The CISO's Desk (December 2023)

A year of progress

As we reach my first-anniversary date here at WaTech’s state Office of Cybersecurity (OCS), I thought I would review some of what has occurred in the past 12 months. It has been quite a ride.

There have been significant changes in the past year. Let's highlight a few:

  • The team is almost done rewriting the information security policies and standards 141.10. This has been a massive undertaking for everyone involved, not just OCS. 141.10 was a single document that was difficult to consume and made it hard to understand where agencies needed to achieve compliance. The OCS team has successfully transformed an outdated and complex set of documents into a more manageable and easily understandable format while aligning them with the National Institute of Standards and Technology (NIST) and Center for Internet Security (CIS) standards. The task is expected to be completed just after the end of 2023, with all rewrites done, and final adoption is expected by the end of the first quarter of 2024.
  • We recently switched to BlueVoyant as our Managed Security Service Provider for our Security Operations Center (SOC). We expect they will increase our capacity, support, and capabilities. The onboarding process with BlueVoyant has been ongoing for the past nine months, and agencies have been working to complete it. However, it's important to note that WaTech has complete visibility into all statewide alerts and works with agencies to triage them.
  • OCS organized various training opportunities for state information technology and security practitioners. Since May, we have successfully conducted the Holistic Information Security Practitioner course for 115 state employees. SecurIn, our vulnerability management service provider, also conducted two-day seminars in the spring and fall. These sessions focused on the proper utilization and enhanced features of the platform. A variety of agencies sent 40 to 60 technical team members to participate in each seminar.
  • CloudRange has recently provided opportunities for information security staff to test their capabilities in addressing security incidents in a real-world "live fire" environment. This platform simulates actual incidents in a safe environment, allowing participants to test their incident response skills and learn ways to address situations that may occur in real-life scenarios. It's a great way for security professionals to gain practical experience and improve their skills in a safe and controlled environment. 
  • October's Cybersecurity Awareness Month was a success, with over 900 state employees participating in numerous events, including four Kahoot quizzes, weekly random participant drawings, and an escape room. Short awareness videos, CyberBytes, featured our very own Jack Potter, and we had thirteen informational presentations throughout the month. This content was archived and is available on our website.
  • When I joined OCS last December, we faced a significant challenge: a 30% vacancy rate within the team. However, we have put in a lot of hard work to address this issue, including rewriting position descriptions, reallocating positions to serve our customers better, and conducting numerous interviews. As a result, the vacancy rate has now dropped by more than half, to 13%, and we expect to fill most of the remaining open positions either by the end of this year or shortly after January 1, 2024. 
  • Our Program and Policy branch has implemented a Risk Assessment service. This service is positioned to assist agencies in identifying, analyzing, and evaluating potential threats and vulnerabilities that may affect the confidentiality, integrity, and availability of their information assets. Such an assessment helps to determine the likelihood and impact of various risks and to prioritize the appropriate mitigation strategies and controls. It also enables the agency to align its security objectives with its business goals, comply with relevant laws and regulations, and protect its reputation and stakeholder interests.
  • The Security Design Review Team has had an extraordinary year. As of today, December 1, this team has closed 297 Security Design Reviews. This compares with 69 in 2020, 82 in 2021, and 110 in 2022, making this year's total almost triple that of 2022.

Of course, in addition to these highlights, OCS continues to work to improve the support we provide to our customer agencies and ensure the ongoing confidentiality, integrity, and availability of the State information assets. 

Ralph Johnson

State Chief Information Security Officer