Missouri CISO Michael Roling Leaves a Legacy of Excellence in Government Cybersecurity Leadership

Michael Roling’s last day in Missouri government will be Sept. 28, 2018. He is leaving for another private-sector position as the “lead technical project manager at a company that has several SaaS offerings.”

Coverage of his announcement has been widespread with related articles in Government Technology magazine and other publications. Over the past few years, I have highlighted Mike’s national cybersecurity leadership role on several occasions, such as in 2015 and in early 2017. Nevertheless, more coverage that highlights Mike’s remarkable Missouri accomplishments and his influence in state and local government circles is needed, in my opinion.

I am a big believer in positive tech leadership role models and pointing to security leaders who are making a positive impact every day. Public- and private-sector technology and security leaders around the world can learn from the way Mike and his team implemented enterprise protections against cyberattacks in Missouri.  

Mike Roling has won many security awards, and was twice a finalist for the prestigious SC Magazine CSO of the Year — which includes both public- and private-sector CSOs. Mike’s LinkedIn profile shows an impressive 36 projects, 25 publications and eight honors and awards during his time as the chief information security officer (CISO) in Missouri. He helped Missouri receive an “A” in the Digital States Survey 2016, was named to the list of a GovTech Top 25 Doers, Dreamers and Drivers and also was given a CSO magazine CS050 Award in 2017.

What his profile won’t tell you is that he is truly a humble, team-focused cyberpro who not only cares about his staff, his gov tech colleagues, his business customers and the residents of Missouri, but also implements strategic and tactical plans in cutting-edge, measurable ways. Mike is a passionate public servant who goes the extra mile to deliver gov tech results. He strives for excellence and getting the right solutions implemented and maintained.

As a peer CSO in Michigan government, I met Mike in 2011 at MS-ISAC events. I was immediately impressed, and even after I left Michigan government in 2014, we would talk numerous times a year on what they were doing in Missouri. We met for breakfasts at several RSA Conferences in San Francisco, and we talked over meals at NASCIO conferences and other events.

Mike speaks quietly, and chooses his words carefully. He “knows his stuff” when it comes to cybersecurity protections, but also has a strong strategic mindset regarding the big picture in state government technology problems and programs. He survived the transitions to new CIO managers on several occasions, and he remained well-liked and respected by his team, peers and management — which is not easy to do in government.

To get a sense of Mike’s personality, here is one of his YouTube interviews on competing with the private sector for talent:

  

Simply stated, Michael Roling has set the standard for what a top-level government CISO looks like for several years. Along with Agnes Kirk and Elayne Starkey, two top-notch women CISOs who recently retired from Washington state government and Delaware government, respectively, Mike’s departure will leave a void in state government cybersecurity leadership at a national level within groups like the MS-ISAC. 

Exclusive Interview with Missouri CISO Michael Roling, as He Prepares to Move to the Private Sector

Dan Lohrmann (DL): You’ve been in Missouri government since 2003, what are some of your best memories?

Michael Roling (MR): Lots of great memories have been made over the last 15 years in state government. Looking back at them, the top memories involved working closely with my team and my peers under difficult situations. Multiple times during my tenure as CISO, state government was under siege by various threat actors. While these were strenuous times, strong teamwork combined with a little grit and ingenuity got us through them. My team and the rest of the Information Technology Services Division (ITSD) are what kept me here for so long.

DL: What was the hardest part of transition to the CISO role? Why?

MR: Understanding scope and governance are the most difficult pieces for a new CISO to grasp, especially in a large enterprise environment. It takes time to understand all of the moving parts in government, how they interact with each other, and at what level controls can be implemented. Also, CISOs can no longer work in the IT bubble. CISOs need to know where the business side is headed and see eye-to-eye on various topics relating to security and privacy.

DL: How has your CISO role evolved? What challenges did you face and overcome?

MR: My role as CISO has definitely evolved over the last nine years. Communicating organizational risk was a difficult task early on because it was a challenge to calculate and there was the perception that security exclusively fell on a small team in a dark corner of IT. I was able to change this perception early on in my tenure with help from my leadership. Today, I can comfortably say that cabinet members and administrative assistants alike know their role in keeping Missouri’s data safe. In the early days, we had no budget and only five people. Our capabilities were quite limited as a result. We overcame these challenges by gaining support from the Governor’s Office and the Legislature through the use of effective communication. Currently we have 20 staff members on the security team and a $9 million budget.

