Jeff Brown discusses how the state of Connecticut flipped the script and drove digital transformation at the state level through communications. By digitizing parts of its business, the state was able to consolidate and streamline departments, ultimately improving communication both internally and externally.
Episode 29 | Reimagining Cyber | Digital Government - How the State of Connecticut has Driven Digital Transformation | Jeff Brown
Jeff Brown 00:03
Take incident response as an example. That's a really high stakes communication kind of situation to be in, like, something's happened in your company. There's a lot of stakeholders who are going to be looking for information and you may need to be doing writing, you'll definitely have to be doing speaking and worst case you might be on the news, right? So there's all these different scenarios. I think it really underscores how challenging the communication aspect of our job has become over time.
Rob Aragao 00:31
Welcome to the Reimagining Cyber podcast where we share short, to-the-point perspectives on the cyber landscape. It's all about engaging, yet casual conversations and what organizations are doing to reimagine their cyber programs, while ensuring their business objectives are top priority. With my co-host, Stan Wisseman, Head of Security Strategist. I'm Rob Aragao, Chief Security Strategist, and this is Reimagining Cyber. So Stan, who do we have joining us for this episode?
Stan Wisseman 01:03
Rob, our guest today is Jeff Brown, the State of Connecticut's first CISO. Prior to his appointment to CISO in 2020, Jeff worked in the financial sector and led security teams at GE Capital, Citigroup, and Goldman Sachs. Jeff is also the author of a new book entitled, "The Security Leaders Communications Playbook," bridging the gap between security and the business. He's also co-chair and governing body member of the New York CISO community and is an IANS faculty member. Jeff, it's great to have you on our podcast. And before we start, is there anything else you'd like to add about your background?
Jeff Brown 01:41
Yeah, sure. As it turns out, I'm mostly self-taught with technology. So my background is actually in communications. You know, at least my educational background is in communications. I felt that this particular book, and we'll talk about that maybe a little bit later, but was something that really is a big problem in our industry about communication. So that is my background. Just recently, I'm about two years into the state service. So, I've seen now the public and private sector. And there's yeah, there's just a lot to talk about. I'm looking forward to it.
Stan Wisseman 02:15
And you're absolutely right that communication has been a challenge. I've had that challenge myself, good it's been said. So I'm looking forward to talking more about that a little later. Now, Jeff, the - your boss - the governor of Connecticut has a digital government initiative underway. And that's centralizing many of the IT functions for the state. And under that initiative, I understand you're unifying cybersecurity technology and processes across the state. So, coming from the commercial sector, and being the first CISO for the state, what has been your approach as far as trying to pull in some of these functions from the different agencies? And delivering on this vision that's been set for you?
Jeff Brown 03:03
Yeah, you know, that's a great question. And a lot of, there's really two things that are driving a lot of what we do in Connecticut right now from the government perspective. One is the digital government initiative, and to help support that we are doing what we call IT optimization. Now, from a security perspective, you'll typically see even in some of the big agencies, like the Department of Motor Vehicles and Department of Revenue Services, you know, they might have a security person, right. Many of them have no security people. Many of them have security people that also do general IT support. So when we look at, like how the agencies operate, it's a tough challenge. I think when you're that individual in an agency, and you're trying to do everything that a security person needs to worry about, that's not a great position to be in, you know, a lot. That's a lot. It's a lot, right. And so the interesting thing about that, though, is there's so much synergy with security people, I think security loves to collaborate. There's actually a group called the IT Security Officers Roundtable that has been meeting for over 15 years now, which is just huge. And it was all the people from the agencies. This is an unchartered group that would get together and just discuss all of the challenges that we have trying to implement security. So really, when I started looking at pulling some of the security functions together, I was just amazed at how much natural synergy there was. People already knew each other, they'd already been talking with each other. And really, when I look at, like what benefits this gives to the state, because ultimately, we're all about, you know, serving our citizens. This gives us immediately better coverage for security for all agencies. I mean, now if somebody is out, we have an entire team of people that can back them up, right. We're also able to better leverage skill sets.
