Jake Margolis is the chief information security officer for the Metropolitan Water District of Southern California, a state-established cooperative that provides water to 26 member agencies and, ultimately, to 19 million people across six counties. He’s been in that role for nearly three years and was previously CISO for Orange County. Before that, Margolis was information assurance manager, a CISO-equivalent post, at the California National Guard, during a decade in the military in which he held a variety of technology and cybersecurity roles.
Margolis holds a master’s of science in information systems and technology management from Capella University and a bachelor’s of science in computer applications and networks from Coleman College. He also is a Certified Information Systems Security Professional (CISSP).
Techwire: As CISO of your organization, how do you describe your role; and how have the role and responsibilities of the CISO changed in recent years?
Margolis: Generally speaking, as a CISO for any organization, you’re the one who’s overall accountable for the cybersecurity posture for the organization. What’s changed, I think, is how we defined the cybersecurity posture. Once upon a time … it was what are the IT guys going to do? Put up another firewall, go buy some more endpoint protection, whatever the case may be. Very technical, nuts and bolts kinds of responses. But I think in recent years we’ve come to — and it’s always been my philosophy — that cybersecurity is a public safety issue. And because it’s a public safety issue, it’s wrapped up equally around policy and administrative procedure as much as it is around technology. It’s how do you keep the right people informed, how are we developing relationships with our law enforcement partners, fusion centers partners, our agencies, our sister agencies in the field, to exchange information that’s appropriate to exchange? I would say the role of CISO has evolved from being an IT-centered role to … definitely a strategic leadership function for most organizations. You’re involved in every aspect of how technology is implemented, but also how it’s affecting services, procurement to a certain degree. What you do as far as … changes in language that have to be put in to address potential insider threat problems or simple things. What are we doing for dealing with the supply chain? That’s an issue now and not a technical problem that can be solved easily. And it’s not a technical problem; the supply chain is very complex. It’s definitely becoming more strategic-centric for organizations, and in many organizations, it moves around. … I work for our CIO, and we have direct reporting through our administrative services … and our chief administrative officer. And it’s a relationship that works out really well, and we have very open lines of communication with our leadership, so it works well the way we’re set up.
Techwire: How big a role do you personally play in writing your organization’s strategic plan?
Margolis: Well, we do have a cybersecurity component of it, but right now, we’re still developing it to a certain degree. And as far as the role in that, we’re the outgrowth of the strategic initiative. I’ve only been with Metropolitan since 2018 and that’s an outgrowth of the organization making cybersecurity one of the top priorities … . If you will, I’m the first person to sit in this chair. Officially. They’ve had people with equivalent pay bands in the past, but the Office of Enterprise Cybersecurity is a fairly new structure. And I’m the first person to sit in the Office of Enterprise Cybersecurity. It was part of IT. And it was referred to as ‘infosec.’ … A lot of organizations functioned that way, where you were looking at how are we controlling access, how are we dealing with … patch management, all the stuff that … cybersecurity deals with at the IT side. They’ve always made it a priority; before I came on board, they made a significant financial investment in uplifting their cybersecurity tool set. It’s always been a high priority for the organization, and I think they wanted to add a position to that that was going to somewhat drive the cybersecurity direction a little bit more … at a strategic level and more towards a focused goal. … We do have a cybersecurity program in place now in the form of a policy and we do cybersecurity awareness training and we do all the things that other people do, but having that focus, I think, has been key. … It’s definitely been exciting, it was a great opportunity to come in there and have that ability to interact with such a great organization that’s been around for a while. …
Techwire: What big initiatives or projects, in either cybersecurity, IT or innovation are coming in 2021? What sorts of RFPs should we be watching for in the next six to 12 months?
Margolis: Well, that is a bit sensitive … . I will say that what we are trying to do and what we’re working very diligently towards, is we’re trying to make sure that we are setting ourselves up so that we’re meeting those best practices across the board. … We looked at … the stuff that’s public, primarily from WaterISAC (Information Sharing and Analysis Center). And we’ve looked at other organizations’ best practices and what we’re really doing is, we’re measuring ourselves against what the industry or subject matter experts across the industry … and those kinds of organizations and those agencies and we’re trying to put ourselves in a place where we measure up against all those categories to the fullest extent possible. We’re doing very well, we’re moving the needle in there, and that’s what our projects are focused on. When you look at those, you’re talking about things like access control, tightened-up access control, improving situational awareness, continually refining your ability to respond to cyberthreats. How we deal with it is really … how I programmatically handle cybersecurity and how I’ve always kind of viewed it, even when I was over at the county of Orange, is you have two pillars. One is threat intelligence or risk information. And the other pillar is response capacity for incident response. And everything you do falls in between those. We’re always refining our ability to intake information and we’re always refining our ability to respond. And so, all of the projects that we have on the immediate horizon are centered around that. … We are engaging the public as much as we can in the business community, because you have to have those good vendor relationships and partnerships or you can’t build a solid cybersecurity program. But the method has to be in place to appropriately vet those and do this fairly. That’s what we’re working toward.
