It cost neighboring San Bernardino County $1.1 million to resolve a ransomware attack on its sheriff's department earlier this year. Jeff Aguilar, the chief information security officer for neighboring Los Angeles County, hopes to prevent a similar fate in any of the 38 county departments he's charged with protecting.
Aguilar, who has held high-level security posts in LA County since 2018 and became its CISO last year, is keenly aware of the growing vulnerability of federal, state, and municipal agencies: cyberattacks targeting the public sector spiked 40% in the second quarter of 2023 over the same period the previous year. And although LA County has so far avoided a major incident, Aguilar knows that maintaining that record will require diligence, resolve, and, crucially, constant communication and coordination with industry peers as well as with the county employees under his watch.
This helps with his own department's benchmarking efforts, to be sure. And more than that.
In fact, unlike many CISOs, he's a strong believer in sharing useful insights that can help other state and local government agencies counter threats. This willingness to hear and share varied viewpoints is perhaps born of his own varied resume, which includes stints in government, healthcare, financial services, and transportation.
Focal Point caught up with Aguilar to learn more about his collaborative approach and what makes him one of the nation's top governmental cybersecurity chiefs.
(The following interview has been edited for clarity and length.)
At first glance, LA County's reporting structure – who reports to whom – seems, well, fairly complex.
We have a federated model: I report to the county CIO. Each department acts as an independent business and has its own department CIO and information security officer. Their job is to enact the cybersecurity policies and strategy my group sets forth at a board level.
I have two deputies reporting to me and I'm hiring two more. We organize the county into clusters (for operational purposes), with each cluster representing a specific area of our business. So, for example, healthcare is one line of business and law enforcement is another. My deputies will cover different clusters depending on their skill sets and the needs of the clusters. We establish the cybersecurity guardrails from a high-level perspective, and departments work within those.
Both the LA Unified School District and LA Housing Authority recently suffered data breaches. When you see these things so close to home, does it raise alarm bells for you?
Yes, any organization with sensitive data is a potential target.
I speak to a lot of state and local municipal CISOs. We're constantly sharing lessons learned and asking, "What's worked, what hasn't, and what can I emulate so I don't have to reinvent the wheel?" I think that's one of the things that, maybe, LA County does differently than other government agencies. We're pushing collaboration in government. There's transparency.
Obviously, I don't want to get into the weeds with what specifically we're doing. But we're constantly having great discussions, especially around strategy and incident response, from a regional perspective.
You oversee cybersecurity policy for departments with more than 100,000 employees. All it takes is one of those departments to go rogue for good planning to go sideways. How do you ensure compliance?
Yes, it's a challenge. Fortunately for us, we're constantly under internal audit. I know a lot of people don't view audits as adding value. But I do, because you only know what you know, and audits are a great way to ensure compliance and identify gaps.
So, our department doing these audits runs through somewhat of a checklist. They're looking for compliance against internal board policy. We have technology directives and standards. Each department is reviewed and must then be validated against those policies and directives. This is ongoing. Every department gets hit with it multiple times per year.
And then, every now and then, we'll also see a federal audit.
With our internal audits, I'll often point to where I think gaps might exist and let them see what they can find. After their report comes in, we'll typically create an improvement plan. That moves up the organization's leadership chain for awareness purposes. This way, we know we're getting the right attention to resolve whatever the issues might be.
With that many county employees, you must have your hands full.
For sure. One of the fundamental security principles is that the person – the employee – is always the weakest link.
Organizations dump millions of dollars into a control environment, and it can all be circumvented by a single errant click. So, we've been extremely aggressive with awareness training down to each individual line of business – because the way business is done from one department to the next might be completely different.
For National Cybersecurity Awareness Month, we're speaking to employees, and bringing in vendors and industry leaders to share lessons learned as well as security Dos and Don'ts. And I think we've gotten better at telling the story.
We're getting end users to care about these mis-clicks by creating an emotional response that goes beyond the county environment. They can take what they learn home and apply it in their personal lives.
We've got the holiday shopping season coming up, for example, and there will be a whole uptick in phishing attempts that purport to come from, say, Amazon Marketplace, eBay, the IRS, or whatever, that they'll need to watch out for. People see these things and have an emotional response and might just click without thinking. We've really ramped up our program to help educate them on such things, both at work and at home.
How do you know if your awareness training is effective?
We conduct constant drilling. We do tabletops. I have click rates for every department and a roll-up at a county level. I'm able to trend that year after year, and we adjust the training where it makes sense. We don't do cookie-cutter training that's the same every year. We adjust it to hotspots in the industry and hotspots in the county.
So, for example, our phishing campaigns are a little different right now than they were, because we're coming into a major election next year. We're warning employees about phishing emails with messages meant to get them going, like, "Your party affiliation has changed; click this link if you didn't intend for this to happen."
We're always watching regional and geopolitical issues and periodically adjust our training accordingly.
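Aguilar describes measuring training effectiveness by per-department click rates from phishing simulations, a county-level roll-up, and a year-over-year trend. The script below is an added example of that measurement, not code from LA County or from the article; the department names and campaign numbers are constructed, and the 10% "hotspot" threshold is an assumption. It aggregates raw sent/clicked counts before dividing, so the county roll-up is weighted by department size rather than a plain average of department rates, and it reports the trend in percentage points.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CampaignResult:
    """One phishing-simulation campaign for one department in one year."""
    department: str
    year: int
    sent: int      # simulated phishing messages delivered
    clicked: int   # recipients who clicked the lure link


# Constructed sample data: hypothetical departments and numbers, not LA County figures.
SAMPLE_RESULTS = [
    CampaignResult("Health Services", 2022, 1000, 140),
    CampaignResult("Sheriff", 2022, 500, 50),
    CampaignResult("Public Works", 2022, 250, 20),
    CampaignResult("Health Services", 2023, 600, 48),  # Q1 campaign, generic lure
    CampaignResult("Health Services", 2023, 400, 32),  # Q4 campaign, holiday-shopping lure
    CampaignResult("Sheriff", 2023, 500, 50),
    CampaignResult("Public Works", 2023, 250, 10),
]


def _totals(results, year):
    """Sum sent/clicked per department for one year (counts, not rates, so campaigns weight correctly)."""
    totals = defaultdict(lambda: [0, 0])
    for r in results:
        if r.year == year:
            totals[r.department][0] += r.sent
            totals[r.department][1] += r.clicked
    return totals


def department_click_rates(results, year):
    """Click rate per department for the given year, as a fraction rounded to 4 places."""
    return {dept: round(clicked / sent, 4)
            for dept, (sent, clicked) in _totals(results, year).items()}


def county_click_rate(results, year):
    """County-level roll-up: total clicks over total sent, i.e. weighted by department size."""
    totals = _totals(results, year)
    sent = sum(s for s, _ in totals.values())
    clicked = sum(c for _, c in totals.values())
    return round(clicked / sent, 4) if sent else 0.0


def year_over_year(results, prev_year, year):
    """Change in click rate from prev_year to year, in percentage points, per department and county-wide."""
    prev = department_click_rates(results, prev_year)
    cur = department_click_rates(results, year)
    trend = {dept: round((cur[dept] - prev[dept]) * 100, 2) for dept in cur if dept in prev}
    trend["COUNTY"] = round((county_click_rate(results, year)
                             - county_click_rate(results, prev_year)) * 100, 2)
    return trend


def hotspots(results, year, threshold=0.10):
    """Departments at or above the threshold: candidates for tailored rather than cookie-cutter training."""
    return sorted(d for d, rate in department_click_rates(results, year).items() if rate >= threshold)


if __name__ == "__main__":
    for year in (2022, 2023):
        print(year, department_click_rates(SAMPLE_RESULTS, year),
              "county:", county_click_rate(SAMPLE_RESULTS, year))
    print("trend 2022->2023 (pp):", year_over_year(SAMPLE_RESULTS, 2022, 2023))
    print("hotspots 2023:", hotspots(SAMPLE_RESULTS, 2023))
```

In the constructed data the county rate falls from 12% to 8%, but the Sheriff department is flat at 10% and stays above the threshold, which is the kind of per-department signal that would justify adjusting its training rather than the county-wide program.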
Do you do anything like threat hunts to find potential vulnerabilities?
Oh yeah, though we outsource things like that because of the level of expertise it requires. We're trying to build that competency internally. But for us, it makes sense to have trusted partners to help with threat-hunt exercises. Threat hunting is a great tool, and it's not new. But it's probably still fairly new for many government agencies because it involves endpoint management and a specific level of expertise, which can be complex.
I'm a big fan of the MITRE ATT&CK Framework [a reference detailing tactics and techniques commonly used by attackers during network intrusions], and we do a lot of tabletops, based on the threat landscape we see, to identify what might be happening within our region or other jurisdictions.
So again, it all comes back to collaboration. Because if the City of Los Angeles is getting hit with something that might be related to us, it could also be happening in Pasadena, Santa Monica, Burbank, or elsewhere.
Tell us about a hard lesson you've learned in the last year.
Well, fortunately, we haven't had any big incidents. But we're concerned about supply-chain risk management and trying to get better at it.
The SolarWinds hack (where hackers inserted malicious code into commonly used software to breach tens of thousands of government and corporate networks) brought that to light. We're a big county. We have a lot of vendors. So, getting on top of supply chain risk is important for us. We're always asking, "What's our third-party risk? What's the third-party risk across the entire landscape? And how do we validate that vendors are complying with our security requirements?"
To address that, we created something called our Security and Privacy Exhibit, which lays out the county's and contractors' commitments and agreement to fulfill their obligations under applicable state or federal laws, rules, or regulations, as well as applicable industry standards concerning privacy. It gets into everything from audits to incident response, and so on.
We have an addendum for different cloud services, and right now we're rewriting it to also address the use of generative AI, because we're convinced that it's here to stay. In fact, we want to put up guardrails for that now while there's time.
How do you stay ahead of the curve on these new and emerging technologies?
I think most CISOs have the same playbook for that. We talk with one another, and we're listening to what's happening in the industry.
Being CISO for a government organization, I also get a lot of threat briefs from federal partners, including MS-ISAC (the Multi-State Information Sharing and Analysis Center).
There's a lot of useful information that comes out of all that. We also have monthly meetings with the FBI to get a good sense of what's happening from a nation-state threat perspective. And then, there's your own curiosity. Looking into the implications of something like ChatGPT, which is gaining momentum, and looking ahead and thinking about security in a quantum computing world.
Strong leaders have the foresight to look at these out-of-the-box things and consider what's next. They might not be here today, but you have to understand what might happen if they do arrive.
This article was written by David Rand and originally appeared in Focal Point magazine.