by the way. (Laughter).

QUESTION: We have to be realistic. I work with an organization of 225 people. We have seven people in IT. I'm scheduled to work Friday, Saturday and Sunday. Because I can't get my work done during a furloughed schedule, I can get done -- my work done during a non-furlough schedule. I don't have the time to commit extra to everything. We need to hire experts at things and make them available for consulting services. Why haven't we done it? It's 2009? (inaudible). (Laughter).

UNIDENTIFIED MALE SPEAKER: My answer to the second question is (inaudible), which is that if the public isn't (inaudible) -- this enterprise is 225 people. You're saying the state -- how big is enterprise?

MR. WEATHERFORD: The enterprise is the state.


MR. WEATHERFORD: His enterprise -- I mean, it's a definitional. His enterprise is his organization.


MR. WEATHERFORD: The state enterprise is the state government IT infrastructure. QUESTION: My question is does (inaudible) -- when we look at this enterprise situation is every agency and department its own being separate and divisible, or is it just a part of a whole body?

MR. WEATHERFORD: (inaudible)?

QUESTION: Or is just a finger of a (inaudible) --


QUESTION: -- there's a separately owned subsidiary of the state of California.


UNIDENTIFIED MALE SPEAKER: Each is its own sideline.


QUESTION: (inaudible).


QUESTION: (inaudible) in his first question.

MR. WEATHERFORD: Yeah, let me get that, please.

QUESTION: (inaudible).

MR. WEATHERFORD: So -- I love you by the way. (Laughter).

QUESTION: So (inaudible). (Laughter). So --

MR. WEATHERFORD: Actually, Carol and Keith and I have talked about this, and Teri and I have talked about this a lot, and when the strategic plan comes out by the end of October it will have some discussion about this very issue. And this is (inaudible) just part of a problem in California right now. We have so many small agencies that do not have the skilled staff or the funding or the resources in general to address those security issues.

So how hard would it be to create an enterprise security operations group that provided those kind of services on a (inaudible) basis? And I asked this questions at a conference here several months ago: How many people would be willing to pay a central organization to do web application scanning once a quarter? That's a question.


MR. WEATHERFORD: Nobody would pay for that?

UNIDENTIFIED MALE SPEAKER: I don't have any money. (Laughter).

MR. WEATHERFORD: We'll build it into rates. (Laughter).

No, the point is there's a whole lot of things that the state can be doing at that enterprise level that requires very little additional overhead. Building the capability once is the hard part. You know, getting a trained -- as you say, an expert once, is the hard part. Buying a tool once is the hard part. If you have a hundred customers, how much more difficult is it to add one more customer or ten more customers? You might have a little bit more overhead.

But that's my goal, is to do exactly what you're talking about and take a whole variety of services -- and again, this is not something that can happen overnight. And I do not have the funding to do it right now, but I'm working on it.

QUESTION: Well, that kind of follows, because, just very briefly, we've gotten -- and we've heard about silos -- we've got to break out of our mind fog here, this groupthink about salaries and benefits we deserve to collect. I want to make a statement (inaudible), because I am a state employee. Right now in the pay structures we can't afford to hire (inaudible) people who are in security that we need to hire who are in security, because if you (inaudible) $200,000 a year you're not going to get them.

MR. WEATHERFORD: Well, that might be a little bit high. (Laughter). I can get some pretty people for 200 grand, I can tell you.

No, but you're absolutely right. But -- and I said it in the speech -- I don't have all the answers for the personnel on how we create that curve app for state cyber security employees, but we're going to address it. We're going to work on it. I'm committed to doing that.

Yes, sir.

QUESTION: I just wanted to follow up on kind of what he was starting to address there. You know, maybe -- I'm not sure if this isn't something that hasn't been thought about or a consideration (inaudible). You're talking about as being (inaudible) maybe paid for a service to actually come and to do the security assessment out of their environment or whatnot. Have you considered as far as whether or not they'll -- (inaudible) money versus making it a requirement for them to have to do that, to be able to identify funding to do that? (inaudible) redirect bodies from within an organization that maybe (inaudible) similar types of activities now? Put people who, Mark, like you say, maybe that's a server that's qualified to be doing that? (inaudible) those qualified people to (inaudible) in your office --

MR. WEATHERFORD: Yes. Yes. The answer is yes. Essentially what he's asking is have we considered recruiting volunteers to help work some of these operational issues in the state? And the answer's yes.

I could point out six or seven people in this room that are working for me in some little way right now doing some research, or doing some analysis, or doing something. We haven't formalized that. And you can -- it's a challenge to do that. I mean, everybody's busy. Nobody has a lot of extra cycles to devote to something that's not in their job description or something they're not being paid for.

