That "the CIO was hired by the mayor two years ago and saw the need to hire a CISO" underscores management's commitment to making security a priority for a city of about 500,000 that boasts one of the world's busiest airports (reaching 100 million travelers last year), Lambo said. "The Mayor [Kasim Reed] has always been about the best in class. We're taking that tone from the top and implementing it at the IT level."
In his six years in office, Reed has nearly doubled the police force, but the city's CISO said public safety depends on more than just a physical force. "The mayor had invested in the Atlanta police department, but if IDs are compromised people won't feel safe," said Lambo. The city would run the risk of losing data confidentiality and integrity, with some potentially deadly results. "To make traffic lights smarter, we need to put them on the internet or at least make them internet-connected, and that exposes us," he explained. "If integrity is compromised, there could be a loss of life."
In addition, a smart city whose data integrity is compromised becomes a "dumb" city quickly, he noted.
Since governments at the local, state and federal levels continue to be targets of cyberattacks, the likelihood of compromise is real, said the CISO, who assumed his position last year just three days before the city was hit with a massive distributed denial of service (DDoS) attack. And the results of a breach could be devastating, potentially costing the city $100 million, he added.
To show just how damaging a breach could be, Lambo and his team demonstrated how one could affect four of the mayor's five stated priorities. For example, a breach can reduce productivity or damage the city's reputation, hampering, respectively, the operational efficiency and economic growth priorities set by the mayor. The increased costs could affect the city's financial stability, another mayoral goal, and identity theft could compromise public safety.
The mayor established a governance board that includes, among others, the city's CIO, CTO, director of enterprise risk management, finance risk management manager and assistant police chief, and when Lambo joined the ranks, Reed charged him with leading it. That board has been instrumental in advising AIM on the needs, challenges and feasibility of security plans. It also urged him to secure a critical success factor, vocal buy-in from the top, by having the mayor record a video that emphasized the need for a culture of security and urged adherence to policies and procedures.
While Atlanta strives to achieve the gold standard for excellence -- ISO 27001 certification plus CMMI Level 3 -- Lambo hastened to point out that security hinges on more than just compliance. "The Titanic was compliant; it met safety requirements," he said. "They just forgot to do a risk assessment to see the effects of hitting an iceberg."
The CISO's team has put considerable effort into risk analysis. "We've identified critical assets and done risk assessment against them," said Lambo. The city has prioritized items in its general fund based on that risk assessment. Next, it will tackle watershed services and finally Atlanta's sprawling Hartsfield-Jackson International Airport.
Risk prioritization should be done at least once a year, though Lambo said once a quarter would be better and every month ideal.
"Now we're data-centric," said Lambo, noting that the easiest way to "eat an elephant" is one slice at a time. The next elephant served up for the team? "Critical infrastructure," he said. "It's a big area of focus next year."