Dan Lohrmann | Culture of security

When it comes to security credentials, Dan Lohrmann has some powerful training. He became Michigan's first chief information security officer after a career in IT and security that began at the National Security Agency. He moved to state government in 1997, when he became chief information officer and IT services director for Michigan's Department of Management and Budget. From there, he oversaw the agency's 2001 launch of the Michigan.gov Web portal. He became the state's CISO and director of the office of enterprise security in the Department of IT in May 2002. As CISO, he plays roles in a number of other IT security initiatives, including the Multi-State Information Sharing and Analysis Center. We caught up with Lohrmann to find out how cybersecurity is playing out at both the national and state levels. It was a fantastic way to begin a career. The focus on the culture of security was unique and, I think, very helpful. It was a shock when I first started in state government, which is at the opposite ... extreme.We have been able to change that after 9-11, and people have taken security more seriously. We're never going to be an NSA, and we shouldn't be. But their practices and procedures are world-class, and it provided the basis for my job in Michigan. We had a plan we had just developed and ... tested in a variety of scenarios. We didn't have a scenario that actually matched the blackout, but people did know where to go. I was the emergency management coordinator for [the state's Department of IT], and the governor declared an emergency and launched the State Emergency Operations Center. It was a statewide center where my counterparts from other agencies reported during the emergency. We spent the better part of four 18-hour days there.There were a lot of issues you wouldn't anticipate, like getting water from one side of the state to the other, road permits, food was spoiling and people were having to close restaurants, and supporting the food inspectors was a problem. Our main core data center where our Emergency Operations Center was had a generator backup. Two other major data centers did not have generators. We knew immediately we had to get generators for those facilities. We have been able to get Homeland Security and other funding to get those generators in place. Last February we had a local, weather-related outage in Lansing, and the generators kicked on and we were operational. Had we not had them in place, it would have impacted state government statewide.We did an after-action report, and we have worked the lessons learned, like the importance of keeping the Web up and getting information out quickly. We didn't realize how important our Michigan.gov portal was going to be. We were hosting it out in Boulder, Colo., but we didn't have the facilities locally to get them updated out in Colorado. ... It varies state to state, and on the national level it is a mixed picture. [But] we've been fortunate to have a good relationship with DHS. It started slow, but in the last year or two I've seen a definite improvement. On the personal level, I've been able to establish relationships with people and get the kinds of information we need. ... The groundwork is laid now for information sharing to become much better and more efficient than it has been. Some of the scenarios really surprised us. We were not planning for things like extortion. The behavior of the vendors that they simulated was interesting, and a lot of the things that happened were very much a surprise to us. We learned that some of the basic, simple things are hardest to do, like who are you going to call? You make assumptions about who is going to have the information you need and who is going to be available, and we found they weren't available. So you find yourself in a situation where you have to make decisions in a vacuum. Communications is the biggest problem in an emergency. It's hard to put one down, but I think overall it would be building the team that we have. We have a group of about 30 people in our office of enterprise security that looks at 55,000 state employees. We interact with people at the state, local and federal level, and I know that it's going to outlive me. One sign of success in any manager is if you can make yourself irrelevant. I don't know that I'm irrelevant yet, but it will outlive me.The second one would be working to see a return on our investment in eliminating costs. ... With anti-spam and antivirus products we have put in place, we believe we would show $765,000 cost avoidance per month in spyware and viruses, by not having to go out and visit infected machines. About 70 percent of our inbound e-mail is spam, we blocked more than 6.25 million viruses per month last year, we see about 720,000 external network scans per month and 1.4 million Web-based attacks on our network per month. So by putting the tools in place on an enterprise basis we're providing more protection and not as much response and recovery.LOHRMANN: Continuing to work on the culture, to help people understand how important security is at an individual level. ... Helping people understand the impact of their actions, I think that's the biggest challenge.