Techwire: How do you define “digital transformation” in an information security context; and how far along is your organization in that process? How will you know when it's finished?
Margolis: My answer to the last part of your question is no, it’s never finished. Digital transformation is an iterative process. And you’re going to go so far, and you’re going to come back and reevaluate and reassess if that’s where you want to be, and then you may change course. … Digital transformation in government is an interesting question because it doesn’t impact us as much in our space because, as a district that deals with the wholesaling of water to our member agencies, it’s a little bit different, the accountability is different. But … if I was to put on my old hat from where I used to work … you have the providing better services to your constituents — how do we do that … in a way that gets government more engaged with the public or more importantly, the public more engaged with the government in a healthy interaction? That’s part of it.
And then … how do I make that so that I can efficiently deliver upon those expectations? That impacts us like anybody else, because we know what the expectation is of us and so we have to look at our efforts and if the efforts aren’t going to make it better then why do it? ... If our efforts are conservation, for example … and we can improve our conservation efforts by not having as many people working in one location — maybe we look at that and maybe we explore more remote or more hoteling kind of capabilities and we look at things like Gartner Secure Access Service Edge with a little more thoughtfulness. And say ‘What does this role play in our organization?’ … I think transformation is about making meaningful use of information … — information not data — so, you’re already taking care of that transformation of data into useful information when you get it, in the context that’s required, from any place at any time, and under any circumstances; and COVID-19 has taught us that you have to be able to do that under any circumstances. We in the public sector don’t get to divorce ourselves from the responsibility to provide the public with what they need and what they expect. And so if that means that we have to be able to sit in the middle of nowhere and fire up some sort of dish or some sort of LTE capability to get connected to the network system to pull reports or to manage payroll, we should be able to do that. … Part of (the) unknown is really looking at cyberthreats and I think that’s new. … I think we underestimate the adversary and instead of accepting that you’re dealing with something that’s unknowable, because you don’t know what they’re going to do and what their capabilities are, you have to learn to embrace that ‘I’m going to adapt my digital transformation efforts to account for the unknowable.’ So, when is that next major disaster going to happen, when is that cyberattack going to happen? Can a cyberattack be elevated to the level of a disaster? The answer is yes, it can, but what do I do when that happens? How do we look at those, how do we respond and do our efforts enhance our ability to do that and continue to provide services? I think that’s where digital transformation is headed. In my view … I look at digital transformation as being the close relative or the enabler to resiliency. You have to measure your ability to be resilient and to provide service and functionality and any effort that you do has to be able to feed that resiliency.
Techwire: What is your estimated cybersecurity budget and how many employees do you have? What is MWD’s overall budget?
Margolis: Our cybersecurity budget is a little interesting because we have an operating budget that is several million. But we also have capital improvement projects that we’re currently engaged in, to improve our cybersecurity posture. If you were an outsider looking in, you might add the capital improvements to the budget, but they’re not necessarily going to be there. Those are going to translate to maintenance fees and operating expenses … to maintain the solutions. But there’s a substantial temporary bond … . The total value of the capital project that we’re approved for is, we’re looking at, over the period of several years, about $4.9 million into cybersecurity improvement. We may or may not use all of that … . But as of right now, we’re focused on using that to develop and improve our cybersecurity capabilities so that we have those enhanced abilities to respond … we have the ability to ingest information and make use of that information. And yet again, getting that information is oftentimes in the form of technology procurements and services because you have to point things out that can gather that.
Techwire: How do you prefer to be contacted by vendors, including via social media such as LinkedIn? How might vendors best educate themselves before meeting with you?
Margolis: First I will say this: Know what we do. … What I would tell vendors is do your homework — just look at us. Just a little bit of due diligence will make your interaction with me a little bit easier. … I don’t mind email but keep in mind … it’s not personal if we don’t get to it, because I’m concerned with day-to-day operational kinds of things. And that’s why I say, if you know our business, then an email that is generally crafted at understanding how your product is relevant is probably going to be better received. It’s more the approach than the medium. I get contacts from LinkedIn; I get contacts on my direct email. I can’t say that I’ve taken LinkedIn over my direct email any more or less. … And it’s about developing that long-term relationship. … When you approach, make sure it’s relevant because most of the time, when I see things, I skim it. I’ll open it up and grab their white paper if I can. I’ll go and I’ll do the research on the company, so if I’m willing to do that when I see an email to see if it’s worth my time and energy, I’d expect the same courtesy in return from the salesperson. We want to be good stewards of the community. We want to be able to say ‘Hey, we want to be able to engage with you … .’ We want to take advantage of that, but it’s going to get lost if we miscommunicate from the beginning.
