Interview: Christopher Buse, CISO, State of Minnesota

Christopher Buse, State of Minnesota
Christopher Buse, State of Minnesota

Some say a life in public service results in few, if any, rewards. Christopher Buse would not be one of them. The bureaucratic stifling of creativity, a lack of forward-thinking, the oftentimes lower pay scale – these are all frequently cited as reasons to avoid a career in the public sector. Buse, who has spent his entire career serving the citizens of Minnesota, sums up what he has received as payment for his dedication: a sense of purpose.

“I go to work every day, and I absolutely love what I do”, he tells me. “I think it’s exciting what we’re doing, building our security program”. That security program is for the Minnesota government, where Buse serves as the state’s first chief information security officer (CISO).

“One of the nice things about working in government is that you can make a difference in society”, Buse says with absolute sincerity. Yet he didn’t start out on the path of computers or IT, like so many other CISOs. Buse instead relied on the frank advice of his father when preparing for the future.

North Star Native

It would have been narrow-minded of me to assume that Buse played ice hockey as a youngster, simply because he hails from a state with a notorious passion for the sport. He instead volunteered this information readily, recalling childhood aspirations that included becoming the nation’s premiere collegiate player enroute to taking home the sport’s highest honor – the Hobey Baker award.

The plan hit an abrupt roadblock when Buse was cut from his high school team. With no prospects for a college hockey scholarship, this future IT security professional instead harbored visions of journalistic excellence. He arrived at Minnesota’s St. Cloud State University intent on majoring in English.

“My father was a pretty black-and-white guy, and he just didn’t like the thought of his son being an English major”, Buse confesses. He saw himself as a budding business journalist, perhaps destined for somewhere like the Wall Street Journal. Buse’s father, who managed a small enterprise, relayed a different, more practical vision for his son’s future. “So he convinced me to transfer over, and be an accounting major”, Buse remarks, adding that accounting came naturally after years of experience doing similar work for his dad’s businesses. 

Regardless of accounting’s usefulness in securing future employment, Buse insists his affinity for writing enhanced the work he did early in his career. After graduating from St. Cloud State in 1986, he took an auditor’s position at Minnesota’s Office of the Legislative Auditor, a watchdog accountability agency that reported to the state’s legislature. It was here, Buse contends, that sound communication skills proved vital.

It may seem counterintuitive to think of an accountant/auditor as someone who requires a high level of proficiency with the written word. But the public reports Buse was asked to churn out required a balance between both technical and narrative. He recognized the value of style, feel, cadence, and professional polish – all the elements of good composition that brings a satisfactory smile to my face known only by my fellow wordsmiths.

From Spreadsheets to Computers

he first role Buse stepped into during his 19 years at the Legislative Auditor’s office was that of accountant and auditor. He was working as a CPA for about seven or eight years, by his recollection, when he began wondering whether there was a better way to conduct audits that didn’t rely on sifting through so many paper documents.

It was at about this time “when the first general audit software started being developed”, Buse tells me. It was the first of several indications that this CISO has always had an eye out for what can potentially streamline a process, and the technology that can enable it.

Once this evolution began in earnest, Buse recalls members of his agency walking in to do audits on a particular government department, and subsequently “spin around their financial world like a Rubik’s Cube. Harness[ing] the horsepower of technology", he asserts, "we knew more about the organization than they knew about themselves”. The reason for this, he continues, was his agency’s ability to conduct data mining and numerous forms of analysis on every financial transaction.

It was through this process that Buse’s transformation away from accountant/auditor began taking shape. He became involved in ISACA, and went back to school at the University of Minnesota, “supplementing my accounting curriculum with more IT classes, getting into database design, programming, and some of the other hard IT disciplines”.

The Legislative Auditor’s office, as Buse remembers, “recognized early on that we needed to think about computer systems as a discipline on their own”. The office then formed a dedicated technology audit group, where he then worked for the next eight-plus years.

A Day in the Life

It was June 2007 when Christopher Buse was hired as the State of Minnesota’s first-ever CISO, a position that reports to the deputy CIO within the state’s Central Technology Agency. That deputy then reports up to the state CIO, who is appointed by the governor. Unlike government agencies that are “more policy-driven”, as he explains to me, IT has a tendency to be insulated from political battles.

“The way we view it is that our job is to deliver IT to meet the organization’s needs, as efficiently and effectively as possible. I think, regardless of political party, those goals are pretty well understood and noteworthy across the board”, Buse replies when I ask him about the role politics plays in his job security.

Upon his arrival as CISO, Buse describes the structure of Minnesota’s state government IT as “decentralized silos” where security was handled in-house by each agency. “I was brought in to put an enterprise wrapper around security, and by and large I think one of the main impetuses of bringing me in is that there were some noticeable, public security failures that happened in our state.”

He recalls one example – one of his last audits for the Legislative Auditor – where a review of the state’s new web-based motor vehicle licensing process revealed serious security issues. “We made a pretty powerful recommendation that they actually shut down the motor vehicle licensing in our state, and go back to a paper-based approach, until they could figure out how to run the system more securely.”

It was a moment, Buse notes, where the technology got ahead of the security considerations. It was also a learning experience that he believes led the state legislature down a path of increased attention toward security, while also helping identify three key shortcomings: “We just didn’t have good governance processes in place, the ability to use our resources effectively, or make enterprise-wide decisions”.

Fast-forward to 2012, and the legislature in Minnesota consolidated all IT functions under one central office, pulling in departments from 78 different executive agencies. As CISO within this Central Technology Agency, Buse’s daily responsibilities include enterprise security, enterprise architecture, geospatial technologies, and helping coordinate some of the IT procurement activities.

