CSO of the year
“I almost think that security is in my blood,” says Lohrmann, chief information security officer with the state of Michigan.
That might be largely due to his professional past. Some 13 and a half years in the intelligence community, working much of that time with the National Security Agency (NSA), can do that to a person. Every endeavor began with security and quality in mind, says Lohrmann, with technology coming after. “It became second nature to everything we did,” he adds.
Ask anyone working for the state of Michigan or, for that matter, the federal government, and they will note the unwavering passion and dedication Lohrmann shows for his work.
“I gather he wakes up every morning looking forward to taking on information security challenges,” says Greg Garcia, assistant secretary for Cyber Security and Communications for the U.S. Department of Homeland Security.
And, he adds, Lohrmann, who is the newest recipient of SC Magazine's CSO of the Year Award, is simply not fazed by the difficulties of those challenges. He always brings to every task enthusiasm, energy and tenacity, “and he brings lots of ideas,” Garcia says.
That's why Lohrmann's win of this year's CSO of the Year title is of little surprise to many. “We're very fortunate to have someone of Dan's caliber in state government,” says his boss Ken Theis, chief information officer for the state of Michigan and director of the Michigan Department of Information Technology.
To Rose Wilson, chief deputy director of the Michigan Department of Management and Budget, hiring Dan all those years ago was a no-brainer because of his always positive, never-give-up attitude.
“Dan is driven. As he approaches every task he looks at how he can improve security. That innovative attitude, that spirit that we're always taken care of, that we're secure, is critical,” she says.
Due in great part to Lohrmann's drive and skill, there have been various IT security triumphs made this year in Michigan, but one of the biggest is compliance with Payment Card Industry standards, says Theis. And this compliance, he adds, is enterprise-wide – no small feat when trying to coordinate so many departments with different application, network and server teams, three data centers, and much, much more.
“It is his leadership, tenacity and the guidance from him and his group that made this possible,” says Theis.
Overall, he adds, Lohrmann readily understands what the state needs and has established a five-year roadmap of how it should get there.
“Dan's really been our strategic leader. Because of his professionalism, knowledge and skill sets, plus his experience, he brings a great mix,” says Theis.
To get the protection of customers' private data and the state's critical information right, it always takes a balance between operations and security, he explains further. Dan, fully comprehending this, works with everyone proactively before big business decisions are made to ensure that data and critical assets are safeguarded.
According to Lohrmann: “You've got to partner to be successful. You've got to work with other states. You've got to work with the federal government.”
And although sometimes security can be viewed as an audit function or a downright impediment to getting business done by some folks within a company or agency, this is not so in the state of Michigan. That passion that Dan brings to work every day not only ripples through his own division, but also into other departments. He takes “a true collaborative approach” that makes the state secure and “makes my job easier,” adds Theis.
“His job is to provide secure solutions to meet business requirements,” he says. “What makes Dan different is that he is a ‘yes' guy.”
Illena Armstrong: How long have you been in information security? Can you highlight the positions and organizations that helped you prepare for your stint for the state of Michigan? What about pertinent training and certifications?
Dan Lohrmann: After graduating from Valparaiso University with a Bachelor of Science in Computer Science, I started with the National Security Agency (NSA) in 1985 as a computer systems analyst. I worked in their world-wide networking group on a variety of projects – from testing protocols and vendor product capabilities to installing networks and briefing customers on products and plans. NSA was a great place to start a career since their culture was all about security and their training was outstanding on everything from encryption to project management. Every network we installed was built with security as job one.
While at NSA, I finished my Master's Degree in Computer Science at Johns Hopkins, with a concentration in networking. I also was certified as a computer systems analyst by NSA, which was a rigorous process and resulted only after passing an exam.
I went to Harrogate, England with Loral Aerospace (which was later bought by Lockheed Martin) as a senior network engineer on a U.S./U.K. military base. It was there that I worked extensively with local area networks (LANs), from Ethernet to fiber distributed data interface (FDDI) – mostly Sun, HP and Cisco equipment. We always had the latest training and hottest new products. I designed networks and built monitoring systems, and learned about routing protocols, the ins and outs of internet protocol (IP) addressing, and many hands-on technical topics. I still use this training today in many ways as I interact with technical staff.
I joined ManTech International (which won the base IT contract) in 1993 as a technical director in charge of a newly formed Network Management Group (NMG). It was responsible for integrating numerous new systems into complex European networks. During this period ManTech won many IT contract bids all over the world and I learned an extensive amount about IT service contracts from the vendors' perspective.
