Herman Brown is the Chief Information Officer at SF District Attorney’s Office where he also holds the function of CISO. He’s got private sector experience to match his public sector experience. He recently sat down with us for 5 questions.
How has your mindset changed over the past 3 months?
Quite frankly, my mindset hasn’t changed over the last three months. Having a military background and having prior security experience I came into the organization thinking that security is the foundation in which we built everything upon. So I’ve always been security minded and focused.
I would say what has changed though in the last three months has been that the organization as a whole has now seen the importance of security. There is an understanding that we now have to take a bigger step as we go from having a handful of people working remotely where our risk is minimal- to now having an entire organization working remotely. So now there’s a much larger footprint of exposure and risk and a greater understanding of that risk.
What does that do to your strategy?
The biggest key for strategy moving forward is actually understanding the risks that are involved, where those potential risks lie and with whom, and then properly training and educating. You’re only as strong as the weakest link.
As the CIO and CISO, I’ve always said that security is not just an IT function- it’s an organizational function and it’s everyone’s responsibility. Our responsibility is to make sure that the staff understands the security risks and what to do and how to respond to a security risk appropriately.
What is your primary focus?
Your primary focus is prevention. That is the primary focus. It’s always about prevention and trying to prevent that threat from even happening, so that you don’t have to initiate that incident response plan. But you need endpoint protection; you need your antivirus solutions; you need your firewalls, you need your multifactor authentication. I mean, there are so many tools and technologies out there, and it’s not just one. We have security appliances in places, in the firewalls, looking at the North, South traffic. The traffic that’s entering and exiting your network, but you also want look East, West and see what’s going across your network and transgressing the network. So we have tools in place to be able to do that.
Having your security dashboard that can quickly notify you, or give you a easy, visible view into what’s happening on your network, I think is very important. And being able to monitor that and have alarms set up to automatically notify you, but these are all just tools that you have in your tool belt that you have to utilize and you have to implement, and they have to integrate with one another. It’s a huge task, it’s a daunting task, but it’s a necessary evil for fighting, the threat actors that are out there, both externally and internally.
We always talk about the external threats and the bad guys that are outside, but there are sometimes disgruntled employees that are within your organization and/or just employees that are, I don’t want to say naive, but they make a mistake. They don’t purposely, compromise the system or their accounts, but it happens.
How do you ensure a focus on both compliance and security?
Having compliance helps to drive that security initiative. It’s easier to get things through the executive team and the board, when you can say, “Hey, because of compliance reasons, regulatory reasons, we have to do these things because a lot of the times the business wants to have the least amount of impact onto the business and the staff and how they operate, which isn’t necessarily best practice or puts the organization at a higher risk. So I do like compliance. Compliance though, is not always correct or easy and that can also be a struggle for the IT organization to have to support and implement in, making sure that they’re meeting all of those touch points that are necessary.
What will be the same/different in 12 months?
I think what will remain the same is pretty much everything. I personally think that we could be in this remote new norm for the next year. You get into the winter, the flu and cold season, which some of those symptoms are very similar to COVID-19, how’s the workforce? It’s going to be, “Well, you know what? If you have a fever, you have runny nose, you have to work from home,” I think. So you’re going to see a lot of people that are going to be home because their kids are sick, or their spouse is sick, or they’re sick and they just don’t know whether or not they’re positive or not for COVID, regardless of the vaccine.
But I think that we’re going to be the better off for it from a security technology standpoint. I think we, especially in government, have proven that we’re capable of still sustaining government business and being remote. Government has been very resistant to staff working remotely because they feel like there’s such this need to be physically in the office because of that physical presence with the public, the constituents and the people in which you serve. But the truth of the matter is, is that there’s not really a lot of that face-to-face with the constituents. There’s definitely certain departments within a city and county, that has that direct public interface but we’re seeing that overall across the board, whether you’re government or private sector organizations, that people can be productive while working remote and the business can still be profitable and still accomplish its mission. So I do think this is going to be the new norm.