But I think the volunteer spirit in the state is pretty good. I mean, I'm pretty overwhelmed sometimes with people coming to me and saying, you know, "I have some spare cycles and I'd really like to work on this with you." You know, I mentioned the enterprise security metrics workgroup. I mentioned it at one meeting and the next day I had eight people on the workgroup, and I shut it off. That's big enough. Although we may -- if anybody has, like, really has a burning desire to participate, let me know.

QUESTION: But then so I wasn't necessarily saying, I mean, you know, it's kind of a voluntary type thing. I guess what I'm saying is it's going out and identifying through some process some of the more qualified talent within state services within the different agencies. And maybe have an ability to cherry pick those people and form a solid group to do what this gentleman over here was talking about.


QUESTION: Actually as a full time job what they're, you know, then they --

MR. WEATHERFORD: As a full time job?

QUESTION: Well, actually, we're moving it from where they're currently working and putting them -- creating a position within your office, or multiple positions within your office, to be a team that goes out and does those security assessments.

QUESTION: And then also (inaudible) --

MR. WEATHERFORD: Well, I would love to do that.

QUESTION: Those services all card your -- he asked you a question if you really could answer it. His question was you've got (inaudible) agencies that paid for this and gives it -- but it's some other way. I don't think (inaudible), but offering it a la carte, there's a list of services being provided. What would you like to take advantage of?

MR. WEATHERFORD: I think there's a marriage of what you both are talking about. There's a marriage there somewhere and we've been talking about that. So -- hang on a sec, Kevin, one second.

QUESTION: Is there somewhere to at the Controller's office (inaudible)? We can't contract ourselves and write our own paychecks?

You know (inaudible) this guy's saying, look, this is a service that the state needs. (inaudible) we have payrolls (inaudible) so for security. But the (inaudible) of security is really to cut back and make sure the whole state is secure.

MR. WEATHERFORD: Unfortunately, government doesn't work that way. (Laughter).


MR. WEATHERFORD: And I wish it did. I wish I had the authority to go out and create this humongous security organization that provided service to every state agency. It doesn't work that way.

Now, I'm not saying that it can't, and we can't -- I mean, we have to nudge it in that direction. But you know, there's a lot of legislation required in what you're talking about right now.

QUESTION: My question is (inaudible) --

MR. WEATHERFORD: OK. And it's not off the table. But we have to build the whole groundswell. And we're doing that. We're getting the right kind of visibility, you know, in the state agencies and I think up to the governor's office and the legislature. Some people are starting to ask -- I know, he's going to run over here and grab me any second now. (Laughter).

OK, Kevin.

UNIDENTIFIED MALE SPEAKER: To answer your question (inaudible) --

MR. WEATHERFORD: You're on the clock.

UNIDENTIFIED MALE SPEAKER: I know. This came up at the (inaudible) roundtable last night. (inaudible). How do we provide services to agencies that can't afford it? Now, I have to say -- because I'm the education director of -- we have -- we as a group have said that, you know, if we can (inaudible) somehow work it out, we'll be glad to come to your agencies and give you a hand. And I'll guarantee it's not going to cut out the clock. (inaudible).

If he says I want you, is his agency going to lend help? And without a lot of political pull behind him, he's -- they're not going to let him go to work for him unless there's a clock (inaudible).

Then you get into personnel. How do you (inaudible)?

MR. WEATHERFORD: So Kevin's basically talking about all the challenges that -- and, you know, I'm a security guy. I'm not a personnel and HR guy, you know? I've got to go, you know, have people explain very simple stuff to me all the time about, you know, personnel policies and HR policies in California.

But it's on my mind.

QUESTION: I actually was scheduled to go to another agency that volunteered to do some work with them, so their CIO left. Basically they wanted to me to (inaudible).


MR. WEATHERFORD: OK, Kevin. Speak loudly.


MR. WEATHERFORD: Oh no, no, no, no. You can't answer three questions, Kevin, because your questions are too hard. (Laughter).

UNIDENTIFIED MALE SPEAKER: You said that you guys had overhead (inaudible).

MR. WEATHERFORD: State government IT procurement.


MR. WEATHERFORD: I didn't say you guys here. I said the Office of the CIO.

UNIDENTIFIED MALE SPEAKER: OK. But what I'm saying is that that's not what (inaudible).

MR. WEATHERFORD: No, it's not elective. That --


MR. WEATHERFORD: Oh, I'm sorry. Elected. I don't think that's codified in statute. I don't think it includes elected. I don't think -- but elected officials do not -- I don't know. I don't know how to answer your question, Kevin.


MR. WEATHERFORD: I can find out, though.

