Cybersecurity Effectiveness Podcast


Nick Andersen

The biggest difference between the state and business is that with a business you've got the power of your dollar behind it. If I don’t like the way an organization handled my data, I can opt to do something else or go consumer to consumer to find other options. There’s not really another option when you’re dealing with the government. You don’t have the power of choice, which places a much greater responsibility on us as a state government to take great care with citizens’ data.

Nick Andersen is the CISO for the State of Vermont, where he leads state government efforts pertaining to security and protection of data, security compliance activities, risk reduction, security operations and threat intelligence. 

Brian Contos:

Welcome to the Cybersecurity Effectiveness Podcast, sponsored by Verodin. The Verodin Security Instrumentation Platform is the only business platform for security that helps you manage, measure, improve, and communicate security effectiveness. I'm your host, Brian Contos, and we've got a really special guest today. Joining me is Nick Andersen. Hey, welcome to the podcast, Nick.

Nick Andersen:

Thanks Brian, I appreciate it.

Brian Contos:

Hey Nick, before we get going, I was wondering if you could give everybody a little bit of background about yourself, and ultimately what led to you becoming the CISO for the state of Vermont?

Nick Andersen:

Yeah, certainly. So, my path was a little unusual. I started out in the Marine Corps on active duty, and during my time in the Marine Corps I got to do a number of really neat things in technology and engineering and kind of build the foundation of my technical skill. From there I started branching out into security, and it was really just because I was there, and somebody had to do it, and it started to become more of an emerging field and emerging requirement on the military side, so it just presented itself as an opportunity, and I kind of jumped at it.

Nick Andersen:

So from there, after my active duty service, I wound up living around the D.C. area, and I still got the opportunity to go back and forth between the Government and the industry side a couple of times with some really neat jobs, doing everything from ITSM, IT Service Management, support for some highly apprised initiatives, to ultimately becoming an engineering chief for the Coast Guard's IT Command, and then serving as the CIO and senior cyber risk executive for Coast Guard Intelligence, and then moving to the Pentagon as a Department of the Navy Senior Executive, where I was the CIO for Naval Intelligence and their senior cyber risk executive for all the things in that portfolio.

Nick Andersen:

Jumped out into industry for a couple of years at law, primarily, a bunch of services work pertaining to cybersecurity within the government space, national security side, Homeland Security, some others, and I helped to start a small company that's still doing terrific and growing with my former partners there, and had this opportunity to come work on this staff in the state of Vermont and become the CISO up here and get a taste for what it's like operating within the state level. Which has been great.

Brian Contos:

Yeah, that's awesome and what a great and eclectic background you've got. I think that's gonna serve the state of Vermont well. So, let's dig into what state level government's all about as it relates to cybersecurity. What are some of the key goals that you're focused on?

Nick Andersen:

Yeah, so a lot of the goals for us, there's such a rich diversity of cybersecurity issues within a state government. So, hearing a little bit about my background, you can probably tell a lot of my background has that National Security, defense, homeland security kind of look and feel to it, and a lot of that meant focus on mission systems. Which, whether we're talking about tracking planes, or tracking people, or tracking ships, a lot of it has some discriminators as to what the answer is we're trying to arrive at, the question that's trying to be answered with the specific mission focus that it takes. But by and large it's all the same, it's only classified systems trying to serve a specific purpose to get some decision advantage so we can take an action.

Nick Andersen:

Within the state it's such a terrific wide-ranging source of issues across the board, whether it's healthcare issues or issues pertaining to issuing driver's licenses and permitting and a lot of the constituent base and services that affect people's day-to-day lives. So, when we look at the priorities we're trying to take internally as a state, it's pretty multifaceted. We're going through some really great health checks and some status checks internally to kind of see where we're at to establish our own internal baseline. Once we're done with that, we're developing a little bit more of a long-term plan to move forward and kind of grow the maturity of our infrastructure security operation, and we just kicked off a brand-new Vermont SOC initiative along with our partners over at Norwich University with their applied research institutes to stand up the Vermont SOC for the first time. So, that is a brand-new function here.

Nick Andersen:

The Governor took the opportunity a little more than a year ago to establish a cybersecurity advisory team to pull together some pretty disparate disciplines across the state to provide representation from the healthcare side, from Academia, private industry, utility service providers are included in this. We got some critical infrastructure representation, emergency management, [and] public safety to really give us a good cross section of identifying those large-scale issues within the state that we get to tackle.

Nick Andersen:

What's going to be the next evolution? Because for us, cybersecurity isn't all about just securing our own internal infrastructure and focusing on what's a state of Vermont asset, which is critically important, but it's also for us protecting all these things that really support the larger ecosystem of the state.

