Lester Godsey – Chief Information Security and Privacy Officer for Maricopa County
Lester Godsey is the Chief Information Security and Privacy Officer for Maricopa County in Arizona, which is the 4th largest and fastest growing county in the United States.
He is a technology and cybersecurity professional with over 25 years of higher education and local government experience. He started his technology career at Arizona State University while completing his BA in Music, and worked there for 10 years with increasing levels of responsibility, including web and system security, while also completing his MS in Technology.
From there he built the IT department for the Town of Queen Creek in Arizona, where he was the first full-time technology employee. Over his seven-and-a-half-year tenure his achievements ranged from implementing all of the Town’s enterprise technology systems, to negotiating two separate cable franchise agreements, to implementing all technology services needed for the first town traffic system, to helping stand up Queen Creek’s Fire Department and everything in between.
Lester then worked for the City of Mesa for nine and a half years, where he supported multiple enterprise systems, including the utility payment system and municipal courts. During this time he became the city’s second CISO and first Chief Privacy Officer, a post he held for three and a half years. He functioned as the city’s HIPAA Security Officer and was responsible for the organization’s PCI compliance in addition to all aspects of cybersecurity, including SCADA and IoT security.
Lester has presented at the local, state and national level on topics ranging from telecommunications to data management to cybersecurity. As a certified PMP and CISM, Lester has taught at the collegiate level for over 10 years in the areas of cybersecurity, technology and project management. He is a published author and an active participant in the cybersecurity community.
Why did the role of CISO appeal to you?
I feel that, other than the role of CIO or perhaps CTO, there is no other position within a traditional IT organization that requires such a diverse set of technical, planning and leadership skills. From a technical perspective information security is the only field that encompasses all seven layers of the OSI networking model, so to speak. What I mean by this is there is no aspect of technology that information security doesn’t touch – networking, systems, middleware, application support and development and everything in between.
Then, from a non-technical perspective, you have your cyber risk management functions as well as those of assurance and compliance. Information security is perfect for someone who has a wide swath of skills and experience.
Given my technical background, I have been a professional ‘jack of all trades’ and master of none – I have performed in pretty much almost all tech roles other than DBA. What I do excel in is program management and strategic planning.
Being in the CISO role allows me to take advantage of all my experience and skills while constantly pushing myself to learn as information security is never stagnant.
How does one get across to the board the importance of information security?
Speak their language. I believe part of the reason that, until recently, CISOs haven’t been ‘invited’ to the board’s table is because of how they have represented what they bring to the organization. At the end of the day, I believe the CISO should be able to speak in business terms as it relates to cyber risk. We don’t just provide technology services around information security; we help the organization identify what cyber risks exist and provide solutions that reduce the risk to a level that is acceptable to the organization.
Often times, especially for those orgs that don’t have a mature approach to enterprise risk (and not just cyber risk), we often help the board articulate what their risk threshold and tolerance levels are by speaking in business terms, not technical ones. If we do this, then we are automatically adding value to the organization. The ‘old school’ way of delivering information security services was to throw roadblocks in the way of the organization by telling them, including the board, all the reasons why they shouldn’t do X, Y or Z. That was the easy approach and one that would quickly erode any confidence a board might have in a CISO or desire to ask for their guidance again.
If we put ourselves in the shoes of the board and align the information security program of a company with their vision and mission, we then become business enablers. We educate the board on the risks a certain direction may have but in the same breath we share what we can do to mitigate that risk to a level that is acceptable.
Really good CISOs will take that one step further, which is to see where technology, business, the cyber threat landscape and other variables are taking the company and then determine when and how the board needs to course correct. In short, if we can demonstrate how we support the overall strategic and operational goals, we can show the importance of information security to the board.
How can CISOs/Leaders better understand a business’ needs?
Spend time understanding your business, starting off with reviewing anything that outlines the company’s strategy. For example, how many CISOs know what their respective company’s Vision and Mission are? Put yourself in their shoes – who you are dealing with in the organization makes all the difference in the world. At face value, understanding that the CFO is probably more interested in the organization’s PCI compliance versus your benefit administrator, who is concerned with HIPAA compliance.
While this is a simplistic example, the truth is by engaging in dialogue with leaders throughout the enterprise, you can start to better understand their challenges. As a CISO, if you can identify risk that will keep your CEO out of the news and the ire of his/her Board of Directors, that demonstrates pretty good knowledge of what is important.
What unique security challenges does your industry face?
From my perspective, what is unique with local government is the nature of the services provided and subsequently, the data that is created/stored/used to deliver and enhance these services. Frankly, there are services that local government provides that no one else can. Good examples of these include, but are not limited to: courts, utilities (water, gas, electric, wastewater, etc.), elections, transportation and the like.
The private sector does not provide identical alternatives along these lines, making these services and the data used/created potentially valuable in their uniqueness and reach. The best example of this was the November 2020 elections in the US. Maricopa County, where I work, is the fourth largest county in the US by population and played a big role in the outcome of the elections.