UNIDENTIFIED MALE SPEAKER: I think that's important to the strategy (inaudible) --

MR. WEATHERFORD: Well, let me address that a little quickly. Quite frankly, if I could get my arms around the executive branch, I would be, like, I would the happiest guy in the world, you know, because if we can get our arms around the executive branch the elected officials will come to us. You know, if we build the service, if we build the organization, if we build the skills, the elected officials -- they would be -- I can't say certain things -- they will come to us. They will want to participate in that, because if we can do things faster, smarter, cheaper than they can do it, they'll want to participate.

OK, number two.

UNIDENTIFIED MALE SPEAKER: OK, the other one is under the (inaudible)?

And that kind of goes to some of the questions I've been hearing about standardization of security requirements and all that stuff (inaudible). If we can actually play with (inaudible) --

MR. WEATHERFORD: Now, I've got admit, Kevin, I had not thought of that one. That is a great idea. Send me a note on that, would you?


MR. WEATHERFORD: Seriously, that's a good idea.

UNIDENTIFIED MALE SPEAKER: We've been talking about that for 15 years.

MR. WEATHERFORD: Then I've been out of the loop I guess.


MR. WEATHERFORD: See, I could tell you -- wow. OK, number three.

UNIDENTIFIED MALE SPEAKER: (Inaudible) from a strategy standpoint (inaudible) --

MR. WEATHERFORD: Oh, that's my blackberry probably. OK, sorry.


MR. WEATHERFORD: I can tell you that the CIO is actively working with DGS on that very issue. We are going to solve that one this year. For real. Before the end of the administration. We're going to solve that. I'm convinced.


MR. WEATHERFORD: One other thing I want to talk briefly -- because it kind of goes along with what we're talking about here. We're matrixing and sharing services.

How many ISO's are in here? How many ISO's -- how many of you, your ISO job is a small portion of your real job? That's the way it is in most state government agencies. Especially in some of the smaller organizations you have the title of ISO but you really only devote five percent of your time to doing security officer functions.

So I have this idea, and I'm just going to throw this out, and throw rocks at it if you want. What if the state were to create a cadre of Information Security Officers, qualified Information Security Officers, and they were able to say you're an agency of 200 people, you're an agency of 400 people, you're an agency of 100 people, you're an agency of 20 people. We have one ISO that says, you know what? I can be the ISO for these four different agencies. I can handle the responsibilities for these four agencies. I can make sure the policies are up to date, I can make sure they're doing their assessments and audits on a regular basis, make sure they're submitting their annual disaster recovery plan, they're doing their annual disaster recovery testing. All those things than an ISO is kind of responsible for.

How would that work? Does that sound like a reasonable idea?

UNIDENTIFIED MALE SPEAKER: I mean, are you dependent on the size of the organization as well as the -- how the organizations work with each other? You wouldn't want to have any conflict of interest between the two. (inaudible) --

MR. WEATHERFORD: I'm not saying I've answered all -- I mean I solved all that, but we have got -- and it goes back to your question. We have got to figure how to help some of these smaller agencies that don't -- and then -- and quite frankly are never going to have the resources to hire good, qualified security people.

But it kind of goes along with the other thing I mentioned is we need to have good, qualified Information Security Officers first. And I am going to fix that one.

Yes, sir?

QUESTION: Just include in that a geographic (inaudible) --

MR. WEATHERFORD: Sure. Obviously, you know, you don't want to have somebody responsible for San Diego and Eureka.

Yes, sir.

vQUESTION: My question is if you did that (inaudible) the agency, the department, then --

MR. WEATHERFORD: (inaudible) --

QUESTION: Who would be the head person over that person? I mean, it's --

MR. WEATHERFORD: Me. (Laughter).

QUESTION: Would they report to you? Would they work for you or would they work for and individual department? And that's where I (inaudible) --

MR. WEATHERFORD: Yeah. Well, I don't know, you know. I think they will work for some centralized organization like me.

QUESTION: (inaudible).

MR. WEATHERFORD: Right. Right. But you know -- and I'm not, again, I'm not saying I've solved this completely. You know, there'd be some competing loyalties, perhaps, and you would never -- there might be some organizations that you want -- you wouldn't want them to be responsible for organizations that had competing interests or something. I'm not sure.

QUESTION: Couldn't that be done at the agency level? (inaudible) to have an agency with a number of small --

MR. WEATHERFORD: We could be.

QUESTION: And, I mean, they could do that right now. It's not going to stop them.