Brian Contos:

Yeah and, y'know, you talk about a specific industry, whether it's critical infrastructure, or healthcare, or financial services. And they have their own issues and concerns, but as a state you have the state plus everybody else within that state and all their specific needs. And I'm wondering, from a threat landscape perspective, is there a big difference when you're talking about protecting your citizens, your constituents, versus an organization protecting its business data?

Nick Andersen:

Yeah, I absolutely think there is. And I think the biggest difference is that with a business you've got the power of your dollar behind it. So, if I don't like the way that Marriott handled my data, that resulted in that data breach, [if] I want to I can just opt, as long as I'm not going to a place where there's only Marriotts, I can opt to do something else. I can do Airbnb if I want to. I could go direct, consumer to consumer, to provide myself with other options to do that.

Nick Andersen:

There's not really another option when you're dealing with the government. There is not another option for you to go to get that driver's license issued. Or to get that healthcare benefit. Or to file your taxes, like you're supposed to. You don't have the power of choice, which really places a much greater responsibility on us as a state government to take great care with citizens' data and really be holistic about assessing that risk, because within an individual industry segment, there are some risks that are specific there. Here we have to consider all of those segments as part of the larger ecosystem within the state.

Brian Contos:

Yeah. Let's talk a little bit about technology then. How does third-party risk factor into the decisions that the state's going to make regarding its technology?

Nick Andersen:

Yeah, third-party risk is such a tremendous issue that we could probably dedicate an entire podcast segment just to third-party risk. But on third-party risk in particular, we took the opportunity as a state, a little less than two years ago, when Governor Scott established what was called the Agency of Digital Services to consolidate all of the IT holdings here within the state, to provide a single Cabinet-level official that was going to be responsible for providing those services. The first thing that group really began to tackle was our procurement processes, or acquisition processes, to really begin to get a handle on "what do we have, who's providing it, where are they, and what types of controls and mechanisms for control do we have there?"

Nick Andersen:

We took a good opportunity to standardize data across the board, standardize our language regarding security expectations, audit, trying to get all of the audit reports and sharing that information with us, so that we really take our vendors and the people we are introducing to this environment and some of their subcontractors, and we bring them in, and make them a part of the strategic risk conversation, by sharing our concerns, and having some of that trade-off discussion along with them.

Nick Andersen:

It's been an interesting evolution, and when we kind of look at extending out our supply chain and trying to look at where the risk really lies, there are an infinite number of issues, and an infinite number of high-profile cases and news articles and everything else, that we could point to that indicate that there is a problem out there. It's really pretty difficult when you look at a traditional security conversation. You might see a traditional CSO, you might see your CISO, you might see a risk audit executive that's maybe a member of the Board, or the risk audit committee, you'd see those types of people in there. You don't typically see your procurement acquisition folks within a CFO shop being involved in that conversation. It's all about broadening the scope to make sure we're holistically considering risk.

Brian Contos:

Yeah. You know, that definitely paints a picture of an organization that's a little bit more foreign to probably a number of CISOs that are listening to this podcast and work outside of a state agency. Let's talk a little bit about that specifically. So, what are some of the key relationships that enable a state CISO to be successful?

Nick Andersen:

So, I think there are a number of key relationships. I'll kind of break it into buckets. I'd say the first is local community partnerships. So, when we're talking about things like having the Vermont SOC as a security initiative, it's not just a security initiative for me to go manage risk and get a good handle on what the operations are that are affecting the security posture of the state's infrastructure, inside my lane as the CISO.

Nick Andersen:

We look at that as a longer-term workforce development initiative where we want to use that as an opportunity to partner with somebody like Norwich or some of the other great academic institutions that we have here in the State, and to strategically talk about the types of skills that we're looking for, the types of challenges that we think we're going to be addressing, what the real threat landscape looks like. And try to cultivate those skills within the students. So, I think there is a good academic lash-up there, that's a terrific type of partnership to pursue and is enabling us to be successful. And that's symbiotic. We provide great opportunities to offer up the state and some of the things we're doing as a hands-on learning lab to get those students exposure they might otherwise not get in the academic environment.

Nick Andersen:

But then there [are] the functional relationships that we have with some of our Federal partners, like the Department of Homeland Security and the FBI. The functional relationships we have with organizations like the MS-ISAC—the Multi-State ISAC—and the Center for Internet Security, where they house the MS-ISAC, as well as the Election Infrastructure ISAC, which is another critical partnership for the state, in particular with the Secretary of State's office, managing the elections here within the state of Vermont.

