A Panic Attack and a Dream: a Cybersecurity Saga


By Michael Deutsch, Chief Information Officer / Chief Information Security Officer, NYC Department of Youth and Community Development

Come along with me on my team's journey in building an effective cybersecurity program. I can't promise you it will work out, but if you play along, maybe you can learn from our successes and mistakes.

I have a dual role as Chief Information Officer and Chief Information Security Officer. There are many who say these two roles should not be combined, as they have different and often competing priorities. I do not view it that way; I see it as the ability to provide a best-in-class IT organization with a focus on and dedication to security throughout.

I can't say that I always had the same view of doing both roles. My background is in IT Operations, where there is already an element of security in the work, such as patching servers, setting up a DMZ, etc. When I moved into my current role of CIO/CISO, my primary focus was on ensuring a stable environment that could keep up with agency demand. I spent my first few years focused on all the buzzwords: digital transformation, DevOps, Agile, Scrum, human-centered design, etc. Yes, I was CISO on paper, mainly because someone needed to be, but I had no real motivation to actually run a cybersecurity program. We did the required security work, though not as part of a cybersecurity program but as operational security. You know, ensuring we had servers patched or a firewall configured, but with no real understanding of the threats associated with a patch, and no reviewing of the firewall logs to find threats. I didn't even understand what the CISO role really was.

It was a gloomy day as I sat in my basement (I assume it was gloomy, since my basement was always gloomy), working from home during the pandemic. I was running my hands through my ever-thinning head of hair and following up on some ongoing security projects when I found myself looking down a security abyss, a never-ending rabbit hole. Basic panic attack stuff, like "There's too much to do," "Am I really secure?" "How do I know if I am really secure?" "What happens if there really is a breach?" "Would I even know if I was breached?" "Am I doing the right work?" "What is the right work?" That is when I truly realized that I was not running a cybersecurity program; I was just doing security work, with no real roadmap or goals in sight, just patching and putting out fires. I realized I needed to take cybersecurity more seriously and create a program that is woven into the fabric of IT and the agency. But where to start?

I devised these three things that would be needed to start a cybersecurity program: 1) learn as much about the cybersecurity landscape as I could, 2) get some staff focused on security, and 3) determine what tooling could be the most useful right away, since our long procurement cycles require many months to complete.

Learning

I decided the best way for me to learn about managing a cybersecurity program was to take the Certified Information Systems Security Professional (CISSP) certification. To achieve the certification, you need to learn the breadth of security, though not necessarily in depth. As a bonus, taking a certification helped me scope my learning, stick to timelines, and gave me a very specific milestone to achieve, which I find very helpful (it also looks good on a resume, which doesn't hurt).

While the CISSP certification gave me a good foundation, it does not teach you how to implement a program. For that, I spent a lot of time on sites like LinkedIn Learning and talking with CISOs, Gartner, and vendors.

Hiring

With a small talent pipeline, my focus is on hiring for team fit and growth potential over a candidate's current skill set. Hire low and grow (and hopefully, they don't leave before you can utilize their new skills). My goal is to have a team of three dedicated cybersecurity staff: one to manage Governance, Risk and Compliance (GRC), another on Security Operations, and the third on threat intelligence and resiliency.

Consider my agency like an SMB, with limited staff and budget, requiring team members to wear multiple hats. This is especially true of the IT Operations team, as they handle most of the security-related work along with all the infrastructure, network, tier 2 and 3 support, cloud, VoIP, etc. Happily, we are not alone in protecting our agency; NYC Cyber Command handles security at the perimeter of the network, along with some threat intelligence and other cyber-related tasks for the City as a whole. With limited internal resources, and never enough time in the day, GRC and resiliency work often falls by the wayside.

I have one hire plus myself so far; fingers crossed on the other two.

Tooling

I did not want to throw too many tools at the team; I have often found security tools to promise a lot but underwhelm due to the complexity of implementing and maintaining them. With limited time and skills to handle them, we needed to focus on the most important ways for us to move the program along. Our initial tools were around discovery and identification of assets, so we know what needs to be secured, and a SIEM, so we can tell what is happening in the environment. For good measure, we threw in a patch management tool for third-party products to handle our non-Windows patches, such as Java and Adobe.

Wish us good tidings as we continue to implement our cybersecurity program roadmap: choosing a framework, controls, risk management, etc. I hope to be able to update you on our progress in a few months. Stay well and stay safe!

Michael Deutsch
Associate Commissioner of IT | Chief Information Officer | Chief Information Security Officer
NYC Department of Youth and Community Development