Agnes Kirk | Chief Information Security Officer, State Office of Cybersecurity/WaTech
Agnes Kirk is a member of the WaTech Leadership Team, and as the Chief Information Security Officer (CISO) for the State of Washington she helms the new State Office of Cybersecurity. A frequent speaker at local and national security events, Agnes was selected by Government Technology Magazine as one of the nation's Top 25 Doers, Dreamers and Drivers. She is a member of the State's Domestic Security Executive Group, has served on the Executive Committee of the Multi-State ISAC, is a past Vice-President of the Rainier Chapter of ISSA and a steering committee member of the Puget Sound Alliance for Cyber Security, and chairs the State of Washington Computer Incident Response Center.
WaTech Communications Director, Marilyn Freeman, spoke with Agnes about her re-imagined role as the State CISO.
Freeman: Agnes, “Security” appears at the top level of WaTech, organizationally. That's a big distinction from earlier incarnations of the state's central IT agencies. What is the scope of this new State Office of Cybersecurity?
Kirk: The new Cybersecurity Office is strategically rather than operationally oriented with a great deal of attention on our authorizing environment. Our focus includes garnering executive support and advising the legislature and other policy makers on IT security strategy and investments. We'll work to bring together public and private sector partners to proactively work together on the state's overall security posture. We'll work to provide greater support for agencies and staff to implement security measures. Plus, I'm very excited about establishing a Washington state Information Sharing and Analysis Center.
Specific groups within the Cybersecurity Office include:
- WA Cybersecurity and Communications Integration Center
- WA Computer Emergency Readiness Team
- WA Information Sharing Analysis Center (ISAC)
- Security Policy / Architecture & Projects
What's different about your new job as the State CISO compared to your pre-WaTech CISO role?
A big change is that I won't have responsibility for the agency's security operations teams that provide perimeter security, secure gateways and remote access services. I will really miss them. They are a dedicated team of professionals that provide critical services to our agencies and the citizens.
In my new role I'll be far more active in advising policy experts and lawmakers on IT security strategy and investments. My new work strengthens the State's efforts to raise visibility and to strategically cultivate support in both the public and private sectors in order to ensure economic resilience. One of those efforts is the upcoming Governor's Security and Privacy Summit that will be held in Seattle in January. We'll be sharing more information about that in the coming months. I'm also charged to expand our partnerships and to coordinate more closely with the critical infrastructure sector.
We'll tackle common enterprise-wide security needs of our customers' businesses and bring greater capabilities to all agencies. For example, we are creating a statewide certification and accreditation program of Internet facing applications. That project will include training developers in secure coding best practices, code testing, and so forth before publishing applications for public consumption.
Overall, the greatest change that comes with my new role is the chance to reframe the security conversation to a business-driven dialogue.
In our context—state government—what's the difference between “Security” and “Privacy”?
I think Michael Cockrill said it well at a recent Technology Services Board (TSB) meeting – Security is a technology function that protects access to data; protects against unauthorized access to information. Privacy is a legal function that determines when information should be deliberately disclosed; when and how it should be disclosed. Where they come together is in protecting someone's private, protected information against unauthorized disclosure.
How do you imagine your Security team might work with our state's new Chief Privacy Officer, Alex Alben?
Alex brings a wealth of experience and an important perspective to the table! I see security and privacy as two sides of the same coin. Both security and privacy need to be by design. Both need to be thoughtful and deliberate. I think Alex and I agree that we need to work closely together because it is all about protecting the right data. I'm glad he's part of our new agency and I really appreciate working with him.
What are you hoping is made possible for the security realm by the advent of this new agency?
I want to change the conversation from a security conversation to a business conversation. We want to understand what is important to our stakeholders. We want to know how we can help them meet their missions/goals, enhance or protect our state's reputation, help contain costs, and reduce risk.
I hope for an opportunity to focus on better support for agencies and staff to implement security best practices. And I hope to help our top level executives and the legislature understand why they should care about, and what they can do to support, good security as they deliver their core mission. Security is an enabler to support their goals.
I've heard rumors – well, actually you shared a little bit of this with me a few weeks ago—that you're aiming to organize a Security Summit. What can you tell us about that at this point?
Yes, we are currently in the planning stages of organizing a Security and Privacy Summit on behalf of the Governor to be held in January. This summit is in support of our goal of bringing national level visibility and support from our Federal partners and bringing together public and private sector executives for the common goal of ensuring economic resiliency in a connected world. Security and privacy go hand-in-hand and are at the top of one's mind (or should be) for all executives and decision makers, regardless of industry. Right now the plan is a two-day summit with different tracks targeting different levels of the organizations. The target audience is legislators, agency executives, critical infrastructure executives, local government executives, and other decision makers.
What kinds of activities do you see other states doing with security that might inspire our work (or your work) here in Washington State?
The great part about being part of many security community networks through MS-ISAC, NASCIO, PACCISO, etc. is that we are all willing to share our successes and failures with each other. The web application certification and accreditation project we will be launching is actually an idea that came from the state of Pennsylvania. I talked with them about their implementation of this program about one year ago. They were very helpful in describing their program, lessons learned and what they would do differently if they were to start over today. Our hope is that we can learn from others and not experience the same bumps.
As Chief Information Security Officer, do you see your role as one that will champion policies that involve security improvements, and do you see a need for more or different security-related policy?
My primary concern is increasing the security posture of state government to ensure the appropriate protection of the data entrusted to us by our citizens and businesses. We'll do this through policy and strategies aligned with the goals I mentioned earlier: helping executives understand why security and privacy are important and how they influence that in their roles; developing appropriate security policies to ensure we utilize best practices in our security controls; keeping up with emerging technologies; and ensuring security policies appropriately enable rather than prevent the ability to serve our citizens and businesses.
Open data is an increasingly important aspect of government today, and society at large. How do you see the state balancing the tension between an Open Data Initiative and Security?
Open data is definitely an important part of transparency and making data available through self-service is a huge part of the value proposition. On the other hand, that means that it is even more important to ensure that we have a robust process to deliberately determine what information should be made available. Security and privacy continue to be a big concern when aggregation of data is possible that could result in unintended consequences.
What new activities or investments might we expect to see regarding state Security by the end of the calendar year?
That is a good question! We kind of need to wait until we end the Legislative session to see what laws are passed and have a budget to see what that means for us.
What book or books are you reading now?
Reality Based Leadership by Cy Wakeman
What question were you afraid I'd ask?
I would never tell!