So you know, we have some really good people that have to do compliance work. They're poking through logs all day but really talented security people, right? So we can now kind of re-partition how people are doing what they're working on, and making sure that we're really leveraging things that we have, you know, in our groups right now. And I think that that's really good. So no one person is an expert in everything. And that's the old model where we had like, really just like one person in an agency, and they're supposed to know everything about security. We all know that security is like a huge challenge. Now, that's just not the way to go. And then really, at the end of the day, serving the citizens, it gives us a strategic holistic view of risk across the entire state. We can come in, you know, we can do common defenses, common products, and we can do simplicity over complexity. Instead of this highly distributed model, we'll now be doing a highly centralized model. And I think, overall, this is going to put us in a much stronger security posture.
Rob Aragao 05:52
So Jeff, let's kind of go into that topic of the citizen side, because that's one of the core aspects of the initiative, right, is the citizens-first methodology and approach and, you know, looking at kind of those citizen interactions, the citizen experience and that conversion to digital, overarching experience. So, I want to talk about it in a sense of, we recently had Gary Phillips on with E-Trade/Morgan Stanley, and a very focused conversation as related to consumer identity access management, the things that they're doing on their end. And obviously, in your world at - see, kind of translates into more citizens identity access management. But what does that look like for you in the program, as relates to kind of the starting point, right? Turn back the clock almost two years ago, now. Initially, when as you got in and kind of started assessing, and all the different agencies, right, as you said, it's a decentralized model that's now becoming centralized, that's a, it's a big, you know, part of solving the problem. But as you were there, and what your target state is, like, where are you in that journey? What are some of the things that you've come to kind of go through as lessons learned, you can share with us?
Jeff Brown 06:58
Yeah, and that's great. And I think that strong security really does start with access control and identity and access management. So, it's a really good starting point. I think on this journey, we have a vision that digital government really flips the model. Where, you know, I think in the past, what would happen is you go to, let's say, the Department of Motor Vehicles, you sign up, you have an ID, you have a login and a password. Now you go to get, I don't know, a fishing license, something else in the state, right, and then all of a sudden, you're starting all over from scratch. Like it's a brand new transaction. We have no idea who you are. The vision here is that we're going to have a single, unified identity as a citizen in the state of Connecticut. And I think that that's really great. That's the vision that takes some time. But we've done a lot of tangible things that have, you know, really helped us on this journey. Right now, you could have literally dozens of different usernames and passwords just to interact with the state and nobody wants that, right? Like, we're really flipping the model on how would a citizen like to interact with us. And that really means like, having a profile, you know. Even, I think, as we kind of move forward in the future, when we start getting more of the pieces of this in place, you can almost think of digital government like an Amazon, right. Like where you can go in and say, I need a license for driving, right, like, and then we can kind of point you in other directions where, you know, maybe this other service that the government provides might be useful as well. So that's really the overall vision of digital government. You know, it gives us, I think, a very unique opportunity. This was something that started with the Obama administration some time ago. But really, what we're seeing is that it's tough to get things done in state government.
But when you have the backing of the governor and for us, Governor Lamont has been a very strong supporter of this. He wants to be the first digital government from a state perspective. And I think that we're well on our way with that. And digital ID is really just part of that. I mean, we're also looking at things like the digital driver's license, which is, you know, we're working with Apple to really be one of the first five states to roll out the digital driver's license. So I mean, like, you know, in theory, in the near future, and this is coming very soon, you can leave your driver's license at home, just bring your smartphone with you, and that will be a valid form of identification.
Stan Wisseman 09:23
And it'd be in your Apple wallet, I guess, right?
Jeff Brown 09:25
Stan Wisseman 09:26
But, and that works well, potentially, within the context of the state, but when you leave the state, I mean, if you're going on a flight, and you need to show TSA, you know, identification, will they accept that as a form of identification?
