3 min read
Cecil McMaster wants to change the way his team thinks about security
As Chief Information Officer for the New York City Department of Environmental Protection (DEP), Cecil McMaster is responsible for securing an organization
supplying over one billion gallons of clean drinking water to approximately nine million New Yorkers. The DEP operates a massive network of pipes, regulators, pumping stations, treatment facilities and reservoirs, which is supported by information technology infrastructure, including thousands of computer servers and desktops, tablets, wireless phones, sensors, programmable logic controllers (PLCs), Data, and networks. It represents a massive physical and digital footprint to secure.
The New York City DEP runs a mix of modern and legacy information technology infrastructure. For all these assets to be truly secure McMaster says security must be built-in from the beginning. Unfortunately, as is the case with most legacy deployments, much of the infrastructure was created before the Internet was commonplace, making it difficult to secure against modern threats. McMaster believes a holistic approach to security is the best way to protect the assets already in place. In other words, creating a secure organization based on legacy assets is not just about locking down hardware and software vulnerable to cyber or physical security threats, it’s about considering the security of the entire organization, including the habits of employees. This perspective has helped him focus on promoting security best practices and education – engaging with employees across the board – when many other organizations are scrambling to lock down every device.
Visibility: A high-level approach to security education
For enterprise-size organizations in the public sector, IT assets are rarely consolidated in a single location. Instead, much like the situation faced by the DEP, physical and digital assets are spread out across different sites.
The solution is to divide and conquer, identifying the most valuable assets and focusing on securing them first. McMaster also says it’s important to break up the responsibilities among team members, making it reasonable for them to secure assets in their area of responsibilities.
By focusing on visibility – identifying all data and hardware and categorizing it by importance – organizations can better understand the full scope of their assets, which helps with data protection and overall security.
Security education: Changing habits
The next-generation of infrastructure with integrated security is still on the horizon. But waiting for more secure hardware to be implemented is not an option. Assets need to be protected against digital security threats today. Part of the answer to properly securing a large legacy organization is educating employees about security best practices.
It is not only organizations with large legacy infrastructures that can benefit from an education-first approach. "People think cyber security is drastically different than securing other things,” McMaster says. “I would challenge them. I think the tools are different but the attitudes need to be the same."
The proper attitude for this digital age is to always consider security in your daily activities, whether at work or at home, but even McMaster admits this often involves changing long-established habits. “It’s about making sure that people understand we need to start changing our behavior,” he says.
Despite the challenges, McMaster remains optimistic the future holds a more secure world.
In fact, that future may not be far off. More than ever, government departments are beginning to tie physical and IT security together, with the goal of sharing threat data to make correlations between physical and cyber threats.
It’s clear the current generation of security professionals faces an uphill battle with security education and changing habits, but as the next generation of professionals enters the workforce, those who have grown up with connected devices, behaviors and habits will improve.
Read the full interview with Cecil McMaster here.