Eyes on security: State’s chief information officer tackles digital safety

BY JARED COUNCIL
Indianapolis Business Journal

Dewand Neely is the chief information officer for the state of Indiana, overseeing a 300-plus employee operation that is the sole provider of IT services to about 100 state agencies. He’s been at the Indiana Office of Technology since its inception in 2005 (agencies previously had their own IT teams and resources), and he assumed the helm in October 2015 after Paul Baltzell stepped down.

Neely, 38, recently spoke with IBJ about cybersecurity, the innovation his office is driving, and being one of only a few African-American state government CIOs in the country. The following are edited excerpts from that conversation.

IBJ: You’ve been in your job for a little over a year now. How have you made your mark on this office?

Neely: I came in (in 2005) as an infrastructure guy a few years out of school and was lucky enough to be one of the first folks to work with the newly created Office of Technology. One of the things I remember early on is the struggle we had with changing the culture when we started doing consolidated IT — how much we had to bend over backward to make sure we were being customer-service focused and delivering value to win over people who were against consolidation.

One of the things I did right away after (becoming CIO) was to really put another focus on that. We were doing some really cool things, but sometimes that work can get in the way of the customer service.

Have there been any initiatives that either you started or your predecessor started that you are continuing?

Something that was started right before Paul left was really putting together a sound, solid plan for cybersecurity. Paul put some really foundational things in place. So that’s one of the main things I’ve taken and run with since he’s been gone—making sure that we’re executing through on that plan and continuing to constantly evaluate that.

What does that plan entail?

We’ve taken a really strategic approach in helping all the agencies use standards put out by the National Institute for Standards and Technologies. And you can apply that to their business and say, “Let’s pull out your highest risk levels and put those on a plan to attack first.”

Give me some examples.

Sometimes risk is just a bad business practice. It could be that you allow certain employees more rights than they need for their particular role. And if you don’t combat that, then that allows the opportunity — if that employee makes a mistake or they do something unknowingly — to create a bad situation for a large environment.

And what kind of risks are we talking about in terms of outcomes — hacking, denial-of-service attacks, something else?

The hackers these days, they don’t spend a whole lot of time trying to penetrate networks. They found out a long time ago it’s much easier just to craft a really clever-looking email. This is the time of year when you’re going to see tons of, “Hey, you got a shipment. Click here to track your package.” And people are ordering so many things right now, they won’t know the difference. Then those are the phishing emails that take over those machines.

What are some of the things these hackers are looking to do once they break in?

With these phishing campaigns, they’re kind of just throwing things out there and seeing what they find. And ransomware is definitely one of the most popular ones, and that’s where they’re out to make some money. So they steal or block your files and hope you don’t have a backup and hope that you’re going to pay them. And unfortunately, that just happened to Madison County here a couple of weeks ago, here in Indiana.

Personal information is one of the hot areas as well. They want to grab as much of that as they can and sell that on the dark web and on the black market. From what I’ve been reading and seeing so far, though, I think these hackers and bad actors are probably making more lucrative engagements off of the ransomware than what they are off of personal information.

I’ve been seeing figures and numbers that personal information, once it’s captured, on the dark web, they’re selling those things for, like, five and $10 bucks a record. Whereas with ransomware, they’re asking between $15,000 and $20,000 for people to get their files back.

What would be the biggest goal or initiative you have over the next 12 months?

I’ve mentioned that we are focusing on customer service. Another piece of that is delivering high value at a low cost to the state agencies.

So I just completed a benchmarking exercise to evaluate how my office delivers services to the state, compared to other states and compared to private sectors as well. And so, I’m using that as kind of a feeder for our strategic plan on how we can get better and how we can drive lower-cost IT, but still deliver great value to keep the cost down and to keep competitive with what’s going on in the private sector.

Doing these benchmarking exercises is going to force us to change some ways we do things, particularly with data centers and the cloud.

Speaking of the cloud, how widespread is its use? Is it something that state agencies have embraced or are they still a little hesitant given security concerns?

I would say Indiana is definitely a laggard in that area. A lot of the cloud that Indiana is using today, they’ve been kind of forced into by the vendors. So as vendors move to a (cloud-based) subscription model, we’re being forced to go down that road.

And then the other area where we’re embracing it is around storage of data that’s not really sensitive. The traditional data center servers — compared to what Amazon and Microsoft can store those things for — is just much cheaper there.

What areas would you say that we really stand out in or outperform other states?

One area that we’ve always been touted for … is how we use our data to make better decisions. We’ve been able to successfully mine our data and run analytics on our data to help solve some pretty complex problems that we haven’t been able to solve in the past.

What kind of problems?

The one that’s gotten the most attention deals with the infant mortality issue. Indiana was in the top three, I believe, in the nation for infant deaths. That was a problem that we had been trying to solve for years, whether we thought it was smoking or just bad practices by younger moms.

And then finally, after taking a look at the problem outside of just what we thought it was — instead of just looking at just one agency, we looked across all the agencies that may be involved. And bringing all that data together, we could specifically identify (that) the infants who had issues were infants who had mothers who weren’t making the required amount of visits while they were pregnant.

Another good example right now that the Indiana State Police is working on is how to prevent fatal crashes. They have been mining data that we’ve collected for the past decade on all accidents that resulted in a fatality. And we’ve brought in data like current events that were going on at the time, weather data for the past 10 years, and road and traffic data. And they can now go and predictively place a trooper or an obstacle to get people to slow down in those areas where our highest percentage of fatalities could occur.

And we’ve also been trying to tackle the opioid issue as well — looking at data on where hot spots are in the state, what our forensic labs are bringing in, and trying to make sure troopers are in the right areas there to have a better chance at saving a life as well.

It seems like your office has a dual mandate: delivering IT services to government agencies and, at the same time, steering the way for agencies to use data to solve problems. Is that a good way to frame it?

That’s a perfect way to frame it. When my office was initially created, it was just to consolidate servers and desktops and email to provide that support. But I think, over time, we’ve matured and we’ve realized that IT really needs to be a business partner, too.

What got you interested in this career path?

I kind of had a curiosity in programming late in high school and early in college. I found out pretty quickly that I didn’t want to be a straight app-development-type person, and then I found that there were some programs that focused on infrastructure and networking technology.

And so I went down that track and really enjoyed just doing infrastructure-type work — consolidations, migrations, things like that. But it wasn’t until I got to the state that I got connected with a great group of people who had a strong will to make state IT better.

It kind of rubbed off on me and, 12 years later now, for some reason I’m still here. And honestly, when I first came in, it was really as a resume builder. I just knew (that), after three or four years, I would be off in the private sector making tons of money, but I fell into the trap of public service and got that vibe of, “This is for the greater good. The things that we do are making a difference for our state here.”

There don’t appear to be many African-American state government CIOs. Is that something that you’ve seen, and is that changing?

There’s a great organization called NASCIO — National Association of State CIOs — that keeps us all talking, sharing information and helping one another. So that’s where I get to meet my counterparts and I’m trying to recall—and I’m hoping I’m not leaving anyone out—but I believe there’s only one other (black state CIO) and that’s James Collins in the state of Delaware. He and I obviously connect quite a bit. But, yeah, you’re right—it really isn’t a popular role for our demographic and I’m not really sure why.

Do you think it matters for this industry to become diverse or is it fine the way it is?

Speaking on a personal note, I think it matters. There’s still a subset of the younger generation that look for role models that kind of fit their background or fit their demographic. And that’s what they gravitate to. And I think the more we can branch out into different areas, the more that younger generation sees hope for other areas where they can achieve—instead of just the ones they’ve been told that they’re going to.