Jeff Brown 09:41
Yeah, and the answer to that is right now, today, in January, no. But starting in February, that's going to be a very different story. Where this does get a little bit complicated, though, is, you know, you have a source and you have a destination. You know, so when you fly out of Connecticut, you'll be fine. Depending on where you're going, the TSA isn't always - they're not ready to do this for every state all at once. So, I think for the short term, I think it's going to be a little bit spotty, but I certainly - anything within the state will be fine. And many destinations will be fine, but not necessarily every destination. So, unfortunately, that means you still need your traditional ID a little bit longer. And what do they say? That the future is here already, but it's not evenly distributed. But this is where it's all headed.
Stan Wisseman 10:28
And just a follow-up question, as far as again, you've identified the citizen and you have a profile for them. Are you norming up on all the different forms of authentication? As far as how you authenticate that individual for the different functions they want to perform with the state?
Jeff Brown 10:43
Yeah, yeah, to a large degree. And I think what we're doing is, really, we're very conscious of the friction that can come into play when you're working, not only just dealing with the government, but we're dealing with any website, right, where it's just very difficult. You know, in some cases, multifactor authentication, which is a fantastic security control, but it does introduce some user friction, you know. We are trying to take a risk-based approach with some of this. So that, you know, maybe if you're just logging into a read-only account that has low risk, we're not necessarily prompting you for multifactor authentication. But if you're going to start moving money around, if you're going to start doing anything that might be considered a higher risk transaction, then we can do step-up authentication on that and make sure that we're, you know, really taking a risk-based approach. We're not just like, across the board going to say, like, yeah, it's gonna be really awkward doing business with us. We're really taking that citizens-first approach of like, how do people want to interact with us? And, also factoring in that some transactions really do need a little bit more security. And those are the ones that we're going to prompt you for, you know, a stronger level of authentication.
Rob Aragao 11:49
And that makes sense. One of the things, kind of - I want to delve a little bit more into as well, Jeff, is, as you go through this whole centralization, obviously, it's a lot to take on, but what are some of the kind of areas that you've honed in on, right? We've talked about this part of it from the digital citizen aspect, which I think is just great in some of those examples. And you guys definitely are moving very quickly from some of the things that we've heard out there in other states. That's great news for you. And when you look at that, though, again, kind of what's next? What else are those other items, as it's more that centralized mode? Is it, you know, cloud type of offerings, and kind of making that easier for different types of services? Back to the agencies? Something else? What's happening out there?
Jeff Brown 12:28
Yeah, good question. Um, you know, one of the challenges that not only state government has, but ours in particular, you know, we have a huge amount of people who work for the state, and there's about 30,000 employees for the state. So that's a pretty high number. That said, a lot of the employee base is aging, you know. I think over the next year or two, we have a very large portion of people who will become eligible for retirement. That doesn't mean they'll take it, but it means they'll be eligible for it. And the idea is that, like, as we kind of do this, you know, do we really need to, like re-hire people doing the same roles? Or, do we need to spend more on technology? Do we need to bring more technologists in? You know, we're really looking at all of those different questions. Not just like, you know, one-for-one replacement. Every time someone leaves, we replace that exact person doing that exact same thing. We're really trying to be a little bit more thoughtful about this. And in terms of heading towards a digital government, we need IT expertise. We need in some cases, automation. In some cases, a system or a process instead of a person. Anything that we can do that. I mean, the vision of digital government is really, like, you can interact with us how you choose to and if that's at 2 AM on a Sunday evening, that's 2 AM on a Sunday evening. That's how we want to be able to do this. We want to be able to really service people, anytime. Basically a 24/7 government.
Stan Wisseman 13:55
But you're taking advantage of the digital transformation to also look at the workforce and see how you can transform it as well to better serve the state.
Jeff Brown 14:04
Stan Wisseman 14:05
That is great. Now, Jeff, you are the first CISO at a state level that we've had on our podcast, which is fantastic. But, I'm interested to see how you've perceived this role. You know, having come from the commercial sector, right. I mean, you've seen how the commercial sector has done it, you know, how the federal side does it. From the state perspective, you know, what has that experience been like? And, you know, do you find it easier or harder to share information with your peers than you did on the commercial side? I mean, how's that working?
