NORWALK, Conn. — Norwalk will be advertising for its first chief information security officer soon, a new position authorized Tuesday by the Common Council.
“Ransomware attacks have been increasing for quite some time and met a record high last year, costing victims millions and millions of dollars. Municipal governments and educational institutions are particularly vulnerable to ransomware attacks. And one of the things that’s really scary is that we store huge amounts of identifiable information that are at risk,” Common Council President Barbara Smyth (D-At Large) said. “…I feel really strongly … that we really, really need the position of chief information security officer.”
The vote was unanimous, creating an ordinance position with an annual salary range of $124,565 to $170,455, designed to protect both the City and Norwalk Public Schools.
“I envision the CISO as being a cabinet level position that reports to the Mayor and the Council,” Chief Financial Officer Henry Dachowitz said. The CISO will also report to the Superintendent of Schools.
“At the cabinet level, this person must be able to move within the organization laterally and not politically. So I am 100 percent supportive,” Council member Thomas Keegan (R-District D) said.
The move stems from a security audit done by Blum Shapiro for $39,000, authorized by the Council in November. “One of the key findings is we need a chief information security officer,” Dachowitz said.
The United States was hit by a record number of ransomware attacks in 2019, affecting at least 948 government agencies, educational institutions and healthcare facilities at a cost of more than $7.5 billion, a memo from Dachowitz and Information Technology (IT) Director Karen DelVecchio said. It’s a 60 percent increase from the previous year.
They said the attacked organizations include:
- 103 federal, state and municipal governments and agencies.
- 759 healthcare providers.
- 86 universities, colleges and school districts, with operations at up to 1,224 individual schools potentially affected.
- “Closer to home, both Middletown and Wolcott school systems were hit with ransomware that disrupted school operations from 4 weeks to several months and resulted in data loss. Wolcott was hit twice in 2019.”
“Government agencies and schools have demonstrated to cybercriminals they are easier targets and less-prepared to protect against cyberattacks. The size of ransoms which these municipalities have been forced to pay was upwards of several million dollars,” they wrote.
In October 2016, a City payroll & accounts payable supervisor paid a nearly $900,000 fraudulent bill, in a scam thought to originate in China. Farmington also fell victim to the scammers. Norwalk eventually recovered $515,000 of the loss through insurance settlements.
Dachowitz said Tuesday that credit rating agencies were recently fascinated by Norwalk’s cybersecurity approach. It’s three-pronged:
- A technology-based approach, where DelVecchio and NPS Chief of Digital Learning and Development Ralph Valenzisi “work with our outside consultants to make sure the endpoints, the network, the training of people so that they don’t succumb to phishing attacks”
- The City’s operating and capital budgets have had “definitive budgets for cybersecurity” for five years, and an insurance program
- “It’s about human resources, training our people repetitively to be on the lookout, whether it’s emails or other information, and we put all of that together, but it’s never ending. It’s not like a project where you finish and then you can forget about it. It keeps on going and keeps us on our toes.”
“We in Norwalk are viewed as being as doing a pretty good job,” he said.
But, “We need a central point of responsibility,” DelVecchio said. “Someone who is at a peer level with the senior leadership team, whose primary focus is dedicated to the creating the Security and Information Privacy plan and making sure that those guidelines are being adhered to across all departments, as well as to work with departments in order to help them be in compliance.”
“I think COVID has exposed the dependence that we have now on technology and the need to secure that technology. I’m glad we’re moving forward with this,” Council member David Heuvelman (D-District A) said.
“It’s something that I and others have discussed over the last several years. And I think it’s a critical need for the city,” Council member Tom Livingston (D-District E) said.
But it’s more, Council member Greg Burnett (D-At Large) said.
“One of the roles of the position … is business recovery and disaster recovery,” Burnett said. “I think we’ve experienced impacts to our community, due to natural occurrences and to ensure that we have a business recovery and disaster recovery plan in place, I think is critical to our operation. So I’m very supportive of this individual coming in and ensuring that we have a sound and capable and tested plan.”
“CISOs are in very high demand everywhere,” Dachowitz said. “And maybe, knock on wood, but maybe with COVID and people being unemployed, we might get lucky and get a better individual than we might have gotten at other times.”