MR. WEATHERFORD: So -- OK. So one of the things -- one of the -- I called together another workgroup a while back, and we started talking about -- you know how we have AIO's, Agency Information Officers? They're essentially responsible for all of the departments and organizations. And my thought is that we'll create an Agency Information Security Officer that the ISO's within the agencies can have dotted line back up to that Agency ISO.

You know, we need to centralize the control, a little bit, centralize some of the responsibility. So right now the AIO's, they have no -- in most cases, they have no input into what the ISO's at the department level below them are doing. And I can tell you, I get involved quite regularly, that an ISO calling me and saying, "I have an" -- or an AIO call me -- or even CIO's called me and said, "I have an ISO that's just did this stupid thing and it's causing me all kinds of problems, and what are you going to do about it?" (Laughter).

You know what I say? "Sorry." (inaudible). OK, Kevin, last time. (Laughter).

UNIDENTIFIED MALE SPEAKER: (inaudible). To answer her question, there was a point of time, at least in my agency, where our ISO reported to the exec, and it was a terrible relationship. So there has -- I think there has to be a degree of separation of the ISO's in their reporting chain. Perhaps (inaudible).

MR. WEATHERFORD: Yeah. And so we're looking at all these different things right now. In fact, I've been working with Gardner -- is Gardner in here, somebody? I've been working with Gardner on this. We've held a couple of kind of focus groups and putting together a model that I hope that we'll be able to roll out maybe before the end of the year.

You know, there's always the issue of, well, who's going to pay for this person? And that's a valid issue. But a lot of the agencies, a lot of the AIO's, are saying, "I'll find a way. If you can help us create the position and create the responsibilities at the agency level for an Information Security Officer, I'll find a way to fund a PY to do that."

Somebody have a -- Kevin? (inaudible), do you have a question?


QUESTION: Well, you talk about bringing --

MR. WEATHERFORD: Gary's one of my new superstars, by the way, in case anyone doesn't know.

QUESTION: (inaudible). You talk about bringing people together and bringing the whole organization under some form of collaboration. We've still got, I believe, 90 agencies that have never reported into that.


QUESTION: Those agencies (inaudible) --

MR. WEATHERFORD: OK. Those of you who didn't hear what Gary said, there are over 90 agencies that have never reported a security incident to the Office of Information Security.

There are three reasons for that. (Laughter). Three possible reasons. They either have very good security controls and they have never security incidents; they're having security incidents and choosing not to report; or they don't know they're having security incidents. (Laughter).

That's one of Gary's new jobs, by the way. Shameless plug. (Laughter).

Katrina, again, everybody in this room should know Katrina.

UNIDENTIFIED FEMALE SPEAKER: On the phone, that is. (Laughter).

MR. WEATHERFORD: On the phone. This is Katrina.


MR. WEATHERFORD: Katrina is the one -- she does more work than any other ten people I know. She handles all of the incidents that get reported into the office, catalogues them, categorizes them, works with state agencies to figure out what next steps, who do we need to call? So many of you have probably talked -- that's her in the flesh.

OK, we are about out of time. But --



MR. WEATHERFORD: What? Drawing?



Thank you all very much. I hope this was useful. (Applause). And I am always looking for volunteers, so if you have a specific talent or skill, call me and I will find someplace to put you, to utilize you.

UNIDENTIFIED MALE SPEAKER: So the first (inaudible) of us who put in for -- Burton Group was gracious enough to give us a $50 Amazon gift card. So did you read -- now read Mark Weatherford off of this list. (Laughter).

MR. WEATHERFORD: I didn't -- you didn't tell me I couldn't put one in, man.


MR. WEATHERFORD: Can I read it?



MR. WAGNER: Woohoo! (Applause).

MR. WEATHERFORD: Fifty bucks for coming today, man. Does it get any better than that? Sheesh.

UNIDENTIFIED MALE SPEAKER: It just might. Come on up.

UNIDENTIFIED MALE SPEAKER: (inaudible). (Laughter).

MR. WEATHERFORD: I don't think so, actually.


MR. WEATHERFORD: Protect your policy. Way to avoid that one, (inaudible). (Laughter).


UNIDENTIFIED MALE SPEAKER: Seriously. The second one is from TIBCO, one of our sponsors, the sponsors for lunch is also a round of golf with Roger Craig.

MR. WEATHERFORD: Well, so long. Let me -- (Laughter).


MR. WEATHERFORD: I didn't pick that one. (inaudible). I'll read it. Pam Linnell (PH). (Applause). Wait a minute. Do you play golf?


MR. WEATHERFORD: Do you know who Roger Craig is?


MR. WEATHERFORD: OK. (Laughter).

UNIDENTIFIED FEMALE SPEAKER: I was planning just to Google him.

MR. WEATHERFORD: OK. Thank you very much. (Applause).