I joined Michigan state government in July 1997 as the director of information technology for the Department of Management and Budget (DMB). Our main focus was on Y2K remediation and this period taught me quite a bit about business continuity and disaster recovery (DR) planning. I also served as the CIO for the department, and we started building new customer-focused websites and e-government.
After Y2K, I accepted a new role in our governor's office as state-wide senior technology executive – functioning as CTO – for the e-Michigan project. We built a new, award-winning portal which consolidated dozens of websites into one portal with a common look/feel and content management. This Michigan.gov portal continues to lead the nation with new e-government services for citizens (G2C), businesses (G2B), and other governments (G2G). Even in this role, security was always a part of my role and focus.
I became Michigan's first chief information security officer (CISO) and director of the Office of Enterprise Security in May 2002. I helped create the position description at the time within the newly formed Department of Information Technology (MDIT), which centralized all IT functions and authority in state government into one department.
Q: Any mentors who really helped you over the years to get to this point of understanding about information security?
A: I've been blessed with many great mentors over the years. Pete Blodgett at ManTech in England taught me so much about contracting and managing expectations of customers and staff. Rose Wilson, current chief deputy director of Michigan DMB, was my first boss in state government. She was awesome at showing me the ropes on how to get things done in a world full of new rules and a culture that was very different from the intelligence community. Teri Takai, CIO of California and former CIO of Michigan, showed me the incredible importance of building trusted relationships.
Q: What processes and solutions/vendors helped you reach your goals?
A: Symantec has partnered with us on numerous security and system backup projects, including endpoint security and policy compliance.
We also work closely with AT&T on connectivity to our counties, Cisco on architecture, and IBM, which hosts our Michigan portal. We've installed new intrusion prevention technology, as well as re-evaluated all inbound and outbound traffic.
In partnership with the MS-ISAC and the federal Smart Buy program Office of Management and Budget (OMB), we purchased Safeboot (now owned by McAfee) to encrypt our laptops. The discount pricing we were able to get by working with other states and the federal government was outstanding and made this program economical for our customers.
Q: Who in your organization helped with these achievements?
A: This has been a total team effort. All parts of Michigan Department of Information Technology worked together – led by our Director and State CIO Ken Theis, the Director of Infrastructure Pat Hale, and the Director of Agency Services Lynn Draschil.
We also worked closely with our Network & Telecommunications Group, led by Director Jack Harris, on network changes; our Office Automation (OA) Group, Director Mike Binkley, regarding desktop and laptop changes; our field technicians and systems administrators on system configurations; and our agency information officers to get the word out and communicate changes and hear their needs.
Most of all, we've partnered with business customers. We have a security sub-committee, which is composed of senior executives from different agencies, who serve as our advisory board on security matters. We work with them on HR issues, what to block as far as spam and websites, and a whole host of other issues. Leon Hank, deputy director of the Department of Transportation, has been a big advocate of security on the business side and serves as the co-chair of the Security Sub-Committee of MiTec.
We also brief each agency director on their risk issues, as well as the governor's cabinet and legislature on security vulnerabilities and programs. For example, we've established new training for all state employees on potential breach response.
Q: Do you get enough support from your colleagues and bosses?
A: Absolutely. I've found that it starts by having our state CIO and the governor on board in naming security a priority, and everyone else follows their lead. I've had two great leaders in this area – Teri Takai and Ken Theis.
Q: What steps do you find integral in getting and maintaining such support?
A: Being a part of the CIO's executive team, strategic planning sessions and regular staff meetings has been huge. We meet weekly and those relationships are a must. I also attend the MiTech meetings and chair the Security Sub-Committee with Customers.
On a more personal level, I try to do lunch or breakfast with key stakeholders. Five years back, I would wait for problems to develop before contacting key stakeholders, but I learned that's too late. You need good relationships before the going gets tough. When we get together, security is not the main topic. We talk about our families, business issues, personnel (comings and goings) – whatever's hot at the moment.
Another benefit has been that I've been through a lot over the past 11 years with many of our Michigan government leaders in IT: Y2K as a peer CIO, e-Michigan and the Michigan.gov portal launch, a change of governors from different political parties, a new consolidated organization, etc.
CSOs and CISOs that know the company/government culture and the people have a huge advantage – if they have a good reputation of getting things done, working on the hard projects and showing results. People want to work with those they trust and who deliver.