Techwire: In your tenure in this position, which cybersecurity or IT project or achievement are you most proud of?
Margolis: There’s a few, but what I would say the thing I’m most proud of is, we’ve enhanced our capability to respond. We … upgraded two internal staff positions to be able to be more available. We took them out of their old pay-band and put them into a pay-band that was more available, and we actually hired on a threat analyst. I would say the team that we put together … is the thing that … I’m the most proud of … that we were able to get good people in the right positions. We were able to promote some people internally, which is always exciting because … that’s a hard thing to do sometimes. … Just to see the growth that we have on our internal staff and how the organization has changed, how we approach cybersecurity is probably the thing I’m most proud of because that’s the people. That’s nothing that I do, that’s the people in there and their hard work and trying to align us as best they can to industry best practices and NIST (National Institute of Standards and Technology) and making sure we’re doing the right things.
Techwire: If you could change one thing about IT procurement, what would it be?
Margolis: That’s always a tough one because you’ve got the law that you have to follow … . What I would change, if I could, would be the public expectation on things. … Because the public has this expectation of government in general that you have a certain amount of agility because ‘We want this, we want this now,’ and then they don’t understand why it takes so long to get something done. It takes so long to get something done because we’re following the laws that you wanted us to put in place. … And when things don’t happen at the rate that you want them to, they’re not considering the complexities that are involved of doing a fair procurement process and giving everybody a chance. What I do like is that small businesses do have an opportunity to compete. I think that’s powerful. But we don’t allow them to compete at the expense of getting the job done; I think that’s also powerful. When you look at that, that’s good for the community as a whole. To that degree, I wouldn’t change that; I would just try to find out, how can we better communicate the expectations and in a way that doesn’t sound negative. … The more people that can contribute to that, the better.
Techwire: What do you read to stay abreast of developments in the gov tech/SLED/cybersecurity sector?
Margolis: One of the things that I get … because I like to be as efficient as I can … is the morning report from CalOES (the California Governor’s Office of Emergency Services). That’s kind of like the consolidated, open-source threat briefing for the day. They give it to everybody that enrolls. I’m not here to sing the praises of anybody but … it’s a great resource for the government agencies. … That keeps me abreast of threat stuff and that makes my news perusing easier. … Government Technology* has always been a great resource of information; their events have been great. But generally, I just try to read what comes in on my newsfeed every day. I try to read a couple of different ones and for big issues, I like to look at what the foreign news agencies have to say. Just because it’s really interesting to get an outsider’s look at what’s going on. … So I do spend a fair amount of time in the morning before I start … going through different news feeds on the same topics. … I want to know what’s going on, I want to know what the trends are in government. But more importantly, I need to be able to understand, what does that mean to me, because as a cyberdefender, we don’t really get to make a call. … Your duty is to protect that organization’s information and make sure that they have confidentiality, availability and integrity of their systems.
Techwire: What are your hobbies, and what do you enjoy reading?
Margolis: I just read my first Stephen King novel in probably a couple decades. I used to read him a little bit more when I was younger, but I read “Doctor Sleep.” A great book; it’s the sequel to “The Shining.” Now, I feel like I can watch the movie. … I tend to read a lot of, like, junk fiction. I’m a huge “Star Wars” fan … so I like to read up on what’s going on on that and get into the nerdy arguments about why that’s not right or what J.J. Abrams messed up in the movie, that kind of thing. A lot of my time is spent — not so much outside lately, because it’s just, not having the time — but I do like to hike, I do like to run. I run, because to me, it’s an exercise in grit. … There’s a lot of health benefits from that. And I do enjoy geeking out every once in a while to try to keep my computer skills as sharp as I can, but the more that I get away from it, the more that I’m finding that it’s hard to get back there to a certain degree. But I enjoy it. It’s always kind of exciting to see the new technologies that are out there … .
Lately, it’s trying to improve my pool game and my golf game, which are both dismal. I’ve taken those up because they both require so much focus to be good at them, and if you get mad or frustrated, you’re going to have a bad game. It really is a great exercise in patience. (Golf) gets you outside and it’s a little bit about being outside and enjoying the weather and being a little physical but … at a relaxed pace. That’s why I like running too. Not that I have any problem with team sports or doing team events — I spent a lot of years in the military so I’m a big, big fan of teamwork. But there’s something about a sport like hiking … or running or golf or even when you’re doing something like playing pool that’s just you. It’s only you, it’s your own head, it’s your own mental game and there is nobody that can really improve that for you. … Ultimately, you’re the one that has to do it. It’s kind of like working within your mind.
Editor’s note: This interview has been lightly edited for style and brevity.
*Government Technology magazine is part of e.Republic, parent company of Techwire.