Jeff Brown 14:41
Yeah, that's an interesting question. And I have to say after 25 years in the private sector, financial services almost exclusively, they're - the mission when you're working at like a Citigroup or any of these like kind of big financial companies, the mission is pretty clear. It's protect the money. That's the job, right? And I think when you look at, like, what does a state CISO do that's different? It's really kind of interesting. I have to say, it's really one of the more interesting roles that you can take. Yes, we run day-to-day cybersecurity functions, just like every other CISO. However, you know, I've also worked with legislation in the state. We just passed the, you know, with Representative Caroline Simmons, who's now the mayor of Stamford, you know, we passed some legislation that encourages the adoption of cybersecurity frameworks. We protect the voting process, the 911 networks, health, transportation, and yes, we even have finance. So it's like being in every single industry all at once, which makes it, I think, really unique. But there's also, you know, like, kind of an element of evangelism that we do with the municipalities. So, most state governments don't have direct say over the municipalities, you know, the towns and in some cases, counties. That's not something Connecticut has. But, you know, really, when we look at that, it's really leading by influence. A lot of our municipalities really want help with cybersecurity. So there's a lot of that kind of outreach. I think that comes along with this job. But also, one of the really great things, I mean, I'm glad you really touched on that, too, is about information sharing. The partnership is really incredible. So, I mean, I've met like, most of the other CISOs, many of which in person, you know, across all 50 states really like 54 plus the territories, you know.
And there's groups like NASCIO, which is the National Association of State CIOs, the Multi-State ISAC, which is our information sharing. But also like FBI, you know, all of our federal partners, the really big key difference is that we're not in competition with each other. Even when I look at something like the FS-ISAC, the financial services ISAC, you know, they were very good, right. But I mean, like, at the end of the day, they're in competition with each other, right. The states are not. I mean, the idea of competing with like the State of Colorado, that's just not really in the cards. So we tend to be very, very transparent with each other. And of course, since we're using taxpayer money, there's that element of just having a transparent program. So we do share a lot of like, what we're doing, you know, anything that doesn't really expose, obviously, any security vulnerabilities that might be used against us. But I mean, we really try to run a very transparent program and work with all of the other 50 states, because, you know, really, what we see is, you know, we're on like, Signal together, so we can all like kind of text each other in real time. And I have to say, it's really, you don't really feel like you're on your own here. You know, obviously, working in a state government, you have a little bit less freedom in terms of, you know, spending, it's a little tougher to hire people. But I have to say, the quality of people that I run across, certainly in the state of Connecticut, the quality is extremely high. A lot of us are coming from, believe it or not, the private sector. So it's not always, you know, that 30-40 year employee that's been in the public sector their whole career. We have a really, I think, very good mix of public and private now. So, that's really bringing a lot of different thought leadership and thought diversity.
You know, in terms of how we run things, it's just been really interesting. I have to say, it's a fascinating job.
Rob Aragao 18:25
Well, it's great to hear that retrospective of that public-to-private sector experience that you've had. One of the things that we talked about - Stan mentioned at the opening - is obviously your new book, which came out in the fall of 2021. And I think it's great, the aspect that you've taken, the emphasis around communication, and communication at the CISO level, that translation of some of the kind of, you know, business reality of what you're trying to actually help enable, you know. So, as you look at, think back, through some of the particular kind of areas within your book that you'd like to share, at least highlight, I'd say for our discussion, you know, what would you share with the audience? Some kind of elements that you really emphasize within your book as some areas that they should consider?
