Evolving the Role of Cybersecurity
Lessons from Michigan's Merger of Physical, IT Security
Michigan's history has already seen partnerships form and agencies come together. Over the years, the state has consolidated its infrastructure and brought many functions together under one organization. "We got involved in all kinds of emergency situations that involved technology, from the blackout of 2003 to a variety of other emergency situations, including things like fires and weather-related situations," Lohrmann says in an interview with GovInfoSecurity.com's Eric Chabrow (transcript below).
The newly formed Department of Technology, Management and Budget will continue to see different perspectives and agencies come together to aid the state in its mission of fostering effective cybersecurity. Identity management, for example, is one area that can see improvement. The same identification that allows access into a building could also be used as a digital ID.
Lohrmann says he'll continue to think about how physical and IT security will work together to improve safety among state government, such as "how the two organizations [will] provide security to the enterprise and to different buildings using a combination of technology and physical security, like guards and different protective measures typically used in securing buildings and sites."
In the interview, Lohrmann discusses how:
- Business and societal changes provide a new perspective on physical and information security [see Real and Virtual Worlds Become One];
- Combining physical and information technology security will benefit the state;
- Similar technologies can be deployed to safeguard physical and digital infrastructures.
Lohrmann joined Michigan government 14 years ago as chief information officer of the Department of Management and Budget, in time to lead the agency's year 2000 remediation efforts. His next post was a two-year stint as CTO of the state's e-government initiative. In May 2002, Lohrmann began his 6½-year tenure as state CISO, until he was tapped as state CTO in January 2009 (see Michigan's Pass-Fail IT Security Challenge). Early in his career, Lohrmann worked as a computer systems analyst for nearly six years at the National Security Agency.
He holds two computer science degrees, an MS from The Johns Hopkins University and a BS from Valparaiso University.
Michigan's Merger
ERIC CHABROW: Why merge infrastructure and computer security into a single unit, and why now?
DAN LOHRMANN: These are exciting times in the whole information security and cybersecurity field. As long as we think about all the different threats that face America, obviously we have cyber threats and we also have physical threats. A lot of private-sector companies have already merged these functions into a chief security officer role and that's what we are doing here in Michigan. I will be the chief security officer for the state of Michigan, and as you mentioned the director for cybersecurity and infrastructure protection.
We're seeing more and more overlap and synergy between the two fields, opportunities to work together. We believe that this is an important function that can actually have more efficiency and provide a better service by bringing these two organizations together.
Improvements to Security
CHABROW: How will this new setup make the state of Michigan's IT and its physical infrastructure more secure than what has been going on?
LOHRMANN: ... [It] may be helpful for your listeners to understand some of the background in Michigan. We're already a very centralized organization, probably the most centralized IT organization in the country, under the Department of Information Technology way back over the last decade with Teri Takai as our CIO and then Ken Theis as our CIO. Many of you know that Teri Takai is now with the Department of Defense as the CIO there. We brought together all of our different functions into one department, reporting to the governor, and that was the Michigan Department of Information Technology, brought together 48 centers to three, consolidated our infrastructure, consolidated a lot of our functions under one organization, and we had our own emergency management coordinator as well. We got involved in all kinds of emergency situations that involved technology, from the black-out of 2003 to a variety of other emergency situations, including things like fires and weather-related situations.
Meanwhile, we had our Department of Management and Budget. They had their own emergency management function. Those two organizations came together in the last 18 months, so now it's the Department of Technology, Management and Budget. All that's a mouthful, but we had two main emergency management functions that we're bringing together into one organization in this. We're looking holistically at all the different aspects of emergency management within our department, from a technology perspective to buildings, to how we support real estate and different critical infrastructure items within government. For emergency management by itself, that's one area we think we can come together and provide a better service for the state.
CHABROW: What are some of the synergies? What are some of the skills that you have, someone who has spent a good part of your career in technology information security? What do you have to bring to physical security and vice versa?
LOHRMANN: Going even further along the same line of thought, there are a variety of functions that our physical security organization provides, everything from issuing a badge, using that for parking, entering buildings, [and with] that ID we're talking more and more about digital identification and how we can bring those discussions around proximity readers. How can we use that thing you have - that identification, that picture of you - as a digital ID as well. Bringing that together from an identity management perspective is one area we see some synergy.
Working together on projects like cameras, we have digital pictures being sent across our networks. We have information traversing our networks that has ... historically been air-gapped. Just as we have the phone system merging together with computer systems and voice-over IT and more and more technology, you have more and more different functions that ride our networks over IT. There's a wide variety of ways that we can work together.
Another example would be how the two organizations will provide security to the enterprise and to different buildings using a combination of technology and physical security, like guards and different protective measures typically used in securing buildings and sites. We believe that working as one team, we can be more cohesive in our mission. I also think that a holistic look at how we work together in all of our IT functions and all of our physical security functions is going to be important as we integrate more and more functions of our department, our technology management and budget function, within Michigan State government.
Influence of IT on Government
CHABROW: What does this say about maybe the influence of information technology on government and on society?
LOHRMANN: That's a great question. I see, quite frankly, the whole importance of a cybersecurity virtual world being more and more integrated into all aspects of our lives, everything from people using Facebook and people using their smart phones, cloud computing, more and more that being part of their everyday activities both at home and at work. Whereas physically you maybe had to come in on a weekend if you wanted to work on a project, now people are working from home. You have telework happening. You have just so many different aspects of virtual life and digital connectivity; it's really kind of all-encompassing. There really isn't a part of government that doesn't use computers, that doesn't use technology in some way.