Nick Andersen:

And then we've got business relationships. Because one of our priorities has to be broadening our scope, again to look at the ecosystem approach to what the threat is, and what the risk is out there. A big part of that affects businesses, and when we do look at trying to develop that larger works picture for the state, I want to have lots of terrific cybersecurity professionals to choose from here in the state, and I want lots of cybersecurity professionals working in the state to secure our infrastructure for more than just internal state of Vermont assets. It's bringing businesses in on that conversation as well. And then lastly, partnering with local organizations to educate citizens, and educate local municipalities on what the threats are that are out there, and how they can operate safely and securely.

Brian Contos:

It sounds like you've got a busy job in front of you! Just trying to manage all those relationships, right. That's a lot of work. So Vermont—and I'm going to go out here and you just correct me if I'm wrong—I'm guessing has to deal with a number of the same threats and issues and regulations and things that a Texas, or a New York, or a California, or one of those states would, but Vermont is a smaller state. How do you manage your cybersecurity workforce challenge and some of the pressures that are put on you, when it's the same as some of these larger states, with perhaps larger budgets, when yours are potentially much smaller? How does somebody in your position handle that?

Nick Andersen:

So, I think there are a couple of different ways that we address that. And one is having those honest strategic conversations with the stakeholders here within the government that help make those decisions: within the administration, within the executive branch, within the legislative branch, with our legislators that are responsible for oversight, authorization, and ultimately for applying funds to the initiatives that are proposed in the governor's budget. So, I think part of it is having that open, honest strategic conversation with them about managing that risk.

Nick Andersen:

I think another component is some of the workforce development opportunities that I discussed previously, as an opportunity over the long term to develop that pipeline of well-qualified candidates and identify the right incentives to keep them here within the state. And that's where partnering with businesses comes in, because when we look at the workforce development track, it can't just be: graduate from an institution that we have here that might be an NSA Center of Academic Excellence, like Champlain is, or Norwich is, and come and work for the state. The state can't employ everybody; moreover, people are going to want an opportunity to grow into other areas and to learn different skills, and we are going to want to take an opportunity to take people with different skills and experiences and bring them into the state. So, it's part of having that broader conversation as well.

Nick Andersen:

And I think the last piece of it is just having incredibly honest conversations with vendor partners, rather than holding them at arm's length and not necessarily revealing some of the problems or issues or requirements in the future. Having that open and honest conversation, I think, goes a long way to making sure that you're getting quality feedback and to making sure that you're getting ideas that you otherwise may not have thought of, where you can take advantage of something in a much more efficient or effective way.

Brian Contos:

Yeah, I mean if you guys are investing, you know, I'm just making numbers up, five million dollars in your cybersecurity technology, you better be getting pretty darn close to, if not more than, five million dollars' worth of value out of that investment. You just don't have the slush, right, and the capability to say, "Well, we've got five other tools that will probably take care of everything else it misses." Right? Stuff has to work, and those, I love the way you said that, your vendor partnerships have to be open and that line of communication, they have to be able to work with you.

Nick Andersen:

Yep, absolutely. That is exactly what we'll do, is where I try to look at something very simple: a kill chain on one side, and everything I need to do across the other, deny, disrupt, degrade, whatever it might be, the action that needs to be taken to provide for a layered defense, and just start plugging the holes in like it's a bingo card. Saying "Okay, well, the investment's up. Where can I best layer in the solutions that we can get so we can provide that efficient and effective service here and make sure there's some real taxpayer value there?"

Brian Contos:

Yeah, I like that approach, I just think it's very logical. It's one of those things that if you build that out for yourself and you can share that with other non-technical, non-security individuals in the leadership team at the state of Vermont, they can visually see what's working, and where there [are] gaps, and what those gaps can mean. I just think that's a brilliant way of approaching it. Nick, as we wrap up this conversation, there's a question we like to ask everybody that's on the show, and that's who's your favorite superhero or supervillain, and why?

Nick Andersen:

So, I'm going to go with a tie between two. I'm going to say one of them is probably Kitty Pryde, who was an X-Men mutant who had that phasing ability, and the ability to disrupt electrical fields when she's passing through. When I was reading the comic books I always really liked Kitty Pryde, and she was later called Shadowcat. But I also really like Phoenix, the later evolution of Jean Grey within the X-Men comics as well. Those were the ones when I was reading comics, it was a lot of the older 80's X-Men comics, and those two I always really seemed to like. Shadowcat really was amazing at passing through walls, and obviously unrivaled potential coming out of Phoenix. It was really neat.

Brian Contos:

Yeah, I think if I remember it right, Kitty Pryde was one of the youngest, if not the youngest, member of the X-Men. She was kind of like a little sister sort of character. Very cool. Well, Nick, thanks so much for joining us today on the podcast, and especially to our listeners for joining us again. Be sure to check out other Cybersecurity Effectiveness Podcasts, sponsored by Verodin.
