“I’m a business man, who speaks nerd” — that is how Rob Collins likes to describe himself.
Collins, who recently left after four years as the chief information security officer at the Social Security Administration, used that dual background to improve how citizens interact with the agency.
Collins, who is now the CISO at AgCo Corporation, said the business or operational efforts must be integrated with the cybersecurity efforts so both sides understand each other’s opportunities and challenges.
“SSA, for the most part, is a huge organization due to the amount of offices and processes that occur every year. But there wasn’t necessarily cyber elements embedded there. It was let’s look at it after the fact or during audits, but I really wanted to have a function that existed there all the time,” Collins said on Ask the CIO. “We now have cyber-trained people that sit with the business and understand the business. They can better shepherd questions or concerns through the appropriate channels because in a lot of times cybersecurity is kind of like a box: You put stuff into it, but you don’t know where it goes or it’s not as transparent as that. I really wanted to open that up, provide more transparency about what it is that we do, and how we do it and have a better, quicker and more efficient impact to the actual mission.”
Over the last few years, Collins set out to hire or retrain two dozen information system security officers (ISSOs) to work directly with the mission areas.
Today, those 24 cyber experts are working closely with the mission areas and creating the type of collaboration that SSA never experienced before.
Collins said many times it’s hard to show a return on investment for cybersecurity people or tools. But with the ISSOs, SSA saw the ROI fairly easily.
“A great thing about ISSOs is that they understand cyber, but they also can speak cyber. SSA has a very good cybersecurity program, but in a lot of cases, audits were being managed or done locally, so the auditor or IG asked questions and there was a little bit that was lost in translation,” Collins said. “This past year, we had our ISSOs help facilitate and collaborate with those auditors. We removed quite a few findings there just, I think, because they were able to speak the same language. When the auditors were asking for evidence of something, it’s like, ‘Hey, I know what you’re asking for and I can get that for you, or I know who I can get that from.’ I think that showed the value of having the ISSOs in the business area right up front because of what they can bring to the table.”
He added that the ISSOs’ ability to collaborate means they can help address security gaps earlier in the development process and mitigate mission risks as they arise.
Cyber retraining for employees
Before SSA hired or retrained the ISSOs, Collins had to do some convincing or educating of the mission side.
“I think it took almost every tool in my toolkit and more [to address the change management challenges]. I learned quite a bit going through it too,” he said. “Security has a well-established bit of cultural inertia, so it was really kind of conveying the need and benefit upfront, and then showing results about the benefit really quickly. I think they were cautiously optimistic, more than I would have guessed, but I still had people saying, ‘This will never do. This isn’t possible.’ Usually when I hear that, I start to salivate because I do feel like I’m an agent of positive change, you’re trying to be, so I like those big, complex, juicy problems and solving them.”
He said recruiting current SSA employees or finding new ones with a specific set of cybersecurity and operational skills was difficult.
“We were able to bring in some really talented folks, both from internal and external sources,” he said. “One of the programs that we created was called Focus, which is basically a reskilling program to be able to reskill some people who may have had COBOL language skills or something like that, which is not as great of a need now, but they’re still technical and great resources. So how do we reskill them potentially into cybersecurity? So that was a big effort in my last year.”
Collins said 24 ISSOs is a good start, but he could see the need to increase the numbers in the coming years.
He said the ISSOs have made such a positive impact that the mission or operations leaders want more of these experts to help out.
Another area SSA made progress on over the last four years is with identity and access management.
Reducing fraud with better ID management
Collins said citizens face an extraordinary number of fraud attempts when it comes to Social Security Administration-related services and to the Social Security number itself.
“When I got there, we had just a large amount of failure rates with the old ‘know your customer’ approach of giving you these questions that are hard for you to answer but easy for the fraudsters to answer with the out-of-wallet questions. We still had failure rates of roughly 50% with 30 million customers,” he said. “Upon leaving, we have much higher success rates. We are in the 70% to 80% range now, with roughly 60 to 70 million customers. It really is opening up the capability for customers to engage the agency on multiple different platforms, which hasn’t been seen before. It’s really tied in, I think, to the successes that we had with responding to the pandemic because we were forward thinking on that and modernized that aspect of identity management.”
Out-of-wallet questions, a form of knowledge-based authentication, are designed so that, if someone loses their wallet, the person who has it couldn’t easily steal their identity: the answers are not on any card the wallet contains. But they also are difficult for legitimate customers to remember, such as the exact amount of your last mortgage payment or the address you lived at five years ago.
Collins said these types of questions aren’t as difficult for fraudsters, who combine data stolen from dozens of sources, including breached records, to piece together an identity and answer the questions correctly.
“We changed that to provide more secure proofing. We have more tool sets with really smart people that are evaluating, so knowing what device you’re using, when you are attempting to make an account, what information we use to verify your identity, like your driver’s license, things like that. It’s just different data points, and using that in real time to make informed decisions about whether you are who you say you are when you come to create an account,” he said. “We have worked with different companies that do some of that identity proofing — that specialize in that identity proofing-type stuff where you scan your driver’s license, and then that is verified through back ends through the different state department of motor vehicles divisions. We collaborated with the Post Office and said, ‘Hey, can we work with you all on figuring out how we can do identity proofing in person at your different Post Offices? You have such a great footprint across the United States.’ It really was leveraging multiple entities that we know are doing things in some type of correct way so that we can increase our user base faster and with better results.”
Collins said he would like to stay involved in the federal sector as much as his new position will allow. He said he looks forward to sharing more ideas with the broader cybersecurity community.