Schneier, one of the most famous bloggers out there, talks about the endless broadening of security to include all areas of life. As we use technology more and more in government and in our personal lives, there's always this ease-of-use challenge. We want it easy to use, quick, fast, efficient, helpful, but we also want it to be secure, data encrypted. We want to make sure that we don't have identity theft and that we're protected. I think that's the real challenge for this organization, to be an enabling organization, an organization that helps get things done in government more efficiently and yet more securely.
Economic Woes
CHABROW: Michigan, probably more than most other states, has suffered a lot in the latest economic downturn. Is there a fiscal component behind this move, or will the combining of operations require fewer employees than the two units operating separately?
LOHRMANN: I think we've already seen a reduction in the staffing across our organization overall. In Michigan we're down. I don't know the exact number off the top of my head, but it's certainly more than 20 percent, just from incentivized retirements. We had a large number of state employees. I think it was over 6,000 that left state government last November, December, January. As part of that, both organizations lost staff. For example, our field services staff within technology, a group that I manage now because this is taking effect on Oct. 1, we've gone from 360 field services staff to 120 field services staff, and that's over about the last six or seven years. ... When I was CISO back in 2002, the last time we did an "early out" in Michigan government was another time we brought all of our security organizations from a cybersecurity perspective into one organization. At that time we had already gone from 30 staff to 22 staff because so many people had left government for "early outs." As we see these incentivized retirement programs, we're down staff-wise substantially from where we were before.
Our budgets and our benefit levels for state employees have gone down. We have seen a reduction overall in the cost. Our rates are way down from where they were earlier in the decade, back in mid 2005-2006. Because of that, what we're seeing is actually an increase in demand for our services with less, so it really is a more-with-less aspect of this where we've already seen large reductions, probably more than most states around the nation over the last decade, really substantial reductions. We're looking at, "How can we now reorganize and be the most efficient, most well-running organization we can be to support Michigan government and actually really all of the citizens of the state of Michigan?"
CHABROW: Are there any drawbacks of combining these two units together?
LOHRMANN: That's a tough question. Off the top of my head I can't see any drawbacks. I think anytime you have change there are always questions in people's minds. When you bring organizations together, while you're bringing two teams together in a new way, obviously our physical security office, for example, will not be sitting with the building facility office that they were sitting with before. Initially they're not going to be moving physically, but I'm saying that they won't be in that organization anymore.
I think the challenge is to keep that customer service focus, even in security. We had all these other relationships, how will those relationships be maintained? That's a real challenge for us, to make sure that we're providing quality service and keeping those relationships strong that we had before.
The other thing that I want to mention to you is that our governor, Governor [Rick] Snyder, many people may not be aware of this, was an executive CEO of Gateway Computers a few years back. He's got a great IT background. He realizes how important cybersecurity is to Michigan, to citizens, businesses, K-12, primary through 20, through high schools, colleges and universities in Michigan. He understands the importance of the steps we've already taken around our Internet presence, our web portals and our online transactions. If we don't secure those properly, if we don't build a better organization then we're not going to be able to really provide adequate protection for online transactions, and he's made this a priority. On Oct. 7 we're going to be rolling out a new cyber plan, probably terming it Michigan Cyber or MI Cyber, looking at a strategy around Michigan cyber protection, how it affects businesses, how it affects universities, how it affects governments, local governments and state governments. It's really a whole new strategic plan around this, and this organization is going to be there to support the governor's vision and his mission around Michigan cybersecurity and also physical security.
Reporting to State CIO
CHABROW: You'll be reporting to the state chief information officer. Why the CIO?
LOHRMANN: It makes the most sense from this perspective. One of the things I've written about in the past is I really do believe that cybersecurity specifically is outside of the IT organization. With Michigan, it's a little bit different than a lot of other states. It's very centralized, with 1700 IT staff. If we're outside the IT organization, often times the cybersecurity organization is viewed as auditors. They're viewed as outsiders who are coming in, looking in over my shoulder telling me what I have to do. It's kind of like, "Quick, cover up everything because the auditors are coming in." I don't think that's a productive relationship. When I was CISO in the state for six and a half years, back from 2002 to 2008, it was very important that we had a very close relationship with all aspects of the IT organization. We wanted to be part of that team, part of the executive team and part of the team that was looking at databases, data centers, smart phones, cloud computing, the major infrastructure decisions that were being made by the state of Michigan. It was very important to be viewed as a member of the IT team. That's the perspective.
I can see reasons why we could report it elsewhere and I'm not in any way signaling that it's going to move in the future. There's no plan for that at this time. Clearly there could be benefits to being other places, but I think the biggest benefit and the biggest aspect of this is we see cybersecurity's importance only growing. That's why I'm excited to be going back to this position. It's something that I'm really going to be challenged to do. I've spoken with the governor several times about this role. He sees and understands the importance of cybersecurity for the state of Michigan, for this nation, for the world and for the Internet. It's really an important topic. Obviously you know that. That's why you're in this business. We really have to make sure that is a prominent piece of this, and we have the right relationships with all parts of the IT organization.