Michigan CSO: From DHS to White House to Lansing

Michigan’s top security officer is quick to clarify why his title is chief security officer rather than chief information security officer.

“I think the CSO position tends to be a bit broader to include things like having some of the physical security portfolios, or you may run an insider threat program or things like that,” Chris DeRusha said. “But I also wear the CISO hat, right? So, I tend not to correct people when they call me the CISO.”

Like so many other states Michigan had a change in administrations last fall, and since taking office this year Gov. Gretchen Whitmer has made significant changes in the CIO organizational hierarchy. Previously, the director of the state’s Department of Technology Management and Budget (DTMB) was also the state CIO, a role held by Dave DeVries until he stepped down at the end of last year.

Chris DeRusha, Michigan
Chris DeRusha, Michigan state chief security officer

Now the state is conducting a nationwide search to fill the CIO position, which will report to the DTMB director instead. DeRusha expects that such an appointment may come in the next month or so.

Before coming to Lansing, DeRusha spent almost six years at the Department of Homeland Security and two at the White House. He also spent a year at Ford before accepting the state deputy CSO position.

DeRusha said his Washington experience “really kind of took me into the cybersecurity realm and I chased after it immediately and spent the better part of a decade in Washington, working various positions at Homeland Security and then moving over to the White House to work for the federal CIO at the time, Tony Scott.”

A centralized CSO governance model

Like other states Michigan has centralized its security operations along with budget, procurement and IT within the  (DTMB). DeRusha reports to the state chief information officer, who reports to the department director. There are 21 different state agencies and about 55,000 employees.

“That means that we’re providing cybersecurity and infrastructure protection services to all those agencies as well,” he said.

The governance model including authority and jurisdiction is always a critical issue for a CIO or CSO, and DeRusha recognized the critical role it plays.

“I think we’re fortunate here that again, we have a governor’s office and the director who very much understand the risks and the opportunities in this space.”

Advertisement
To that end Michigan established an executive committee to coordinate the different cyber missions across Michigan State Police, the National Guard, DTMB and other key leaders. There’s also a governing committee of agency security officers which meets monthly, as well as for a quarterly strategy session. While these committees are trying to make decisions on priorities and enterprise decisions together as a group, since it affects each agency directly, DeRusha said that at the end of the day DTMB has the centralized power, meaning he has the authority to make the call.

The state has several key security related initiatives, in particular the Michigan Cyber Civilian Corps. This is an all-volunteer force of people who work at companies in Michigan. Some work for government and some work at the Guard but all are highly trained, instant response and forensics professionals.

“When a local government entity gets overwhelmed with a ransomware attack or something else and needs that help getting back up to operations, we can send in one of these teams and on pretty short notice, we can quickly deploy,” DeRusha said. “And we’ve some really successful engagements with that. And we think it’s a great model.”

New bill could codify federal-local cyber relations

Funding for cybersecurity initiatives is often challenging and that’s part of the reason that recent congressional legislation was part of our discussion. Last week Sens. Gary Peters (D-Mich.), and Rob Portman (R-Ohio) introduced the State and Local Government Cybersecurity Act of 2019 to strengthen cybersecurity coordination with state and local governments. DeRusha explained that every day state and local government networks experience millions of intrusion attempts and such legislation is welcome.

“This is a really good act. It’s bipartisan legislation,” DeRusha said. “What it’s really doing is it’s codifying that cybersecurity relationship between the Department of Homeland Security and the Multi-State Information Sharing and Analysis Center (MS-ISAC).”

MS-ISAC is DHS’ round-the-clock cyber threat monitoring and mitigation center for state and local governments. While this relationship has existed for years, it’s not yet in statute.

“I think that’s really important for down the line as it continues to grow. It’ll be important for ensuring future funding streams,” he said.

While the bill in its current form does not mention funding per se, DeRusha said it paves the way for that in the future.

“And the bill contemplates issuing new grants in different types of cooperative agreements,” he said. “And so if that’s to happen, there obviously needs to be some funding components that will come at a later date.”

In a somewhat related matter I recalled that last summer Bo Reese, CIO from Oklahoma and then-president of National Association of State Chief Information Officers, testified before House Oversight, Intergovernmental Affairs Subcommittee about how federal security regulations that were imposed upon the states were duplicative, complex and often conflicting. In addition, the regulations hindered states from achieving a more effective and efficient IT enterprise and cybersecurity posture.

Obviously NASCIO is much more positive about this new legislation.

“We greatly appreciate the introduction of S. 1846, bipartisan legislation that strives to make serious efforts to strengthen communication and coordination between the Department of Homeland Security and state and local officials to combat cybersecurity threats,” according to Matt Pincus, director of government affairs at NASCIO.

With states allocating only between 1-2% of their total IT budget on cybersecurity, NASCIO commended Peters and Portman for including provisions in the bill to provide additional federal grant opportunities to state, local and tribal governments to safeguard against cyber threats. NASCIO also said that it supports the pilot deployment of enhanced capabilities to state and local governments to identify and filter malicious network traffic, which are currently only available to federal agencies.

Copyright © 2019 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.