At the (ISC)2 Congress in Austin Texas, September 25 2017, Eleanor Dallaway met with Michael Roling, CISO for the State of Missouri, to talk about his experience getting his CISSP, the challenges of working in the public sector and the State of Missouri’s cybersecurity plan...
What are the biggest challenges that come with working as a CISO in the public sector? Is lack of budget an issue?
We have divisional budget planning; Government staff that recommend next year’s spend to the legislator. We’ve been very fortunate over the years – we started out with a program that wasn’t funded at all in 2009. We’re now up to a $9m budget and I’m very grateful that the decision makers understand cyber. The press has helped with that in an awareness sense. They’ve made it easier to tell a story. They see what has happened over the years and they need help making sense of it all and bringing it home – that’s where I come in. This helps us formulate what the spend can be.
In the eight years you’ve been CISO for the State of Missouri, has the job become harder due to the evolution of threats?
Threats have evolved a tremendous amount. In 2009, there was still a mindset of prevention, IoT wasn’t in the picture, MDM wasn’t even a thing. There has been a tremendous amount of change, we weren’t even thinking about shadow IT back then but we should have been. It is a harder job today than it was then. The explosion of consumer products coming into the workforce has presented new challenges that we never had to encounter before. There is no perimeter for a lot of start-up todays, so we need to set our sights on what a perimeter-less environment looks like.
What do you consider your main tasks and responsibilities in your role?
My main task is to lead a full cybersecurity plan that we’ve had in place for almost five years now. It breaks down into four key points:
- Elevating awareness/culture (internal and external)
- Responding to incidents
- Using cutting edge technology to protect end-points, networks and human beings
- Maintaining and establishing governance
Who do you report to?
I report to the CIO office. That consists of a deputy CIO and CIO. We have a very close great working relationship and see eye to eye on the importance of security. That relationship is crucial to success. The CIO plays a key part in elevating my role and getting that message across to Cabinet and to the legislator, etc.
We work with about 30 vendors just in our security stack – it’s a full-time job just managing those.Michael Roling
Does each State have its own CISO? Is there a network that you’re all part of? What’s your relationship like with the other CISOs?
All states in the US have a CISO, and we have several groups in which we collaborate in. They are the hub of much intelligence between states. The turnover is fairly high for two primary reasons, the first of which is political and the second is that State Government tends to be a springboard for elsewhere because it doesn’t pay as well as the private sector.
So what keeps you in the public sector?
I love my team, I love where I live (Jefferson City) – I have great bosses and our current governor is doing amazing things. I know I could make more elsewhere, but there is a lot of value in loving what you do and where you work.
What one challenge is concerning you at the moment?
We’re all struggling with vendor management, it’s an area of great unknown. We have large contracts with companies that are building software for us, or processing data. Ensuring they meet or exceed our level of security is vital and a big challenge. Shadow IT will always be an ongoing governance issue. Truthfully it comes down to good solid governance over people and what they do with their data.
We work with about 30 vendors just in our security stack – it’s a full-time job just managing those. But we are consolidating, we have chosen a best of breed approach. What many don’t understand is the overhead in bringing on a bus of vendors.
The vendors that keep me up at night aren’t security vendors though, it’s the ones on the application development side or the data side.
You took your CISSP exam in in 2014. What was your experience of getting the cert?
The prep for CISSP was daunting. It is very well-known as the ‘inch-deep, mile-wide cert’ because it is so broad. Preparing for it is tough because you never feel like you’re prepared. I spent a year preparing and acquired some of the widely used study guides. It was a six-hour exam, I used about four hours and started to question whether I needed to review my answers. In terms of strategy, I skipped the questions I didn’t know the answers to immediately and then returned to them later. Sometimes, something then clicks in your brain to release the answer.
What advice would you give to someone embarking on their CISSP today?
Many of my peers are very technical. However, a large portion of the CISSP is non-technical, and is about understanding governance, risk and compliance, teaching you to thinking as a business executive would. Those areas of the CERT are what I’d recommend focusing on. Or alternatively, identify whatever your weakness is and hone in on that.
You’d been CISO for the State of Missouri for five years before you took your CISSP. You didn’t need it to get the job, so what motivated you to do it?
I like challenges and I viewed it as a great professional challenge. I didn’t need the accolade or certification to get my role, but I felt like personally I should attain that milestone.
When I’m hiring, I actually weight experience highest. I prioritize experience, hunger and spark. However, having a cert shows me that the candidate has gone out of their way to prove competency. So I value it, but I don’t require it.
Bio: Michael Roling is the CISO for the Office of Administration, Information Technology Services Division for the State of Missouri. He heads the Office of Cybersecurity and is responsible for overseeing the information security posture for the State of Missouri. Michael has been employed by the State of Missouri since 2003. As CISO, he has transformed the security culture throughout government, introduced new processes and technologies that have enabled IT to swiftly and effectively respond to incidents, and has implemented various policies that have strengthened IT governance. Prior to joining state government, Michael worked at AT&T and Anheuser-Busch. Hel earned a B.S. in management information systems from Saint Louis University.