It cost neighboring San Bernardino County $1.1 million to resolve a ransomware attack on its sheriff's department earlier this year. Jeff Aguilar, the chief information security officer for neighboring Los Angeles County, hopes to prevent a similar fate in any of the 38 county departments he's charged with safeguarding.
Aguilar, who has held high-level security posts in LA County since 2018 and became its CISO last year, is keenly aware of the growing vulnerability of federal, state, and municipal agencies—cyberattacks targeting the public sector spiked 40% in the second quarter of 2023 over the same period the previous year. And though LA County has so far avoided a major incident, Aguilar knows maintaining that record will require diligence, resolve, and—this is key—constant communication and coordination with industry peers as well as the county employees under his watch.
This helps with his own department's benchmarking efforts, to be sure. And more than that.
Indeed, unlike many CISOs, he's a strong believer in sharing useful insights that might help other state and local government agencies counter threats. This willingness to hear and share different viewpoints is perhaps borne of his own diverse resume, which includes stints in government, healthcare, financial services, and transportation.
Focal Point caught up with Aguilar to learn more about his collaborative approach and what makes him one of the nation's top governmental cybersecurity chiefs.
(The following interview has been edited for clarity and length.)
At first glance, LA County's reporting structure – who reports to whom – seems, well, fairly complicated.
We have a federated model: I report to the county CIO. Each department acts as an independent business and has its own department CIO and information security officer. Their job is to enact the cybersecurity policies and strategy my team sets forth at a board level.
I have two deputies reporting to me and I'm hiring two more. We organize the county into clusters (for operational purposes), with each cluster representing a particular area of our business. So, for example, healthcare is one line of business and law enforcement is another. My deputies will cover different clusters depending on their skill sets and the needs of the clusters. We establish the cybersecurity guardrails from a high-level perspective, and departments work within those.
Both the LA Unified School District and LA Housing Authority recently suffered data breaches. When you see these things so close to home, does it raise alarm bells for you?
Yes, any organization with sensitive data is a potential target.
I speak to a number of state and local municipal CISOs. We're constantly sharing lessons learned and asking, "What's worked, what hasn't, and what can I emulate so I don't have to reinvent the wheel?" I think that's one of the things that, maybe, LA County does differently than other government agencies. We're pushing collaboration in government. There's transparency.
Obviously, I don't want to get into the weeds with what specifically we're doing. But we're constantly having great discussions, especially around strategy and incident response, from a regional perspective.
You oversee cybersecurity policy for departments with more than 100,000 employees. All it takes is one of those departments to go rogue for good planning to go sideways. How do you ensure compliance?
Yes, it's a challenge. Fortunately for us, we're constantly under internal audit. I know a lot of people don't view audits as adding value. But I do because you only know what you know, and audits are a great way to ensure compliance and identify gaps.
So, our department doing these audits runs through somewhat of a checklist. They're looking for compliance against internal board policy. We have technology directives and standards. Each department is reviewed and must then be validated against those policies and directives. This is ongoing. Every department gets hit with it several times per year.
And then, every now and then, we'll also see a federal audit.
With our internal audits, I'll often point to where I think gaps might exist and let them see what they can find. After their report comes in, we'll typically create an improvement plan. That moves up the organization's leadership chain for awareness purposes. This way, we know we're getting the right attention to resolve whatever the issues might be.
With that many county employees, you must have your hands full.
For sure. One of the fundamental security principles is the person – the employee – is always the weakest link.
Organizations dump millions of dollars into a control environment, and it can all be circumvented by a single missed click. So, we've been extremely aggressive with awareness training down to each individual line of business – because the way business is done from one department to the next might be completely different.
For National Cybersecurity Awareness Month, we're speaking to employees, and bringing in vendors and industry leaders to share lessons learned as well as to share security Dos and Don'ts. And I think we've gotten better at telling the story.
We're getting end users to care about these mis-clicks by creating an emotional response that goes beyond the county environment. They can take what they learn home and apply it in their personal lives.
We've got the holiday shopping season coming up, for example, and there will be a whole uptick in phishing attempts that purport to come from, say, Amazon Marketplace, eBay, the IRS, or whatever that they'll need to watch out for. People see these things and have an emotional response and might just click without thinking. We've really ramped up our program to help educate them on such things, both at work and home.
How do you know if your awareness training is effective?
We conduct constant drilling. We do tabletops. I have click rates for every department and a roll-up at a county level. I'm able to trend that year after year, and we adjust the training where it makes sense. We don't do cookie-cutter training that's the same every year. We adjust it to hotspots in the industry and hotspots in the county.
So, for example, our phishing campaigns are a little different right now than they were because we're coming into a major election next year. We're warning employees about phishing emails with messages meant to get them going, like, "Your party affiliation has changed; click this link if you didn't intend for this to happen."
We're always looking at regional and geopolitical issues and periodically adjust our training accordingly.
Do you do anything like threat hunts to find potential vulnerabilities?
Oh yeah, though we outsource things like that because of the level of expertise it requires. We're trying to build that competency internally. But for us, it makes sense to have trusted partners to help with threat-hunt exercises. Threat hunting is a great tool, and it's not new. But it's probably still fairly new for many government agencies because it involves endpoint management and a particular level of expertise, which can be complicated.
I'm a big fan of the MITRE ATT&CK Framework [a reference detailing tactics and techniques commonly used by attackers during network intrusions], and we do a lot of tabletops, based on the threat landscape we see, to identify what might be happening within our region or other jurisdictions.
So again, it all comes back to collaboration. Because if the City of Los Angeles is getting hit with something that might be related to us, it could be happening in Pasadena, Santa Monica, Burbank, or elsewhere.
Tell us about a hard lesson you've learned in the last year.
Well, fortunately, we haven't had any big incidents. But we're concerned about supply-chain risk management and trying to get better at it.
The SolarWinds hack (where hackers inserted malicious code into commonly used software to breach tens of thousands of government and corporate networks) brought that to light. We're a big county. We have a lot of vendors. So, getting on top of supply chain risk is important for us. We're always asking, "What's our third-party risk? What's the third-party risk across the entire landscape? And how do we validate vendors are complying with our security requirements?"
To address that, we created something called our Security and Privacy Exhibit, which lays out the county and contractors' commitments and agreement to meet their obligations under applicable state or federal laws, rules, or regulations, as well as applicable industry standards regarding privacy. It gets into everything from audits to incident response, and so forth.
We have an addendum for different cloud services, and right now we're rewriting it to also address the use of generative AI because we're convinced that it's here to stay. Indeed, we want to put up guardrails for that now while there's time.
How do you stay ahead of the curve on these new and emerging technologies?
I think most CISOs have the same playbook for that. We talk to each other, and we're paying attention to what's happening in the industry.
Being CISO for a government organization, I also get a lot of threat briefs from federal partners, including MS-ISAC (the Multi-State Information Sharing and Analysis Center).
There's a lot of useful information that comes out of all that. We also have monthly meetings with the FBI to get a sense of what's happening from a nation-state threat perspective. And then, there's your own curiosity. Looking into the implications of something like ChatGPT, which is gaining momentum, and looking ahead and thinking about security in a quantum computing world.
Strong leaders have the foresight to look at these out-of-the-box things and consider what's next. They might not be here today, but you want to understand what might happen if they do arrive.
This article was written by David Rand and originally appeared in Focal Point magazine.