DL: As you built your team, there were obviously staff members coming and going. You also worked for different leaders (CIOs and governors). How did you approach those changes?

MR: I approached each change as a new, positive opportunity to educate the future leadership of state government. Over the years, we learned some tactics from NASCIO and other states on how to educate incoming leadership. Keeping an up-to-date overview of who’s attacking us, what’s at stake, and how we’re presently safeguarding government has been key in quickly on-boarding leadership. Quantitative metrics used to convey effectiveness are important but only if they’re understandable. We have changed from reporting large figures (attacks blocked) to low or 0 figures (successful attacks). Reporting that we block 100 million unwanted connections a day sounds impressive. But should it be 200 million? Or 50 million? To simplify how we convey ROI and overall performance, we report in a similar tone to how a factory safety division reports injuries: 0 incidents since …

DL: I know it is dangerous to name just a few, but any people or organizations in particular that you want to mention? 

MR: I would like to give a big thanks to MS-ISAC and NASCIO for their support over the years. They have been tremendous resources for us. While they may not want to be known for it, continuity in the face of drastic change is the biggest service both of them provide to state IT leadership. I would also like to thank you, Dan, for your support to me and other fellow CISOs throughout the years. You have been an invaluable mentor and have left a significant positive mark within state government; not just in Michigan but throughout the states.

DL: What are you most proud of during your time as CISO?

MR: I am most proud of assembling the team of outstanding security professionals that come together every day to carry out the Missouri Office of Cyber Security’s mission. They are some of the most dedicated and driven individuals that I have ever met.  We have deployed numerous successful technologies and processes over the years but none of them would have taken off without them.  I am also proud of the culture shift that has taken place during my tenure. Non-IT state employees realize now that they play a tremendous role in protecting state data.           

DL: What significant challenges are left for your security team when you are gone?

MR: I have 100 percent confidence in Stephen Meyer, the announced interim CISO. He has been a part of my team since the beginning, and I have known him for well over a decade. Missouri’s team will continue to have success with him. With that said, the team will have to evolve and adapt to the ever-changing threat landscape and develop new strategies to mitigate risk. I thoroughly enjoyed that component of being CISO and know that Steve will pick up right where I left off.

DL: As you think back over the last few years and look to the future, how do you see the role of state CISOs (and wider security and technology teams) changing? What may be significantly different in three to five years?

MR: CISOs will be more involved in human safety in the next three to five years. We’re on the verge of everything being software controlled and interconnected, for better or for worse. The convergence of OT and IT will be quite interesting to watch as OT tends to demand 100 percent uptime versus IT’s demands of patching and securing. I also think CISOs will shift to being security brokers as many solutions today are fully managed SaaS offerings. This shift should be embraced as it will allow CISOs and their teams to focus more on the big picture than on the nuts and bolts.

DL: Is there anything else you would like to say?

MR: Our growth and success have been dependent on an already-strong IT organization (ITSD) and executive leadership willing to invest in the necessary resources. The Governor’s Office, the Office of Administration’s Commissioner, and our Legislature over the years have supported us fully. If there’s a “not so secret” secret about state government IT security, it is having a strong IT foundation with unwavering support from the top.

DL: I want to thank you Mike and thank your team and the wider Missouri leadership for your outstanding example of what it means to be a leader in cybersecurity in 2018. You have demonstrated professional excellence in a rare, ongoing manner over the years. I certainly wish you all the best as you move on, and I also wish the best of success to your Missouri cyberteam as we head into 2019.  

Final Thoughts

We are entering a new phase in cybersecurity leadership in state governments — all over the nation. Not surprisingly, Mike Roling and other top state and local government CISOs are being offered roles in the private sector with very attractive packages, sometimes including stock. In addition, the new elections this November will likely bring many new CIOs and CISOs to state and local governments across the nation.

For more than six years, Mike Roling learned the business of government before he became a CISO, and he adapted to changes once in the leadership role. Many new CISOs do not have this public-sector background, making their job harder to achieve success. Mike showed what patience and perseverance can achieve when combined with excellence in a government career.

As new CISOs are appointed, they would do well to follow Mike’s example and his approach to security management. He was a rare cyberleader who maintained great relationships in multiple directions (with staff, peers, management, customers and vendors.)    

Michael Roling will be missed in Missouri government and around the country in public-sector CISO circles, but his (primary) legacy, which is the team he led, will live on to achieve even more. In addition, the technology, cyberdefenses integrated and processes achieved will protect the people of Missouri in the decade ahead.