In order to secure a city, you need insight into what technologies each department is using, but doing so requires getting everyone on the same page and asking for help if necessary, City of San Diego Chief Information Security Officer and Deputy Director Gary Hayslip told an audience at the RSA 2017 Conference.
As the city's CISO, Hayslip said one of the biggest challenges to securing local infrastructure wasn't the threat of hacktivist attacks but getting everyone on the same page, and that one of his main goals was to build a rapport with department leaders and show them that he cared.
“Cybersecurity is a service and the service is enterprise risk management,” he said.
Hayslip said his first few months on the job were spent on meet-and-greets with department heads, getting people to understand that he was there to help and to understand what kind of cooperation was needed.
“A lot of the departments found that they wanted to start partnering with us, and they would start kicking money in because they wanted to work with us,” Hayslip said. In return, he gained insight into shadow IT programs and other weaknesses that had the potential to cause trouble down the road.
Once everyone is on the same page, he said, cities need to start with the basics and assess themselves against the Center for Internet Security's 20 Critical Security Controls (CIS 20) to see where they stand and what they need to work on.
“You're gonna have a hell of a list. Do not freak out about it; just take it and break it down in pieces, have them help you prioritize it and start moving forward. When you do that and you get a list of the things that are broken, understand you don't own it, that's the business. Get the departments in to have them work with you; let them help you prioritize them,” Hayslip said.
When departments started working together and prioritizing tasks based on the impact to their services and revenue, there was a lot more buy-in, and departments were more likely to cooperate because they could see how security affected their services, Hayslip said.
With everyone working together, it was also easier to make sure all IT products went through the CISO's office before being approved, and to run continuous inventory checks to catch anything that had not been vetted.
The city also gained insight by partnering with local tech firms, which helped secure the city's network and offered insight into it in exchange for using the city's platform as a test bed.
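The inventory checks described above (and the asset-inventory controls at the top of the CIS 20) come down to one recurring comparison: what a discovery scan actually finds on the network versus what the CISO's office has approved. The script below is an added illustration of that reconciliation, not code from Hayslip's talk or the City of San Diego; the two CSV inventories and their column layout are constructed sample data, and the field names are assumptions.

```python
"""Reconcile discovered assets against an approved register to surface shadow IT.

Added example, not from the original article. The two inventories below are
constructed sample data in an assumed CSV shape (hostname, ip, software).
"""
import csv
import io

# Constructed register of hosts and software that went through the CISO's office.
APPROVED_CSV = """hostname,ip,software
web01.city.local,10.1.1.10,nginx 1.18
db01.city.local,10.1.1.20,postgresql 12
fin-app.city.local,10.2.0.5,ledgerpro 4.1
"""

# Constructed output of a periodic discovery scan. Hostnames are not
# case-normalized in the export, one known host runs an unapproved package,
# and a department has stood up a CRM trial box nobody vetted.
DISCOVERED_CSV = """hostname,ip,software
WEB01.city.local,10.1.1.10,nginx 1.18
web01.city.local,10.1.1.10,node-exporter 1.3
db01.city.local,10.1.1.20,postgresql 12
crm-trial.city.local,10.3.7.44,saas-agent 2.0
"""


def load_inventory(text):
    """Parse CSV text into a set of normalized (hostname, ip, software) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return {
        (row["hostname"].strip().lower(), row["ip"].strip(), row["software"].strip().lower())
        for row in rows
    }


def reconcile(approved_csv, discovered_csv):
    """Compare a discovery scan with the approved register.

    Returns a dict with three sorted lists:
      unvetted_hosts:    hosts on the network that are absent from the register
      unvetted_software: (host, software) pairs on known hosts that were never approved
      missing_hosts:     approved hosts the scan did not see (stale entries or outages)
    """
    approved = load_inventory(approved_csv)
    discovered = load_inventory(discovered_csv)

    approved_hosts = {host for host, _, _ in approved}
    discovered_hosts = {host for host, _, _ in discovered}
    approved_pairs = {(host, software) for host, _, software in approved}

    unvetted_hosts = sorted(discovered_hosts - approved_hosts)
    # Software drift is only reported for hosts that are themselves approved;
    # an unknown host is already flagged in full above.
    unvetted_software = sorted(
        (host, software)
        for host, _, software in discovered
        if host in approved_hosts and (host, software) not in approved_pairs
    )
    missing_hosts = sorted(approved_hosts - discovered_hosts)

    return {
        "unvetted_hosts": unvetted_hosts,
        "unvetted_software": unvetted_software,
        "missing_hosts": missing_hosts,
    }


if __name__ == "__main__":
    report = reconcile(APPROVED_CSV, DISCOVERED_CSV)
    for finding, items in report.items():
        print(finding)
        for item in items:
            print("   ", item)
```

In practice the approved register is whatever the procurement or change-approval process produces and the discovered side is a scanner or agent export, so the only part worth keeping stable is the normalization in `load_inventory`: without lowercasing hostnames, `WEB01.city.local` would be reported as a new, unvetted host instead of matching the approved `web01` entry. The `missing_hosts` list is as useful as the other two, since approved systems that never show up on the network are either stale register entries or assets that have moved somewhere the scan does not reach.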