Connecting state and local government leaders
Erik Avakian, Pennsylvania’s chief information security officer, may be a new breed of ‘black swan’: the optimistic cybersecurity professional.
Erik Avakian has been serving in a security role with the Commonwealth of Pennsylvania since 2005, and has served as the state’s chief information security officer, or CISO, since 2010. Over that time, he has seen dramatic changes in the field of cybersecurity, and with it, his role. What was perhaps most striking from Route Fifty’s interview with Avakian earlier this month is how optimistic he seems about the opportunities for information security to empower business processes rather than hinder them—not a common trait among information security professionals.
“We’re talking about projects that actually enable the business,” Avakian said.
Avakian remarked that when he started out with the commonwealth in 2005, “security was really ensuring viruses weren’t on systems, and it was very, very limited and it was very, very technical.”
In 2017, Avakian sees a more proactive role for the CISO that is enabling and empowering the business of the state—something often seen as counterintuitive with security. “If we think about [what] it’s becoming today... it’s a business issue. It’s all about the business and enabling the business and securing data and securing business processes so that the business can thrive.”
For example, Pennsylvania is building a “citizen-centric identity portal where citizens will be able to basically get an account, login and from there they can get access” to multiple state services across the entire state enterprise. That means one place to get everything from registering your car to obtaining a fishing license. It’s not only a security feature, but it helps “create an experience for our citizen where they have that unified account” as opposed to multiple logins for various services and agencies. As Avakian explained, it’s not only a security feature, but also what citizens have come to expect from the online business environment.
The focus on the business environment is a conversation that Avakian is eager to have with executives in government, who are also becoming more aware of cyber risk. “When you think back just a few years ago when we started seeing a lot of the breaches, such as Target and Home Depot, and you really started to see cybersecurity … it started to become personal,” he told Route Fifty.
This saliency provided an opening for Avakian to discuss the business risk environment more often and directly. “My role in Pennsylvania has really morphed into communication… being a good communicator—especially when you’re dealing with high-level executives—and trying to understand and talk about risk management in ways that they can understand,” he explained. “What’s really great about having those discussions is it really helps get the buy-in for cybersecurity.”
Asked about the increase in data, and the risk of an increasingly connected world, Avakian again struck an optimistic tone.
“I think the landscape is an exciting time for cybersecurity,” Avakian said. “I remember when mobile devices came out that was a big thing and people were saying, ‘well what are we going to do? How are we going to deal with this?’ and it’s the same approach.”
“New technologies will always come out and we can apply … similar approaches to how we identify risk, how we quantify that risk, and put in best practices to ensure those systems, those networks, those devices, and the data is secured. There will always be nuances to that, but it’s exciting with the advent of all these different technologies.”
Mitch Herckis is Senior Director of Programs for Government Executive's Route FIfty and is based in Washington, D.C.