When one takes on the position and responsibility of chief information security officer for what is essentially the fifth-largest economy in the world, one has to have a strong plan in mind and the ability to move quickly.
That plan is exactly what Peter Liebert had in hand when he came on board as California's Chief Information Security Officer and Director of the Office of Information Security in November 2016. What Liebert inherited was 138 separate government departments that largely ran their own cybersecurity operations. Seeing the inherent inefficiency of this setup, he went about creating a fully functional 24x7x365 Security Operations Center (SOC) within seven months.
The need for the SOC was proven almost immediately: the security team detected almost 100 security threats within its first year of operation that otherwise would have gone undetected.
Liebert created something even more important than the SOC: a team of cybersecurity professionals so dedicated to their task that none of the engineers or analysts has left state service since their CISO came on board.
Liebert credits his previous 10 years of cybersecurity experience, along with his earlier jobs in the profession, for enabling him to quickly get a handle on what California needed.
“My time as an officer in the military helped refine my leadership skills and develop an unwavering sense of ‘can do’ attitude that has permeated my career. My time as a Presidential Management Fellow, in USCYBERCOM and the Secretary of Defense's Cyber Policy shop helped reaffirm my deep love of the field as well as knowledge on how to work within the federal bureaucracy to foster change in the information security space,” Liebert said.
Not to be left out, Liebert said, are the positions he held after his government service.
“My time in the private sector helped enlighten me on how a top tier cybersecurity company fosters innovation internally and provides value to customers,” he said.
Liebert also did not want to leave out those people who directly helped or encouraged him to head down his current path.
“Two mentors come to mind right off the top of my head: Richard Clarke and Eric Rosenbach - both were professors in a Cyber Warfare Class at Harvard. That class was the epiphany in my career where I realized that ‘hey, I love this stuff and you can actually do it for a living!’ Most recently I would consider Chris Cruz as a mentor in State Service who has helped me acclimate to California's bureaucratic ins and outs,” he said.
Ken Kojima, ISO, CA Department of Corrections and Rehabilitation Agency: "Peter is instrumental in moving the state’s information security program forward to begin focusing on modern day cyber threats. He provides critical support at the state level to open doors for Agencies to leverage emerging technologies to help increase the state’s overall security baseline to combat the ever progressive threat landscape. Specific to CDCR, Peter helps our Agency identify opportunities to enhance and augment our current security program by providing guidance through various programs and services."
While the creation of the state’s SOC may be one of Liebert’s higher-profile accomplishments, he told SC Media he is particularly proud of two other programs implemented by the state: the California Cybersecurity Maturity Metric and the publication of Software Licensing Plus (SLP+).
The Maturity Metric program took 18 months to complete and ensures that, for the first time in California government history, the state no longer simply checks to see if a company has a cybersecurity policy, but measures just how effectively that policy or capability is being implemented.
“An example of this is cybersecurity training. We require by policy for everyone to have a program that teaches workers the risks in cyberspace and now we utilize the performance of workers - their click rate during anti-phishing tests - to determine how successful their program is,” he said.
The SLP+ list is a much different animal and endured a particularly lengthy implementation process, taking two years to be put into action. To be placed on the list, and thus potentially sell wares to the state, a vendor must prove their product meets the state’s standard and list it under the SKU of "SLP+ Endpoint Protection Core."
“Secondly - my favorite part - is that ALL licenses being procured through this vehicle count cumulatively. This means that counties, cities, and executive branch departments no longer have to get priced based on the number of their endpoints alone... all of them combine to allow for the deepest possible discount,” Liebert said.
CAL-SECURE comes after the CISO’s office completed a two-year assessment of the level of cybersecurity being used by the state’s executive branch. Getting this project completed was one of the most difficult tasks Liebert said he has ever faced.
“We have completed our assessment and developed a five-year strategy, we call ‘CAL-SECURE’ which details a roadmap on how to address major shortfalls and risks we have seen across the three vectors of People, Process and Technology. This strategy is in the final review period and we are hoping to see it hit the street in the next month or so. Implementing this strategy over the next five years will be a huge task and our number one goal,” he said.