Norwalk to hire CISO to protect City and school system

NORWALK, Conn. — Norwalk will be advertising for its first chief information security officer soon, a new position authorized Tuesday by the Common Council.

“Ransomware attacks have been increasing for quite some time and met a record high last year, costing victims millions and millions of dollars. Municipal governments and educational institutions are particularly vulnerable to ransomware attacks. And one of the things that’s really scary is that we store huge amounts of identifiable information that are at risk,” Common Council President Barbara Smyth (D-At Large) said. “…I feel really strongly … that we really, really need the position of chief information security officer.”

The vote was unanimous, creating an ordinance position with an annual salary range of $124,565 to $170,455, designed to protect both the City and Norwalk Public Schools.

“I envision the CISO as being a cabinet level position that reports to the Mayor and the Council,” Chief Financial Officer Henry Dachowitz said. The CISO will also report to the Superintendent of Schools.

“At the cabinet level, this person must be able to move within the organization laterally and not politically. So I am 100 percent supportive,” Council member Thomas Keegan (R-District D) said.

The move stems from a security audit done by Blum Shapiro for $39,000, authorized by the Council in November. “One of the key findings is we need a chief information security officer,” Dachowitz said.

The United States was hit by a record number of ransomware attacks in 2019, affecting at least 948 government agencies, educational institutions and healthcare facilities at a cost of more than $7.5 billion, a memo from Dachowitz and Information Technology (IT) Director Karen DelVecchio said. It’s a 60 percent increase from the previous year.

They said the attacked organizations include:

  • 103 federal, state and municipal governments and agencies.
  • 759 healthcare providers.
  • 86 universities, colleges and school districts, with operations at up to 1,224 individual schools potentially affected.
  • Closer to home, both Middletown and Wolcott school systems were hit with ransomware that disrupted school operations from 4 weeks to several months and resulted in data loss. Wolcott was hit twice in 2019.

 

“Government agencies and schools have demonstrated to cybercriminals they are easier targets and less-prepared to protect against cyberattacks. The size of ransoms which these municipalities have been forced to pay was upwards of several million dollars,” they wrote.

In October 2016, a City payroll & accounts payable supervisor paid a nearly $900,000 fraudulent bill, in a scam thought to originate in China. Farmington also fell victim to the scammers. Norwalk eventually recovered $515,000 of the loss through insurance settlements.

Dachowitz said Tuesday that credit rating agencies were recently fascinated by Norwalk’s cybersecurity approach. It’s three-pronged:

  • A technology-based approach, where DelVecchio and NPS Chief of Digital Learning and Development Ralph Valenzisi “work with our outside consultants to make sure the endpoints, the network, the training of people so that they don’t succumb to phishing attacks”
  • The City’s operating and capital budgets have had “definitive budgets for cybersecurity” for five years, and an insurance program
  • “It’s about human resources, training our people repetitively to be on the lookout, whether it’s emails or other information, and we put all of that together, but it’s never ending. It’s not like a project where you finish and then you can forget about it. It keeps on going and keeps us on our toes.”

 

“We in Norwalk are viewed as being as doing a pretty good job,” he said.

But, “We need a central point of responsibility,” DelVecchio said. “Someone who is at a peer level with the senior leadership team, whose primary focus is dedicated to creating the Security and Information Privacy plan and making sure that those guidelines are being adhered to across all departments, as well as to work with departments in order to help them be in compliance.”

“I think COVID has exposed the dependence that we have now on technology and the need to secure that technology. I’m glad we’re moving forward with this,” Council member David Heuvelman (D-District A) said.

“It’s something that I and others have discussed over the last several years. And I think it’s a critical need for the city,” Council member Tom Livingston (D-District E) said.

But it’s more, Council member Greg Burnett (D-At Large) said.

“One of the roles of the position … is business recovery and disaster recovery,” Burnett said. “I think we’ve experienced impacts to our community, due to natural occurrences and to ensure that we have a business recovery and disaster recovery plan in place, I think is critical to our operation. So I’m very supportive of this individual coming in and ensuring that we have a sound and capable and tested plan.”

“CISOs are in very high demand everywhere,” Dachowitz said. “And maybe, knock on wood, but maybe with COVID and people being unemployed, we might get lucky and get a better individual than we might have gotten at other times.”

7 comments

Bruce Kimmel August 27, 2020 at 10:28 am

Excellent decision. This is an increasingly important area of concern for towns and cities across the globe. I am glad the CISO will deal with both BOE and “City” concerns. Perhaps, longer term, another discussion can begin about the cost/benefits of combining the BOE and “City” finance departments. Cost savings aside, any organizational adjustments that reduce the conceptual divide between the BOE and the “City” is a good thing.

Bryan Meek August 27, 2020 at 10:31 am

Says a lot about the current IT staff and their capabilities 20 years into the 21st century.

What’s next? Create another position for someone who can properly index the city’s website and keep it somewhat updated?

Bruce August 27, 2020 at 3:35 pm

This is a great move. Cyber Security is a very specialized field.
Also I am surprised that Meek would have issues with this as he beat it onto the ground when the city got scammed a few years back. Maybe he was just playing politics.

Bryan Meek August 27, 2020 at 4:21 pm

@Bruce. 1000%. Will this city ever go for the obvious synergies and shared services, or will it continue its 100 year old model of governance?

David August 27, 2020 at 10:27 pm

As Bruce said, the role of CISO is specialized. Every medium and large sized company has the role and an organization to support this effort.

Bruce Kimmel August 28, 2020 at 8:50 am

For the record: Bruce Kimmel has no idea who Bruce is. But of course I welcome his or her excellent comments.

Bryan Meek August 28, 2020 at 3:31 pm

@Bruce. Cyber security would not have prevented the $900k walking out of city hall. A proper system of internal controls with respect to vendor master file maintenance is a financial control issue, not cybersecurity which would be applied by the financial institutions we use to maintain our depositories. Moreover, IT professionals have been obtaining these certifications for the past 20 years now. I guess no one in City Hall felt the need to develop skills so we need to go outside for a function that should be completely outsourced. Try again.
