Ten years ago, I took on the role of Chief Information Security Officer with the City of Seattle.
After 20 years of security consulting, mainly with the private sector, and ultimately as the Managing Consultant for VeriSign Global Security Consulting, I wanted to work IT security from a different focal point. As soon as I got there, I came to the following realizations (among others):
- Local governments provide mission-critical services and infrastructure that sustains lives, and quality of life in the communities they serve—and it’s all enabled by information technology.
- IT security preventive controls are generally in place, but monitoring the network for signs of compromise is either not occurring or needs improvement.
- It is remarkably difficult—if not impossible—for local government to attract and retain security professionals.
Realization 1 resulted in the start-up of CI Security as a professional services firm, with a mission to serve organizations that are underserved with respect to security, yet critical in terms of the services and infrastructure they provide.
Realization 2 directed the company’s commercial focus on a managed detection and response solution – controls that are largely unaddressed, yet which serve to minimize the impact of these events.
Realization 3 helped to initiate an effort to improve the knowledge base and availability of IT practitioners available to local government. This included both the PRISEM regional monitoring project (now reformed as PISCES), and the daily IT Security News Blast.
Origins of the “Daily Blast”
Originally, the Blast was just for IT staff in the Agencies of the City of Seattle, with the focus of continuous situational awareness and unrelenting exposure to the lexicon of security. Having one place to go consistently every day to find out who's been hacked, what criminals and governments are doing, and how privacy interacts with security ended up landing better with readers than the intended effect. I won't take credit for it, but I will point out that several of my colleagues during that time left IT proper for information security roles, and they have done exceedingly well.
Eventually, through interactions with regional universities and community colleges, the Blast started to get wider distribution. Through collaboration with the military and Department of Homeland Security, the Blast started going to recipients in state and federal government. At some point, it went international.
Still Sending IT Security News, 10 Years Later
Today, the Blast is delivered every morning to subscribers in a dozen countries, the National Cybersecurity Communication and Integration Center (NCCIC), lawmakers in state and federal government including a number of senators' staffs, and to IT practitioners in both public and private sectors and students in nearly every US state. It started as simple distribution lists managed by the City's Exchange server, but it's so big now that we have to use a service to manage the thing (and a new service is on the horizon - early heads up on that).
Yes, I do the Blast myself (I get asked this a lot). I have news filters that flag certain strings, and I evaluate all those articles for curation - rejecting about 75% of them. I also go through the usual suspect sites like SC Security, The Register, et al.
Sometimes it’s a pain to do it in hotel rooms and on planes, but since threat actors and the news cycle share the same non-stop schedule—I’ll keep doing it. Eventually I may need to cede the activity to something more automated, but for the time being, I'm pretty sure that it requires someone with some experience to avoid those, "Local Expert Says Use Anti-Virus" articles.
Happy 2019, and you'll be hearing from me.