Q: When you're undertaking various projects, do you have to work with managers of various business units?
A: Yes, but I also have excellent security liaisons who work at detailed levels on aspects like NIST 800-53 compliance with business areas. [Editor's note: National Institute of Standards and Technology 800-53 is part of NIST's 800 series of ‘Special Publications.' This series of documents was established in 1990 to focus on and provide guidance specifically about information security. 800-53 offers recommendations on security controls for federal IT systems.] I typically get involved at key milestones, contract initiation or choosing the vendors, or if there is a problem or a new issue that arises.
Q: Who do you report to? Is there an ideal hierarchical structure when it comes to ensuring that IT security is being addressed adequately in a corporate environment, do you think (for example, answering to the CEO as opposed to the CIO)?
A: I report to the state CIO and director of IT. I think this is best, since I am seen as an IT insider and not an external auditor. We are here to help, get compliance, solve problems, do good things – not issue bad reports on what people should be doing.
I've spoken to many colleagues on this topic and we have a big advantage in Michigan since IT is totally centralized. In a very decentralized environment, reporting to the CEO or CFO might make more sense for a variety of reasons – but don't be seen as the one who people hide information from.
Q: What about budgetary needs? We hear a lot about return on security investment – how do you show your superiors that security enables business/government endeavors? And how do you get the support, resources and funding you require to do your job?
A: We had a major ROSI [return on security investment] project in 2004 and showed the value in security investment in many ways. So while IT spending has gone down about 20 percent in the past five years through a variety of efficiency and consolidation savings, our security budget was voted on and raised from roughly one percent to two percent of IT spend by our MiTec Council due to demonstrated benefits and needs.
We also have received over $6 million in Homeland Security grants for cybersecurity efforts. From new generators at data centers to filtering software, we have been successful at explaining the role of cybersecurity to the emergency management community in state government. And this is a very influential group – especially when the lights go out.
Q: In regard to compliance demands, what are your priorities and how do you adhere to such regulations?
A: We must comply with Payment Card Industry (PCI) standards, and we are now being required to go through what the private sector has known as SOX [Sarbanes-Oxley Act of 2002]. We have had dozens of laws and rules to comply with since I started this job, from HIPAA [Health Insurance Portability and Accountability Act of 1996] to the Social Security Number Privacy Act. We had a HIPAA Committee a few years back, and we have formed other ad-hoc committees on various compliance topics, including sharing personal medical records and pandemic influenza.
This has been a major focus, but it has fit into an overall vulnerability and risk management framework.
We also have been required to deal with many new laws that pop up, such as breach notification laws.
Q: If you have a number of mandates to which you must answer, how do you avoid duplicating efforts to address these?
A: This has been a big benefit of MDIT [the Michigan Department of Information Technology]. Being centralized, we see those patterns much earlier, and we address trends that come up cross-agency. We even see things coming down from the feds or Homeland Security mandates, patterns with local partners, etc. We have several cross-agency centers of excellence to deal with issues in smarter ways.
Q: What is on your agenda for the coming year?
A: This will be a year finishing about three or four major security upgrades for us. There's more work implementing encryption in various situations, and we're rolling out a new identity management project. We're re-bidding our portal (Michigan.gov) hosting contract, as well as our content management system, and we want to improve our endpoint security policy enforcement.
We're also doing much more outreach to local and federal government partners. We share many networks, and their security affects us in many ways and we affect them.
Q: What are some of the major challenges you believe you and your counterparts at other companies/government entities face in the next year?
A: I've been seeing some underlying problems in employee behaviors for the past few years that really trouble me. Some of our best and brightest, graduate-degree trained staff – those who know better – are often the worst offenders when it comes to violating acceptable use policies and using the internet and technology. This is a deeper look at the insider threat, including employees and contractors, who are running businesses, wasting resources, taking risks that put the enterprise at risk.
This topic has seldom been discussed by security professionals over the years since it gets at moral aspects of our jobs and making judgments about right and wrong. I examine cyber ethics and good behaviors not from a top-down, policy-compliance approach, but from a bottom-up, personal conviction, employee-driven, Christian-look at how cyberspace impacts our personal and work lives.
Q: What other specific projects are on tap for this year and maybe starting in the next? Any forward-thinking plans that you'd like to highlight in the way of security implementations/other projects?