Jeff Brown 19:05
Yeah, you know, and it's, like I said, when I wrote this book, I really thought about what was the one thing that I could give back to the community that would be different from a lot of other CISOs? And having that communications kind of background, as well as the technology side and the, you know, all of the other kind of challenges that come with being a CFO in a bank, or a CFO for a state government, you know, really one of the big problems in our industry, as people who've kind of been raised through technology are now being put in front of the board of directors. You know, there's just so much focus from senior management, CEOs, CIOs, you know, really, we've moved out of the, you know, end of the data centers and into the boardroom, right. So, a lot of people struggle with that challenge. But if you think about CISOs, as well, this is one of the very few jobs in a company where you need to communicate to every single employee, right. Like, if you're a database administrator, network person, I mean, you're not doing that. Maybe HR and a few others, the CEO, but I mean, like, you know, your job has to impact every single employee, whether it's from training and awareness, whether it's, you know, from incidents, or any number of different things. And really, the way the book is organized is, I give you just enough, kind of foundational skills and foundational things. I didn't want to write a textbook on communication. It's like, who wants to read that?! What I wanted to do was really give people practical skills that they could take back to their jobs. And I think a few of the things I would love people to just take away from it, is that communication is probably harder than you think it is. Good communication was probably planned that way from the start. Meeting people, like, at least jotted down some notes or did some rehearsals. And that, you know, really getting it right is really critical.
I mean, I've seen a few CISOs in the industry who, they just couldn't cut it in front of the board of directors and that was sort of the end of the line then. You know, at this point, now you have to be able to, you know, like - let's take an example. Because in the second half of the book, I move into really like, okay, how do I apply this? You know, take incident response as an example. Like, that's a really high stakes communication kind of situation to be in, like something's happened in your company. There's a lot of stakeholders who are going to be looking for information. And the one key thing that I really drive home about incident response is, you know what you know, right now, and a lot of it's gonna change, so like, the more you start communicating that stuff, the more you may have to go back and make some changes. And yet at the same time, people are demanding updates, right, like what's going on with this? And you know, it's tempting in some cases, for people to just start speculating or you know, things like that. And you can't do that. Because you have to really work with the facts and the facts are going to change. So really, working with everybody and setting those expectations early on, it's a really challenging set of communication skills that you need. You may need to be doing writing, you'll definitely have to be doing speaking, and worst case, you might be on the news, right? So there's all these different scenarios, you know, and it just, I think it really underscores how challenging the communication aspect of our job has become over time.
Stan Wisseman 22:16
Now, I've been in that situation before, and you're right. It's one of those things where you want to communicate internally, appropriately, without potentially losing credibility as things change. And having that balance of immediate response, but not having to then correct yourself time and time again, thus losing your credibility because you've learned more about the incident. It's a real challenge. Yeah, you're right.
Rob Aragao 22:49
It's true. There was another example, I think, maybe think about - you alluded to the incident response aspect of it. And it was a tabletop exercise several years ago. And it was, you know, a public company, and you're going through the, you know, what's happened? Well, some information is flowing out, and it's externally. So, now to your point, the media outlets are starting to hit you because you're a pretty big, sizable company. How do you communicate with them? And it was the element of ensuring that public relations, your comms people, are part of the exercise, part of understanding what's happening, because they're going to be the ones really massaging what that message looks like, and kind of giving them a little bit of we're dealing with something but not over-communicating or miscommunicating. So critically important. Jeff, thanks for joining us, I really appreciate the aspects of kind of the bridging of the private, public sector aspect of your journey. But also, you know, we commend you on the transformation efforts that you've been going through over the past couple years now. And it sounds like you're on this great journey to be in that first state that truly is very digitally focused, minded, and enabled. So we appreciate your time. And thank you for coming on.
Jeff Brown 24:00
Thank you so much for inviting me.
Rob Aragao 24:02
Thanks, Jeff. Thanks for listening to the Reimagining Cyber podcast. We hope you enjoyed this episode. If you would like to have us cover a specific topic of interest, feel free to reach out to us and you can find out how in the show notes, and don't forget to subscribe. This podcast was brought to you by CyberRes, a Micro Focus line of business, where our mission is to deliver cyber resilience by engaging people, process, and technology to protect, detect, and evolve.