State Information Security Chief on Priorities, Connecting With Vendors

California’s state Chief Information Security Officer Vitaliy Panych discusses security planning, how vendors can support his team and how the COVID-19 pandemic changed worker experience and cybersecurity.

Last fall, California released a multiyear information security road map, Cal-Secure, for all levels of government that included projects covering people, process and technology components.

The leader of that cybersecurity effort is Vitaliy Panych, California state chief information officer, who was appointed in February 2019 in an acting capacity. He was appointed permanently in February 2021.

Vitaliy has an impressive cybersecurity background with extensive government technology experience. He has been active in California government since 2003 and has held leadership roles in several different agencies, including CISO for the state Department of Corrections and Rehabilitation and information security engineering manager for the Employment Development Department.

This Government Technology article has more background on Vitaliy’s career and appointment to his current role in the California Department of Technology (CDT). He is also a member of the board of advisers for the Merritt College Cybersecurity Program.

Across the country, Vitaliy has become a sought-after expert on cybersecurity for many organizations, including the National Association of State Chief Information Officers, the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Center for Digital Government’s* CISO Advisory Council, where I met him. I have been very impressed with Vitaliy’s expertise, approach to cybersecurity leadership, cyber plans and ability to get things done.

Lohrmann: You have an amazing career in government. How has that experience helped you as California CISO? Why did you want to go into cybersecurity leadership?

Panych: Over the last 20 years, I have been part of teams spanning from highly technical application and infrastructure development to being motivated by my peers and mentors to take on senior cybersecurity leadership roles. I’ve always focused on fostering a highly collaborative culture, which means being able to incorporate diverse thoughts across my team while working in the trenches and meshing our efforts to fit our mission. Whether we’re building a network, a defensive-in-depth strategy, or a risk-assessment strategy, it always supports the bigger picture and our Vision 2023 principle of putting people first.

For example, when building our Security Operations Center and Forensics lab at the California Department of Corrections and Rehabilitation, we maximized our public safety mission to ensure IT-enabled classrooms could operate to support the rehabilitative mission as well as mitigate any chances of insider misuse as the incarcerated individuals get reintroduced into society. I have led and been embedded in teams that work with businesses dealing with protective law enforcement systems and systems that deal with tax collection or distribution of benefits at an aggregated $1 trillion in transactions. We mapped our efforts to achieve the core mission that impacts Californians’ day-to-day lives.

I got into leadership because I value the passion that information security practitioners embody to hack and deconstruct complex problems, constructing them into an overarching context supporting the mission at the human level. We continuously look for flaws that can undermine intended functionality to improve processes. This risk-assessment mindset is what got me into the infosec space in the first place. In other words, I enjoy figuring out how to break things to make them more resistant to failure.

Now I aim to deconstruct or hack the cultural aspects that impact our mission and build our workforce with a security mindset into every aspect of our culture, beyond the infosec teams. I realized as I moved from a technical career into a leadership role that ultimately, our people and culture will build sustainable and resilient defense capabilities within our public-sector mission.

Lohrmann: You became CISO about a year before the pandemic. How has the pandemic changed the worker experience, and cybersecurity, in California government over the past few years?

Panych: Gov. Gavin Newsom appointed me to the state CISO role in February 2021. But, at the start of 2019 I had just joined CDT’s Office of Information Security as the state deputy CISO. Shortly thereafter, I became acting state CISO when my predecessor left for the private sector. I had to hit the ground running and began focusing on building up our services-based security operations, our statewide incident response team, and converting our funding model to ensure the state had a baseline set of core security services to assume the cost of doing business for all state entities. We set those efforts in motion before the pandemic. I had developed security teams to work within our biggest agencies and departments which armed me with the knowledge of the political intricacies of how government functions to be able to hack through organizational boundaries. This was the first time our security teams worked across departmental boundaries and experienced firsthand how they could work better together. These efforts include our Information Security Leadership Academy, our tactical SOC, as well as our incident response, threat intel, and assessment teams that work across the matrix among organizational boundaries.

These early efforts led us to be successful in emergency scenarios like the pandemic. A major enabler of success was building up capacity for a dedicated incident response and threat intelligence team. The team is now embedded in and supports our California Cybersecurity Integration Center (Cal-CSIC). It is a force multiplier that benefits statewide and department-level security operations.

Our collective security teams, which we call our core partners, came together and dealt with pandemic-related needs such as scaling our agencies to operate a telework environment of over 170,000 remote employees. Together, we conducted pointed assessments and penetration tests to identify and remediate gaps in new attack surfaces around the varying telework environments to ensure severe flaws didn’t get introduced in our perimeter and access controls. The pandemic also required us to deal with other new attack surfaces and threat models to protect and preserve privacy for technology-enabled COVID-19 applications that spun up overnight. I remember we deployed dashboards and apps daily to deal with all statewide logistics surrounding managing the pandemic. We deployed our security teams to investigate, contain, mitigate, and recover from ransomware events, as well as denial-of-service-level disruptions, with our local and private partners. What we set in motion before the appearance of COVID-19 enabled our teams and people to deal with the threat-based problems that arose. By enabling our security teams, we maintained resiliency and operated as one team leveraging resources at scale. That team includes members of the California Department of Technology, (the California Governor’s) Office of Emergency Services, the California Military Department, and the California Highway Patrol and even private-sector partners. At the end of the day, we are one team focused on the fight.

