As the chief information security officer (CISO) of Fairfax County, Va., which was named best in technology management by the National Association of Counties, and the chairman of the National Capital Region’s CISO committee, Michael Dent has been at the center of his county’s information security practices. Dent sat down with 21st Century State & Local to discuss his experiences in the field and recommendations for other local CISOs.
MeriTalk: Tell me about what you do as the CISO for Fairfax County.
Dent: I’m responsible for every aspect of data enterprise security as it deals with the IT and technology that we have in the county. In Fairfax County we have over 60 agencies; each of those agencies is a business in and of itself. The county, demographics-wise, we’re 400 square miles. From a population standpoint we’re probably bigger than eight states, we have 1.5 million citizens, plus or minus. Every citizen in this county is IT-centric pretty much, they know IT, so they expect a lot from their local government.
My mission and the mission of my staff here is to enable business securely. Most CISOs get the reputation of being “no,” but that’s not how we operate. We work very hard to make sure that what our citizens need from us as a government we provide it. And we provide it in a way where they can trust that their data is protected.
MeriTalk: What do you find unique about working in a local government IT space?
Dent: Having come from the state, the bureaucracy, I guess, at the state level and maybe higher at the Federal is more. Here, I’m directly in contact with any of the agency heads, anyone that wants to do business or do something from an IT standpoint. I have a unique reporting structure in that I report to the CTO [chief technology officer] for administrative, budgetary issues, things like that, but then for any risk I go directly to the county executive and I report to him on any risk matters, anything that’s going on. If they need to make decisions, I can go directly to him whenever I need to. In most places, the CISO has to go through many layers before they can get to the top.
MeriTalk: Are there any projects or things that you’re working on right now that you find particularly exciting?
Dent: One of the projects that we’re in production with right now is that we replaced our endpoint protection, traditional antivirus that we used to have, with a new antivirus, which runs with artificial intelligence and machine learning. A lot of my peers thought I was crazy by doing that, because it was a big leap. My boss, she gives me the autonomy to do what I need to do as long as we’re briefing them and giving them information about what’s going on and where we are with these new technologies.
We’re still implementing an analytics software, which we envision to probably go beyond just the IT side: There’s many business cases for that.
We’re getting ready to implement another product that’s going to go on our endpoints, which will help give me real-time insight into what’s going on with these devices when they don’t meet compliance or they don’t conform to our standards.
These are, just within a year, projects that we’ve started, so they’re all going to merge together I think.
MeriTalk: The National Association of Counties recognized Fairfax County as the best in technology management. What does it take to get to that level, and what is your advice to other CISOs?
Dent: Involve themselves in the business areas that their companies or their organizations are responsible for supporting. A CISO really needs to know everything that’s going on in some part of a business. You’ve got to know their end goal, what they want to do, so that you can be a part of recommending solutions. That way you stop being the person that says “no” all the time.
MeriTalk: You are also the chairman of the National Capital Region’s (NCR) CISO committee. What work do you do in that capacity?
Dent: Yes, I chair the National Capital Region CISO committee, which is the subcommittee to the CIO’s committee. My boss, Wanda Gibson, chairs the CIO committee. That is a private network of 22 local jurisdictions in D.C., Northern Virginia, and Maryland. We all have our own dark fiber, and we’ve interconnected all of those for public safety. So that network is a carrier-class network, but we don’t use carriers, we use our own private fiber. So if there’s ever another, God forbid, 9/11 or a major incident where AT&T and Verizon get inundated and first responders can’t use those networks, our network is always going to be there, and it doesn’t rely on them.
We have federated the 22 jurisdictions’ identities through an identity and access management service that is managed by our NCR technical team. I am the executive sponsor of this service. The NCR Identity and Access Management Service (NCR IAMS) allows authorized use of local entity-issued credentials to access regional applications without changing existing architecture or protocols. No special training needed.
That’s all funded through UASI [Urban Areas Security Initiative] grants. We manage most of the grants for that network here in Fairfax. We have the budget to be able to front those grant programs before the grant funds actually get here.
There’s 20 CISOs, or guys and ladies whose titles have had security added to them, we meet monthly, and we just discuss things that are going on in the world. We talk about new technologies. This year we’re starting a new piece where we’re asking these CISOs to bring in their vendors to do just a presentation of what their solutions are to that group.
We do get represented in the governor of Virginia’s cyber commission. They gave us a seat from up here and I asked a CISO from Arlington [David Jordan] to sit on that. And he championed our efforts and what we were doing. And some jurisdictions will ask us to review a solution for them. So I will do it or my engineers will sit down and go through it, and we just help each other out.
MeriTalk: What do you see in the future of IT security, particularly at the state and local level?
Dent: I think you’re going to have to look at cloud. You’re going to save money, but at the same time you’re going to have to make sure it’s secured, of course. For me, data is out there. We need to start looking at the new technology that is out there, because the hackers are looking at it. The hackers are looking at the old stuff and finding out that, in government, there’s not a lot of movement to quickly change those things out. So if you don’t start keeping up with and staying ahead of this as best you can, you’re going to get hit. I really disagree with the old saying of “you’ve been hit and you don’t know it” or “just be prepared to get hit” and that’s where they leave it. I’m always ready to get that phone call that says something happened on our end, but I also know that I have the defensive depth and program that the damage isn’t going to be as bad as most of the people have, because there are so many layers that we can defend against. That’s due diligence.
OPM’s data breach, that was a total neglect of leadership and not following the people they hired to do security for them. In all of those most recent breaches, and when I say recent I mean 10 years, if you peel back the onion on those breaches, in more than 90 percent of them, someone told them of the risk they were hacked at. But the decision by leadership was made not to do anything. My leadership knows this. If I take risk to them, it’s on them to make a decision. But if you’re going to accept the risk, accept the risk.
The hard part for CISOs nowadays is living with the fact that they made the decision. You may not like what they say, but if you document it, give it to them formally, and let them know what it is, there’s nothing you can do to change that. Stop being stressed in your CISO life. Keep moving. You have to keep moving. That’s how I’ve survived, I think, these 15 years.