Life After CISO

It's now official. I have changed technology roles and permanently moved offices within Michigan Government. I am now the Chief Technology Officer (CTO) and Director of Infrastructure Services. After almost seven years as Michigan's first CISO, I took an acting role as CTO in January, when Pat Hale left government and became CTO for Sparrow Health System. After successfully navigating the interview process, the "acting" has been removed.  Looking back, here are a few memories and perspectives from across the hall.

First, why did I make a change? It was a hard decision, but I was ready for new challenges. I also thought it was time to allow others to step forward in their careers. In the Michigan Department of Information Technology (MDIT), our CTO position is a deputy director over centralized technology infrastructure managing around 800 staff plus contractors covering roles such as enterprise architecture, networks and telecommunications, help desk (customer support center), data centers, technical support, office automaton, field services, project management, and more. This is a huge (and humbling) management and technology challenge, and I am very grateful for the vote of confidence that has been placed in me. 

 In addition, the new federal stimulus package offers some unique opportunities for involvement that are historic in nature and excite me, such as the possibility to build out Health IT and new government high-speed networks. 

Second, was the change difficult?  Answer: Yes, but the position has grown on me every week. The first few weeks were like drinking from a fire hose. I was trying to do too much and manage two transitions (learning my new job from Pat Hale who was getting ready to leave while handing off my old job to our new Acting CISO Trent Carpenter). Fortunately, I knew the people and processes - which helped tremendously. But I had no idea how many personnel issues would come with a very large technology organization. I quickly realized that I was way out of my comfort zone, but many colleagues were eager to help. I also gained a new appreciation for our infrastructure experts and my new team.

 A major virus outbreak that we experienced in February turned out to be a blessing in disguise. While I never wish these problems on anyone, I was forced to focus on one core issue for several days, and navigate my new team through an emergency situation that I was well-qualified to lead. A more cohesive team emerged from that problem. Meanwhile, I gained a better understanding of the perspective of my staff running infrastructure. That emergency also gave me a closer relationship with the customers who were impacted by the outage.

Third, what were some of my favorite memories? Together with our Michigan partners, our security team accomplished quite a bit from strategic security plans to websites offering cybersecurity training to new executive orders surrounding ID Theft and breach notification to PCI compliance over the past several years. However, my best memories always surround the relationships formed with customers and professional colleagues in government and in outside groups like the MS ISAC, Michigan InfraGard and the Department of Homeland Security's (DHS's) National Cybersecurity Division.  Cybersecurity must be a team effort to be successful, so I urge friends and colleagues to partner, partner, partner - whenever possible.

 As CISO, I also learned so much about emergency management in surprising ways. When the Blackout hit the Northeast in 2003, I found myself unexpectedly at our State Emergency Operations Center (SEOC) for four long days coordinating response. But that incident created new relationships and opportunities for the future, as new technology became integrated into new areas of government. 

Michigan was very fortunate to participate in both Cyberstorm I in 2006 and Cyberstorm II in 2008, and we learned so much from coordinating our cyber responses with the federal government, private sector partners, other states and even other countries. I've developed many friends around the country, and I owe you so much. Thank you for your help.

Thinking of success factors ... there is no doubt in my mind that CSOs and CISOs must embrace the unexpected to be effective over time. Turn "lemons into lemonade" wherever possible. There are always new ways to gain support for security initiatives, but they are typically not obvious at first.         

Finally, will I every go back to a senior security role?  I think security is in my blood, so my honest view is that I'm not really leaving security. Yes - I am leaving the Michigan CISO function in other (very reliable) hands. But in reality, there are many security functions within technology infrastructure - such as network and system administrator roles. More than that, we are all partners getting a common job done.

And yet, some of you will rightly say that I'm dodging the real question. I never say never. Looking back, I am surprised that I stayed in this CISO role as long as I did. Our Lord has been good to me, with plenty of "success," but I realize that awards aren't what's ultimately important. We do what we do to help others - to make a positive difference. We press on to build safer, more reliable digital government and an Internet with end-to-end trust.  We fight as cyber ambassadors for good.   

As for this blog ... I am no longer a CISO, so I will be cutting way back on my security blogging. I told Derek and CSO Magazine that I would occasionally pop in (every few months) to offer a view of security from a government CTO perspective, but I will no longer be a featured blogger for CSO-online. I am grateful that CxO media wants to keep my 30 months of blogs on their website for future public consumption.  CSO Magazine has been awesome to work with, and I am very thankful for their support through the years.

One final thought ... try to surround yourself with good people who you can trust. That is the most important aspect for CISO success.  I was blessed with a great Michigan security team. I also worked for great leaders like Teri Takai (now California CIO) and Ken Theis (current Michigan CIO). It certainly helps to have technology partners that "get it."


Copyright © 2009 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)