There is no ‘typical’ day in the life of this CISO, Buse admits, adding that no such thing exists for any security leader within something the size of a state government. Each day starts with a schedule, but many parts of a ‘typical’ day will be spent on the unexpected – putting out some of the “burning fires” that can pop up at any time.

He also contends there are absolutely no road blocks to communicate with the management above him, asserting that security takes on an important role with his CIO and deputy CIO. “They understand it, and they put their money where their mouth is”, Buse says of his management. “For all of the major projects that are taking place, security is intertwined with them. It’s pretty rare for something to happen in our organization where somebody isn’t taking a look at it with a security lens.”

Serving the Public

My next inquiries for Buse involved the challenges he faces on a daily basis – both in the overall security threat landscape, but also those unique to managing security in the public sector. His response was that government faces the same threats as the private sector, but there are three areas he identifies as stark differences: compliance, culture, and retaining talent. Otherwise, he explains further, government faces the same trends as any other security department, including future mobile threats and identity/access management challenges that accompany any organization looking to streamline numerous services into one access portal.

Because the state’s IT office deals with so much personal data, there are many compliance requirements Buse’s office must navigate above and beyond the normal private enterprise. It’s a fact of life when doing government work, and he chooses not to dwell on it.

Overcoming the siloed culture of IT in government was particularly difficult, he admits, because before the state’s IT consolidation each agency handled their IT and security in-house. The challenge here was to bring an “enterprise culture” to government IT, when most private enterprises had streamlined these functions into a single department more than a decade ago. Buse took his cues from the many Fortune 500 companies that call the Minneapolis/St. Paul area home, and was able to do so by speaking with colleagues in local CISO forums and being involved with his local ISACA chapter.

Money has always been an issue in public service, Buse concedes, and not just budget problems during the recent financial crisis. “I think one thing that people don’t realize about our area is that we have more Fortune 500 companies than any city across the nation”, he tells me, which leads Buse into his next point: oftentimes government finds it hard to retain talent, especially in the area of information security. With major corporations like Target, Best Buy, General Mills, and 3M in the area, he says there is a high demand for talented people, and a shortage of those with the necessary skills.

Looking at Buse’s resume, one of the things that strikes me is the fact he has spent his entire working career in the public sector. With so many potential lucrative opportunities available to someone with his experience, I ask him why he chooses to remain in public service rather than cash in on a private sector role?

“I love working for government, and I just think it’s one of the things that’s in my blood. You give up a little bit on the salary side…but you go home every day feeling good about what you’re doing. You’re protecting people’s tax records, and a lot of the critical information that keeps society flowing. Not only do you do work that’s meaningful and important, but we’re not just grinding out more profits for stockholders, and we get to work on some of the biggest, most high-power systems that are available. We get an opportunity to do security on a very, very big scale.”

It’s a message Buse conveys when speaking to university students in the Minneapolis area. “I try to tell [them] that, some day, when you retire at the end of your career, you’re going to have to look back and say, did I get a chance to make a difference in society? What other organization can you go where you’re developing security systems that cross 100,000 end points, and are just massive in nature?” It’s a type of inner satisfaction that he is alluding to, and Buse says he takes every opportunity to emphasise the not-so-obvious rewards of public service for those just starting out on their career paths.

Away from the Office

Not everything is policy, audits, networks, and firefighting in the world of Christopher Buse. He is a husband and father of two adopted children. “It’s all about them”, Buse remarks when speaking fondly about his children. He confesses that both he and his wife spent too many years working and in the classroom, but now the children “have brought a badly needed balance into our world. When I’m outside of work”, he adds, “I try to spend as much time as I can making my kids’ life as great as it can possibly be”.

On the professional front, but outside the halls of government, Buse has long been involved with ISACA, where he serves as a member of its Government and Regulatory Advocacy Committee. He believes it allows him to keep “more of a lens on the world that includes other perspectives”.

Buse also keeps up on his reading by following a multitude of security journalists and bloggers. He occasionally takes classes to help keep his “technical edge”, which helps him avoid becoming “strictly a policy guy”, he says to me jokingly.

He also touts the importance of social media for security professionals. “Social media is just so cool in our profession, and you can almost, through having a really, really good Twitter network, have better information about what’s going on in security than by subscribing to all the journals”, he comments, as I try not to take too much exception. But the value of this new medium is clear, as Buse concludes: “Social media has given us the ability to get information fast”.

Next Stop?

With more than 26 years in public service, Buse insists he has no regrets about the choices he’s made, and he considers himself lucky that, after all this time, he can still go to work each day filled with energy and excitement. It leads me to one of my final questions, as our time draws to a close. I ask him, five or ten years from now, do you see yourself doing something different?

“I love government, so I’m not sure where I will be. You never know where fate is going to take you, but I hope my fate takes me to some place where I can continue to work in government and serve the people”, Buse replies. “It sounds a little bit hokey, but for people that work a long time in government, I think it means a lot to serve the people and to give back.”

He then recalls, with great fondness, a local fire chief and relative who spent his entire life working and volunteering in public service. Before the procession arrived at the cemetery, it passed each of the local fire houses, as fellow fire-fighters were given an opportunity to give one last salute to a man who gave so much back to the community. This type of tribute – and respect – was something that touched Buse deeply.

“Someday, if I’m fortunate enough, maybe they’ll bring my casket past the Minnesota state capitol, and I can look up at that building and those beautiful gold horses, and see it one last time.”

For a man who has given all of his working life in an effort to serve the people of Minnesota, it seems to me a rather reasonable and fitting final request. But for Christopher Buse’s sake, and those in the North Star State, I certainly hope that moment doesn’t come anytime soon.

What’s hot on Infosecurity Magazine?