A: I am very excited about my first book which is coming out this fall from Brazos Press. The book is entitled: Virtual Integrity: Faithfully Navigating the Brave New Web.
The book addresses an underlying importance of cyber ethics for grown-ups, both at the office and at home. This topic is written in non-technical language for end-users. I cover many e-Temptations, how websites “tempt the click,” and new ways that end-users can start to “surf your values” – connect their offline values with their online world.
I believe it is especially relevant for security professionals because it addresses questions prompted by recent surveys, showing that many people know what to do, but they still engage in the risky or dangerous things with information anyway.
I coin new terms like “integrity theft,” which I suggest is worse than identity theft. People are losing their families, careers and their reputations by engaging in activities that can be much more harmful than they realize – until it is too late. While identity theft is tragic, it is much easier to repair your credit history than your reputation.
The focus is on aspects of people, processes and technology online and why filters are no longer enough to protect us at home or work. I think trust, reputation and cyber ethics are key to security and privacy in the future. We need to think about the majority of people in our companies and not just the minority of bad guys trying to break in.
I address security, privacy, moral and ethical aspects of topics like Web 2.0: YouTube, FaceBook, avatars and Second Life. The book offers recommendations to Google and Microsoft and a whole host of related stories. The appendix offers the outline for a new national strategy on cyber ethics, which addresses more than kids.
Q: Any advice on how to tackle these?
A: I have Seven Habits for Online Integrity that center on better integrating your faith and beliefs into pragmatic surfing habits.
We need to make a more compelling argument – a moral argument (no matter what religion you believe in) to protect yourself, your business and the internet from emerging threats.
Q: What's your best advice to others when it comes to building a strong security program?
A: Information security is a team effort. Build a good team – we have a great one – that works well together and supports each other. Surround yourself with smart people who can help. This includes those who are under your immediate organizational control, as well as partners throughout your business, the IT organization, vendors and those in other states, governments or companies that can fill an important void. Think outside your individual box as you build new partnerships.
I think of myself as a football coach – which I was – who needs to get the right players on the field at the right moments. Besides the skill sets, the players need to be properly equipped to do their job – which includes tools, training, trust and respect, and a good game plan.
“Michigan has made tremendous progress over the past year in regards to our security program,” says Dan Lohrmann. “We've completed over 15 major security upgrades, received PCI compliance, obtained significant Department of Homeland Security (DHS) cybersecurity grants, participated in Cyberstorm I in 2006 and CyberStorm II in 2008, and centralized numerous data centers and completed [various other] business projects.”
Additional milestones include:
Within Michigan government, Lohrmann holds various positions, including: co-chair of the Security Sub-Committee of Michigan Technology Council (MiTech), chair of the Cyber Sub-Committee on Critical Infrastructure Protection, member of the Homeland Protection Coordinating Committee, and member of the Pandemic Influenza Coordinating Committee (and legal sub-committee);
Lohrmann is a member of the Information Technology Government Coordinating Council (IT-GCC) led by the Department of Homeland Security (DHS). For this, he represents NASCIO, the National Association of State Chief Information Officers, which speaks for 50 state CIOs. In this capacity, he helped to write the National Infrastructure Protection Plan (NIPP), IT Sector Plan. Also, he participated in several work groups to implement portions of the NIPP IT Sector Plan.
Related to this, he's been a leader on NASCIO's Security and Privacy Committee since 2002. In this role, he's created numerous white papers, best practices, videos, and other deliverables.
He has also been a member of the Multi-State Information Sharing and Analysis Center's (MS-ISAC) Executive Board since 2005. He co-led a work group on outreach to local governments and produced a “how-to” guide for states to establish state-internal ISACs. Michigan launched its state/local ISAC in November 2006.
From 2006 up to now, Lohrmann has been a Distinguished Guest Lecturer for Norwich University's Master's Degree Program in Information Assurance (IA);
He served as president of Michigan InfraGard, from January 2006 through December 2007, and currently serves as the Chairman of the Executive Board;
As far as writing for the industry, Lohrmann has had many articles published in SC Magazine, a blog for CSO Magazine, and contributes a regular column to Public CIO Magazine;
Speaking engagements have included conferences nationwide and throughout Michigan;
In addition to receiving the CSO of the Year Award from SC Magazine in April, Lohrmann has also received several NASCIO Awards, Symantec Visionary Award, Security Magazine Top 25 Most Influential in Security Industry, and the CSO Magazine Compass award.
From the May 2008 issue of SC Magazine.