At least in the State of Arizona, counties are the local government agencies that provide election services. Not only was election security, cyber or otherwise, of paramount importance, but the perception of interference in the election would have been catastrophic, especially given the volatile nature of this election cycle. Not only were we focused on security controls, attacks from nation states, organized entities and hacktivists, but one of our biggest challenges was misinformation and disinformation campaigns via social media.
While not all local government services rise to the level of scrutiny of elections, or are as critical as public safety, it is clear that the public – citizens and businesses alike – depend on our services. In some cases, local governmental services are a matter of life or death, or critical to the social fabric. With this comes a heavy responsibility from an information security perspective. The data generated in delivering these services and the data needed to provide them are critical, and by extension, sensitive in the wrong hands.
What is the biggest risk, information security or otherwise, associated with digital innovation?
I believe data privacy is one of, if not the biggest, risks in the pursuit of innovation. Think about the biggest innovations over the last few years – new social media tools for communications, machine learning (supervised and unsupervised), adoption of cloud services, IoT, augmented reality, etc. What all these technologies have in common, to varying degrees, is their use of data – either the creation of new data and/or the aggregation of data such that the sum is more than the whole of their parts.
For example, machine learning can take multiple disparate data sources and aggregate them in such a way that it discovers relationships between said data that we never knew existed. So what does this have to do with data privacy? Current information security solutions are focused on categorizing data and assigning classifications, which in turn determine what controls to apply to them and permissions to assign. How can we do this when we have no idea what the end product is going to be, as is the case with machine learning?
Here is a practical example of the above. Many cities will share 911 data online, in order to provide their constituents information about how public safety operates within their jurisdiction. Additionally, they do this in efforts to be transparent. However, they have to be careful on what they share, in order to protect the very people they are trying to serve.
So, often times police departments will either leave out or obfuscate certain data types in cases of assault or domestic violence. I don’t think anyone would object to this, especially for the reasons provided. So what if you had access to a variety of publicly-accessible information (not just governmental) from a myriad of sources and applied machine learning to correlate this data? What if you were able to determine who were the victims of domestic violence and could tie this to where they lived, worked, their social media accounts, etc.?
The problem is this – innovation is almost always inextricably tied with this concept of ease of use and personalization, but in order to automate services and make them more meaningful to a person/group/company, the innovation needs data to make this happen. The bigger problem I believe is that we are reaching the point where it almost doesn’t matter if we provide the data ourselves, like filling out a web form, as so much data is out there about ourselves and organizations.
This is where the EU is significantly ahead of the US – there is no federal law that uniformly addresses data privacy. There are industry-based compliance requirements like HIPAA that touch on their sliver of data privacy needs or there are state requirements that deal with data privacy, California being the best example of this with their California Consumer Privacy Act (CCPA). Until the United States has something that is enforceable, this concern about data privacy is only going to grow.
Why are some industries more open to sharing information than others?
One of the great reasons to work for local government is that what motivates government isn’t making a profit. Sure, we want to be fiscally responsible and, where it makes sense, operate in a revenue-neutral manner, if not in the black, but what is more important is delivering services to our residents and business community. When an organization’s focus is on service and not profit, obstacles such as competition and having to worry about others in the market fall away. While I can’t speak for other regions first-hand, most government agencies in Arizona have a great deal of trust for one another and as a result share not only strategies, tools, etc. but go so far as to share IOCs and other intelligence.
Some industries, understandably so, are so competitive that they put a premium on secrecy/privacy. Theft of intellectual property is make or break for many industries. This doesn’t happen to be the case for local government. In our case, this level of competition doesn’t exist, and if one county in Arizona sees anomalous behavior, chances are good that others have or will see similar attacks.
Now with this being said, I believe overall sharing has improved across all sectors. For example, the FS-ISAC over the last few years has seen a significant increase in participation and intelligence sharing. However, sharing by the private sector still lags, from my perspective, behind that of government. I had previously belonged to a 503c that focused on establishing cybersecurity public/private partnerships, including intelligence sharing and while some IOCs were provided by the private sector members, the vast majority were provided by members from government agencies.
Trust is a difficult thing to gain, I guess, especially if you are competing against one another. It is natural for people and organizations to want to be number one, to be the best. Governments are constantly ranking themselves against one another, but when it comes to cybersecurity, our competition isn’t one another – it’s the bad guys.
Information Security has never been more important, to all aspects of society and enterprise. We’ve seen cybercrime specifically target organizations who have been working on vaccines for the virus that has killed so many people. We’ve seen nation states attempt to disrupt free and democratic elections. We’ve seen the continued, and in many instances, accelerated rate in which new and innovative technology has been adopted.
All this and more translates into information security risk, something that all organizations, regardless of sector, need to get their arms around. This is why the role of the CISO has never been more important than it is now.
We need to be able to build trust with our CEOs and boards: trust that we understand what is important to the organization, that we are looking at the present and the future to head off any risks that present themselves, and that when they eventually do, the organization is well-prepared to weather the storm.