Lohrmann: California has a Cybersecurity Task Force. What is their role? How does that work from a governance perspective?

Panych: In California, we aim to operate in unity. The threat landscape is far too great and complex for any organization to successfully operate in a silo. The Cybersecurity Task Force, chaired by the directorate of the California Governor’s Office of Emergency Services and the California Department of Technology, unifies the state, local, tribal, territorial, academic and private sectors through leadership to strategize and task workgroups with the missions we need to focus on. This includes establishing priority-focused subcommittees to generate better information sharing, threat intel, cybersecurity workforce development, risk mitigation, legislation, and funding. This is an ongoing effort to break through bureaucracy to work on actionable outcomes against our collective threats. The task force serves as a leadership committee to inform stakeholders from all branches of government and industry. The subcommittees include varying levels of the government and public sector that share information and crowdsource deliverables like a cybersecurity curriculum ranging from K-12 to higher education. They also provided input on our security road maps and strategies that ultimately led to the creation of Cal-Secure — California’s first five-year cybersecurity road map.

Lohrmann: How did that road map come together? How will it be updated as situations change?

Panych: Cal-Secure was created collaboratively between all levels of government in the cybersecurity community. The plan outlines an overarching road map to prioritize initiatives to guide organizations at any level of maturity. The plan focuses on building up technical capabilities, but also how our workforce and governance practices can and do help us sustain our collective protection measures. We know that the threat landscape changes on a much faster cadence than a five-year plan, and we designed Cal-Secure to highlight the fundamental areas of focus to emphasize initiatives that build our organizations’ security maturity to be future-proofed through our workforce and governance practices. As a result, Cal-Secure is an adaptable support framework to guide organizations through an ever-changing security landscape. The plan will be re-evaluated and re-baselined on a regular basis to make sure it’s time resistant.

Lohrmann: Can you describe some of your security top priorities in the plan?

Panych: We’ve worked closely with our state entities and partners on critical operations and discovered we need to focus on scaling better security practices into organizations that have historically operated on their own. We must bring in some of the lessons learned from the past and help those organizations through successful and proactive measures provided by the state. This means providing real-time advisory resources that focus on areas of unknown or undiscovered risk. Additionally, placing an emphasis on collaboration and transparency with the provider community will result in healthier and more efficient supply chain management. We all depend on outsourced critical services that vary along the maturity spectrum. The focus needs to be on supply chain risk management and how we use IT-enabled services to raise the bar. Finally, we need to dedicate ourselves to build up the workforce. That means increasing candidate pools and the security pipeline where we will recruit and retain our next-generation security workforce.

Lohrmann: How can the vendor community better support you and your team?

Panych: When it comes to providing tech capabilities, we need the community to look at the entire threat landscape and not focus on a single solution to a specific attack. That means optimizing services so they’re more cost effective; better integrating information; and automated threat intel sharing and transparency from prior failures and incident scenarios. We also look to the vendors to help make users and operators of all services better security-minded professionals. Our goal and mission are to make everyone risk-minded in every facet of our organizations.

Lohrmann: What are your thoughts on StateRAMP and federal/state/local cloud security efforts?

Panych: Anything that supports transparency and visibility into organizations’ ability to demonstrate that what they’re doing is “the right thing” is a positive step in the right direction. I think StateRAMP has a valid, supporting role in an overall supply chain risk-management practice. Historically, most organizations relied on contractual requirements through self-attested mechanisms on whether a provider or service is doing the right thing, but that has been subjective. Vehicles like StateRAMP allow providers to open their books and show how they’re implementing, achieving, and managing the required security controls we all strive for. In my opinion, transparency beyond self-attested compliance measures is a step in the right direction. I think StateRAMP is working toward that goal.

Lohrmann: Where do you go to keep up with the latest strategic cybersecurity trends as well as tactical cyber threats? What public/private partnerships provide your team value regarding threat intelligence?

Panych: Our teams within Cal-CSIC have a mission to intake and share threat intelligence, as well as contextualize information to understand what is actionable to our risk and attack profiles. That is the integration point to bring in relevant information from across governments and industry sectors. In addition, we partner with various private-sector threat intelligence providers and incident response firms. We depend on closed-source intel from our federal partners as well as very valuable open source telemetry we receive from top-tier threat intel teams supporting those technologies we deploy within our system and network environments. The Cybersecurity and Infrastructure Security Agency, as well as MS-ISAC, have been very valuable in our efforts.

I enjoy networking and collaborating with other practitioners, whether it’s through informal infosec meetups, association meetings, or security conferences. The infosec community is very open and engaging. It’s fun to keep up with peers and have an opportunity to give back to them.

Lohrmann: Is there anything else you would like to add?

Panych: As we head into a world where more crime is conducted using cyber-enabled tactics, we need to focus on scaling defense strategies to the micro level, where adverse cyber events impact the individual. A lot of efforts have been focused on larger enterprises with relative successes and failures, but the smaller organizations haven’t had much help from our industry. I mean those small businesses, rural governments, nonprofits, and service providers. We need to aim our focus on scaling security basics at that level.

This story first appeared in Government Technology magazine, Techwire’s sister publication.

*The Center for Digital Government is part of e.Republic, parent company of Techwire and Government Technology.