It cost neighboring San Bernardino County $1.1 million to resolve a ransomware attack on its sheriff’s department earlier this year. Jeff Aguilar, the chief information security officer for neighboring Los Angeles County, hopes to prevent a similar fate in any of the 38 county departments he’s charged with safeguarding.
Aguilar, who has held high-level security posts in LA County since 2018 and became its CISO last year, is keenly aware of the growing vulnerability of federal, state, and municipal agencies—cyberattacks targeting the public sector spiked 40% in the second quarter of 2023 over the same period the previous year. And although LA County has so far avoided a major incident, Aguilar knows that maintaining that record will require diligence, resolve, and—this is key—constant communication and coordination with industry peers as well as the county staff under his watch.
This helps with his own department’s benchmarking efforts, to be sure. And more than that.
Indeed, unlike many CISOs, he’s a strong believer in sharing useful insights that can help other state and local government agencies counter threats. This willingness to hear and share varied viewpoints is perhaps borne of his own varied resume, which includes stints in government, healthcare, financial services, and transportation.
Focal Point caught up with Aguilar to learn more about his collaborative approach and what makes him one of the nation’s top governmental cybersecurity chiefs.
(The following interview has been edited for clarity and length.)
At first glance, LA County’s reporting structure – who reports to whom – seems, well, fairly complex.
We have a federated model: I report to the county CIO. Each department acts as an independent business and has its own departmental CIO and information security officer. Their job is to enact the cybersecurity policies and strategy my team sets forth at a board level.
I have two deputies reporting to me and I’m hiring two more. We organize the county into clusters (for operational purposes), with each cluster representing a particular area of our business. So, for example, healthcare is one line of business and law enforcement is another. My deputies will cover different clusters depending on their skill sets and the needs of the clusters. We establish the cybersecurity guardrails from a high-level perspective, and departments work within those.
Both the LA Unified School District and LA Housing Authority recently suffered data breaches. When you see these things so close to home, does it raise alarm bells for you?
Yes, any organization with sensitive data is a potential target.
I speak to a lot of state and local municipal CISOs. We’re constantly sharing lessons learned and asking, “What’s worked, what hasn’t, and what can I emulate so I don’t have to reinvent the wheel?” I think that’s one of the things that, maybe, LA County does differently than other government agencies. We’re pushing collaboration in government. There’s transparency.
Obviously, I don’t want to get into the weeds with what specifically we’re doing. But we’re constantly having great discussions, especially around strategy and incident response, from a regional perspective.
You oversee cybersecurity policy for departments with more than 100,000 employees. All it takes is one of those departments to go rogue for good planning to go sideways. How do you ensure compliance?
Yes, it’s a challenge. Fortunately for us, we’re constantly under internal audit. I know a lot of folks don’t view audits as adding value. But I do, because you only know what you know, and audits are a great way to ensure compliance and identify gaps.
So, our department doing these audits runs through somewhat of a checklist. They’re looking for compliance against internal board policy. We have technology directives and standards. Each department is reviewed and must then be validated against those policies and directives. This is ongoing. Every department gets hit with it several times per year.
And then, every so often, we’ll also see a federal audit.
With our internal audits, I’ll often point to where I think gaps might exist and let them see what they can find. After their report comes in, we’ll typically create an improvement plan. That moves up the organization’s leadership chain for awareness purposes. This way, we know we’re getting the proper attention to resolve whatever the issues might be.
With that many county employees, you must have your hands full.
For sure. One of the fundamental security principles is that the individual – the employee – is always the weakest link.
Organizations dump millions of dollars into a control environment, and it can all be circumvented by a single errant click. So, we’ve been extremely aggressive with awareness training down to each individual line of business – because the way business is done from one department to the next can be completely different.
For National Cybersecurity Awareness Month, we’re talking with employees, and bringing in vendors and industry leaders to share lessons learned as well as security Dos and Don’ts. And I think we’ve gotten better at telling the story.
We’re getting end users to care about these mis-clicks by creating an emotional response that goes beyond the county environment. They can take what they learn home and apply it in their personal lives.
We’ve got the holiday shopping season coming up, for example, and there will be a whole uptick in phishing attempts that purport to come from, say, Amazon Marketplace, eBay, the IRS, or whatever, that they’ll need to watch out for. People see these things and have an emotional response and might just click without thinking. We’ve really ramped up our program to help educate them on such things, both at work and at home.
How do you know if your awareness training is effective?
We conduct constant drilling. We do tabletops. I have click rates for every department and a roll-up at a county level. I’m able to trend that year after year, and we adjust the training where it makes sense. We don’t do cookie-cutter training that’s the same every year. We adjust it to hotspots in the industry and hotspots in the county.
So, for example, our phishing campaigns are a little different right now than they were because we’re coming into a major election next year. We’re warning employees about phishing emails with messages meant to get them going, like, “Your party affiliation has changed; click this link if you didn’t intend for this to happen.”
We’re always monitoring regional and geopolitical issues and periodically adjust our training accordingly.
Do you do anything like threat hunts to find potential vulnerabilities?
Oh yeah, though we outsource things like that because of the level of expertise it requires. We’re trying to build that competency internally. But for us, it makes sense to have trusted partners to help with threat-hunt exercises. Threat hunting is a great tool, and it’s not new. But it’s probably still fairly new for most government agencies because it involves endpoint management and a particular level of expertise, which can be complex.
I’m a big fan of the MITRE ATT&CK Framework [a reference detailing tactics and techniques commonly used by attackers during network intrusions], and we do a lot of tabletops, based on the threat landscape we see, to identify what might be happening within our region or other jurisdictions.
So again, it all comes back to collaboration. Because if the City of Los Angeles is getting hit with something that might be related to us, it could also be happening in Pasadena, Santa Monica, Burbank, or elsewhere.
Tell us about a hard lesson you’ve learned in the last year.
Well, fortunately, we haven’t had any big incidents. But we’re concerned about supply-chain risk management and trying to get better at it.
The SolarWinds hack (where hackers inserted malicious code into commonly used software to breach tens of thousands of government and corporate networks) brought that to light. We’re a big county. We have a lot of vendors. So, getting on top of supply chain risk is critical for us. We’re always asking, “What’s our third-party risk? What’s the third-party risk across the entire landscape? And how do we validate that vendors are complying with our security requirements?”
To address that, we created something called our Security and Privacy Exhibit, which lays out the county’s and contractors’ commitments and agreement to meet their obligations under applicable state or federal laws, rules, or regulations, as well as applicable industry standards related to privacy. It gets into everything from audits to incident response, and so on.
We have an addendum for various cloud services, and right now we’re rewriting it to also address the use of generative AI because we’re convinced that it’s here to stay. Really, we want to put up guardrails for that now while there’s time.
How do you stay ahead of the curve on these new and emerging technologies?
I think most CISOs have the same playbook for that. We talk with each other, and we’re paying attention to what’s happening in the industry.
Being CISO for a government organization, I also get a lot of threat briefs from federal partners, including MS-ISAC (the Multi-State Information Sharing and Analysis Center).
There’s a lot of useful information that comes out of all that. We also have monthly meetings with the FBI to get a sense of what’s happening from a nation-state threat perspective. And then, there’s your own curiosity. Looking into the implications of something like ChatGPT, which is gaining momentum, and looking ahead and thinking about security in a quantum computing world.
Strong leaders have the foresight to look at these out-of-the-box things and consider what’s next. They might not be here today, but you have to understand what might happen if they do arrive.
This article was written by David Rand and originally appeared in Focal Point magazine.