State Government Technology Response to COVID-19
How have government technology organizations responded to the global pandemic? What security actions were implemented in state government to address increasing COVID-19 cyberattacks? Where is this overall situation heading next as states begin to reopen?
To answer these questions and much more, I can think of no better technology and cybersecurity leaders than Craig Orgeron and Jay White — the current CIO and CISO in Mississippi state government.
Dr. Craig Orgeron was selected as the executive director of the Mississippi Department of Information Technology Services (ITS) and the chief information officer of Mississippi in July 2011.
Orgeron has over 29 years of information technology experience in the private sector and the federal and state level of the public sector. Orgeron began his career as a communications-computer systems officer in the United States Air Force. Currently, he serves as the executive director of the Mississippi (ITS) and CIO of Mississippi. In this role, Orgeron provides statewide leadership in the provision of services that facilitate cost-effective information processing and telecommunication solutions for agencies and institutions. He has served as president of the National Association of State Chief Information Officers (NASCIO), served on the Executive Committee of the Multi-State Information Sharing and Analysis Center (MS-ISAC), and has participated in numerous government information technology task forces and committees, such as the Mississippi Broadband Task Force, the Digital Signature Committee, the Electronic Government Task Force, and the Governor’s Commission on Digital Government, which led to the implementation of the enterprise electronic government in Mississippi.
I have known Craig for more than eight years, and I am constantly impressed with his skill and leadership nationwide. I have seen him help numerous other states, and especially CIOs that are new to state government administration.
Mr. Jay White has been with the Mississippi ITS for more than 22 years, and he became the Mississippi CISO in 2012. He is a respected cybersecurity leader nationwide within the MS-ISAC and NASCIO, and I highlighted Jay and other state and local CISOs two years ago in his role as a leader in the MS-ISAC’s CISO mentoring program.
Jay is one of the most humble cybersecurity experts I know. If you ever talk to Jay in person, don’t let his quiet demeanor and kind, Southern manners fool you into thinking he is not smart. He is wise beyond his years and very thoughtful with his answers.
I previously interviewed Orgeron and White more than six years ago when I first started a series on top state government leaders as CIO/CISO team profiles. As far as I am aware, they are the longest serving CIO / CISO team serving in state government in the nation. What I have no doubt about is that their leadership, knowledge and technical abilities are at the top of the scale in the “world-class” category and both men are worth watching and imitating regarding state government administration and responding to incidents and emergencies.
Interview Between Craig Orgeron and Dan Lohrmann
Dan Lohrmann (DL): How has your Mississippi government’s technology organization been asked to step up and provide services during the COVID-19 emergency?
Craig Orgeron (CO): Our focus as a service organization has been to provide technology support for our agencies on the front line of the COVID-19 pandemic. While technology increasingly has taken center stage in the public sector as states implement leading-edge and emerging digital solutions, IT is ultimately still an enabler of service delivery for our citizens. Many believe that there is the prospect of waves in the progression of the pandemic, with a potential second wave arriving in the fall. Our response in the initial wave has been primarily driven by the declaration of emergency by our governor in mid-March creating an immediate and intense demand for the government workforce to telework, a challenged shared by many of our colleagues in other states. To that end, in the near term of the pandemic, our team worked to provide remote workstation capability, deployment and security. In a matter of days, much of our efforts in support of front-line agencies was in fortifying traditional telephone and teleconferencing services, scaling to allow for significant call volume surges for unemployment claims and providing call center support. In many instances, the technical platforms utilized to achieve these scaling demands stabilized within a short time.
DL: What have been the results so far? Any notable successes you can share?
CO: Results have been good. Mississippi was in the process of migrating from a hosted VPN solution to an enterprise managed solution when Executive Order 1458 was issued by Gov. Tate Reeves. Our team increased the volume of VPN migrations while responding to a significant surge in new requests as most state employees transitioned to remote work. Our telecommunications team assisted agencies in setting up Avaya One-X Communicator and Avaya EC 500 to enable the ability to send and receive calls utilizing office numbers while working remotely, as well as created nearly 1,000 Zoom accounts working with our Emergency Management Agency, State Department of Health, and the Office of the Governor. Additionally, our e-government team deployed the website www.coronavirus.ms.gov providing Mississippi citizens with a central site that would direct them to the appropriate resources, and updated MISSI, our chatbot on www.ms.gov with information related to COVID-19.
DL: What have been the biggest obstacles in providing information technology services during the pandemic? How have you addressed these problems?
CO: To be honest, this is a work in progress. The challenge is not just in provisioning IT services to enable remote work, it is managing the team of remote workers providing the tools for that work. Government, except in certain pockets, is a traditional industry. State employees in Mississippi, as elsewhere, work in a traditional office setting. I wouldn’t call the management of a remote workforce an obstacle, as much as a new — and very sudden — challenge. Communication is never easy but can be strained even more if teams never meet in person. To continue to foster trust and collaboration our executive team holds a Zoom meeting daily, walking through the issues of the day. Similarly, we gravitated to Microsoft Teams, setting it as a standard inside our organization for chatting, posting information, and document sharing. Despite the challenges, I believe virtual teams are here to stay in government.
DL: Do you see telework (that is working from home) continuing over the next few months? How about into 2021? Will we ever go back to the way things were before the pandemic regarding telework?
