Kurt Huhn discusses the role of CISO in the Ocean State
A strategy focused on widespread training and education leads to progress against one of the state's biggest threats, says the Rhode Island CISO.
Rhode Island is the smallest state in terms of land area, but it is the second most densely populated, after New Jersey. With a population of 1,022 people per square mile, it is home to a complex mix of government agencies, defense contractors and businesses. The state's cybersecurity challenges are substantial. Kurt Huhn, in the role of CISO for the state of Rhode Island since December 2013, has brought his private sector skills to the problem in recent years.
When Huhn started his technology career in the 1990s as a "hot-headed 20-something who had just figured out that people would actually pay me to play with computers," he relocated to Silicon Valley to find the best opportunities. It was a time when everyone in IT was expected to be a generalist and security was not yet a specialty.
Huhn didn't narrow his focus to cybersecurity until he took a job in IT at a small East Coast bank. That's where the transition began, and the computer skills he began to acquire on an Apple IIe as a 14-year-old got stretched in a new direction. After working as a senior systems engineer and IT manager at several banks, he became a member of the enterprise infrastructure team for the state of Rhode Island in 2009 and quickly advanced to the role of CISO. Today, when he's not keeping the Ocean State cybersafe, Huhn actively pursues two hobbies: handcrafting knives and creating pipes for smoking tobacco (though he says he gave up smoking several years ago).
How did you end up transitioning to cybersecurity?
Kurt Huhn: I went to work in the financial industry as an IT manager for Randolph Savings Bank in Randolph, Massachusetts. They had just had an FDIC [Federal Deposit Insurance Corp.] audit, and on the cybersecurity side, it wasn't pretty. The FDIC looks at business issues -- for example, cash on hand and how your mortgage organization is conducted -- and they also want to make sure your security is okay. I was able to articulate some of the IT security challenges the bank was experiencing. Then, working with third parties, we got everything straightened up by the time the FDIC came around again. We went from having several critical high- and medium-severity issues to just a few low-priority issues.
I see that Rhode Island recently named its first state "cybersecurity officer," Mike Steinmetz. Do your roles intersect?
Huhn: Steinmetz has more of a cabinet-level role, so he deals with more esoteric aspects of policy. My role of CISO is more operational, making sure systems are running and keeping the bad guys at bay. He also has responsibilities relative to Homeland Security and antiterrorism, though our paths do cross a bit due to the nature of my role of CISO. It's easy for me to interface with the FBI and Homeland Security and our Rhode Island State and Urban Area Fusion Centers, like Providence, which share threat-related information between federal, state, local and private-sector partners. We, in turn, have provided some valuable information to the Fusion Centers that, we are told, resulted in a response being taken against individuals in the Middle East.
Have the recently enacted Rhode Island privacy statutes had an impact on state operations?
Huhn: The new laws, such as the Rhode Island Identity Theft Protection Act of 2015, are mostly externally focused. However, the act requires that all new systems have a risk assessment. That gave me pause because it requires a lot of effort. With a risk-based approach, you have to follow the NIST cybersecurity framework and other associated guidelines such as NIST [Special Publication] 800-153, "Guidelines for Securing Wireless Local Area Networks." So you need someone really versed in those things, and everyone on the development team has to be properly prepared. It is a big undertaking; so far, it is working out well. There's a lot of documentation that had to happen, but it is something that should have happened anyway.
What steps are you taking to strengthen your cybersecurity?
Huhn: We do training for our people when we can afford to send them. More often, I get my people out to conferences where they can interface with other subject matter experts. Most of the talks are very tech-based, geared toward engineering and analysts. That helps them with new tools and getting a broader understanding of the threat and the risks; that is what is easiest for us. We also get feeds from Information Sharing and Analysis Centers and U.S.-CERT [U.S. Computer Emergency Readiness Team] and others to help us keep on top of things.
To get more formal training from Sylvan and New Horizons is usually expensive, and there is not a huge appetite for spending these days.
What is the biggest threat?
Huhn: The biggest right now is phishing attacks. That is where training comes in, and thanks to Mike Steinmetz, we have enterprise-wide training programs for users. That is helping, because we find our customers are actually reading messages that come to them and forwarding more things to us that look suspicious. We have been hit mostly by those trying to skim Office 365 credentials. One of the lessons learned is that because Office 365 is PowerShell-based, we can fire up PowerShell sessions and easily review a suspicious login in the reports.
What are you doing beyond training?
Huhn: We use a multilayer approach to defense, engaging with different vendors. We really have four layers of security that you have to traverse to enter into our network, even by VPN. Our chief technology officer and I are of the same mind about this. There are plenty of vendors selling "next generation" things that claim to address everything; but you may find out later they have had problems and have gone out of business or moved into a different area of focus. We don't want to be dependent on vendors that can just disappear. In that situation, no matter how capable the vendor is, you're sunk. However, if you separate what you are doing into layers and implement each with a different vendor, if one of them goes away, it isn't such a big deal; we can crank up the service with another vendor. There is also the fact that some vendors will be quicker on the draw than others, so you might have one that is quicker on heuristic scanning or virus definitions. So, theoretically, it behooves you to get some diversity so you can best provide countermeasures, whether they're coming in the front door or the back door.
I saw you quoted in a publication of the National Association of State Chief Information Officers (NASCIO). What groups do you find helpful?
Huhn: Our CIO [Bijay Kumar] is a very active member of NASCIO; he goes to their conferences. They also have a CISO subgroup, and I get their communications.
Within Rhode Island, there is a joint cyberterrorism task force conducted by the State Police Computer Crimes Unit. I have sent some people to their training events, along with the people in our networking group, and they participated in red team versus blue team activities -- attacking and implementing countermeasures. They learned a lot.
In such a geographically compact area, do you end up working cooperatively with neighboring states?
Huhn: On an irregular basis … the option is available within the Joint Cyber Task Force. For example, Connecticut is within that group, and it isn't just government but also major players in the private sector like Citizens Bank, Santander [Bank], CVS and National Grid. They all bring a perspective, and a lot of it proves useful. There are also mailing lists through which people can post information or request information. Sometimes, once we get to know our counterparts, we go to them directly.
Are there any aspects of your hobbies -- pipe making and knife making -- that have applied to your cybersecurity work in the role of CISO?
Huhn: The attention to detail comes to mind. The difference between doing something and doing it so well that other folks notice it is being able to create something or engineer something that works right every time. To do that, you have to have a mind for the details. Anybody can take something to an 80% level, but the last 20% takes the most effort and the best understanding. Great engineers and architects are craftsmen. Creating great knives and pipes involves something other than just the need to have artistic merit; they also need to be very functional. Taking that approach with a customer means understanding what kind of pipe or knife they want and finding an ideal solution. It is similar with IT security challenges. You have to find out about the customer's business needs and translate that into a technical solution that works.