CO: Yes, I see remote work continuing into the summer to accommodate social distancing guidelines related to COVID-19. And, in the longer term, I think remote work will grow in acceptance across industries, including public sector. Many workers in Mississippi, and across the country, have taken part in an unprecedented experiment of working remotely. This experiment overcame a tsunami of inertia that existed in normal working conditions, posturing our ability to adapt and change as something imminently doable. That is hard to reverse. Of course, challenges exist. And while remote work has been shown to both increase productivity and lower attrition, often remote workers can feel alienated or disconnected when compared to onsite employees. The management of remote workers on virtual team will require the establishment of clear goals, facilitating productive meetings, and providing effective communication. On a personal note, I have never held a job in my professional career that allowed for extensive remote work. My own experience was marked by spending less time on the road, getting the commute time back. And while establishing a routine took time, I did feel more productive on given days and was able to find more time for fitness.
DL: Moving forward, has the pandemic changed your project priorities for Mississippi government? If yes, how?
CO: For the most part, our overarching strategic focus remains intact. The most pressing unknown in our state is the full magnitude the pandemic and shelter orders will have on the budget. Our budget for FY21 is not yet set, nor is a complete view of the potential impact to the budget in the current fiscal year.
Interview Between Jay White and Dan Lohrmann
Dan Lohrmann (DL): When your team first got the word that staff would need to work from home, how did the security team respond? What (high-level) steps did you take?
Jay White (JW): Just as it was for most of the country, the reality of being in a situation where staff would be required to work from home came to us quickly. In February, our team began the technical implementation of a project that was initiated in late 2018. To advance the enterprise approach to cybersecurity, the State initiated a project to implement a centrally managed enterprise VPN remote access solution that would increase the security posture of the Enterprise State Network and improve the risk profile of all participating agencies. Because remote access is obviously critical to a work from home scenario, this presented a unique challenge for our team.
While we also had to consider other cybersecurity concerns, just like other public- and private-sector entities during this unprecedented time, we also had to develop a plan for facilitating a smooth transition from a legacy VPN remote access design to the new enterprise solution. Because many IT professionals have more experience working remotely to support IT systems, our major concern was the complexity of supporting the end-user transition to a new solution without the convenience of hands-on assistance. After working through some of the logistical complexities, I am happy to report the migration project is moving along with success.
DL: How has the cybersecurity team’s response evolved during this emergency regarding people, process and technology? Do you see these activities continuing?
JW: The cybersecurity team was able to quickly transition to a remote work setting for performing existing functions in a similar fashion as prior to the COVID pandemic. However, we have been tasked with addressing cybersecurity solutions to accommodate new requirements and strategies for conducting state government business. For example, the need for greater access to Internet resources while connected via the VPN solution was communicated by state agencies almost immediately. This required our team to implement a unified threat protection tool specifically related to Internet access for VPN users. We had planned to tackle this project later in 2020, but we had to modify our plans and address it much sooner than expected. Now that it is implemented, it will become part of our enterprise cybersecurity portfolio of services.
DL: Do you feel that teleworking is (at least for the most part) being done securely both in your government and (in general) nationwide in the public and private sectors? What problems/tips should readers be aware of?
JW: I believe we can look at the security of teleworking and draw some of the same conclusions as we would with most other cybersecurity topics. While some are more secure than others, I believe all organizations have a subset of security concerns that can and should be improved upon. The security around teleworking is no different. While I believe that many organizations are implementing best practices for securing telework scenarios, they all have weaknesses in one area or another that require continuous review and consideration. As it is often said, security is a journey, not a project.
While organizations must implement solutions to protect its data and IT resources, security awareness training plays a significant role in improving the security posture for teleworking. Employee awareness training that provides users the information they need to increase the security posture of their telework environment is pivotal to the security health of the organization. As the telework footprint for an organization increases, the importance of an evolving security awareness training program also increases.
Employees must remember that the security of the organization is a shared responsibility and that they have the same obligation for protecting data and IT resources regardless of their work location. Employees should never be afraid to ask questions if they have concerns about the security of their home office.
DL: Moving forward, what are your top cybersecurity priorities for the rest of 2020 and heading into 2021?
JW: We have several initiatives underway for implementing new enterprise technology solutions designed to reduce the cyber-risk profile for our enterprise state network. As cloud computing gains traction within our state, we continue to work on an enterprise security architecture for facilitating a smooth transition for those services and applications that are destined for the cloud environment. The governor also recently signed an executive order establishing a task force with the goal of identifying cybersecurity weaknesses, developing recommendations for improving the state’s security posture, and creating requirements for ongoing cybersecurity awareness training. Cybersecurity improvement continues to be a priority for the state.
DL: Anything else you want to share?
JW: Trying to divert some of my attention away from the current pandemic, I have been watching (like many Americans) the new documentary about Michael Jordan and the Chicago Bulls. Watching the highlights from the documentary, it is easy to understand why many believe that Jordan is the best basketball player that has ever lived (In full transparency, I am a Larry Bird fan). Before Jordan was dunking from the free throw line, consistently knocking down 18-foot jump shots, or winning multiple NBA championships, he had to master the fundamentals of basketball.
I believe it is safe to say that Jordan would not have been able to overcome the challenges he faced during his career without a strong commitment to the basics. It is important to remember that the best way organizations can be prepared for the next big cybersecurity challenge is to ensure that proper focus has been placed on addressing the fundamental strategies for protecting their data and IT resources.
On a final note, I would like to thank all of the health-care workers that are on the front lines of battling the novel coronavirus disease (COVID-19).
DL: I want to thank Mississippi CIO Craig Orgeron and CISO Jay White for providing us all a glimpse into life in state government technology and security response to the COVID-19 pandemic. I know that your efforts are making an incredible difference for your state, and your model is extremely helpful to CIOs and CISOs globally.
