Connecting state and local government leaders

CISO-as-a-Service’s Fate Will Be Decided by Michigan’s Localities

Christopher Paulin /


Connecting state and local government leaders

The pilot has helped 11 jurisdictions obtain cybersecurity expertise they wouldn’t otherwise have, Washtenaw County’s innovations and process improvement manager explains.

BALTIMORE — A partnership between 11 local jurisdictions in Michigan will meet this week to discuss the future of the state’s CISO-as-a-Service pilot, developed to provide them with the high-level cybersecurity expertise needed to keep pace with the evolving threat landscape.

Michigan’s state government offered to fund the program for fiscal year 2018, but it’s up to the group of counties, cities, townships and villages to determine whether it will live on as part of an existing nonprofit or private-sector company, become a standalone venture or possibly remain with the state.

Whatever their final decision, the members understand the pilot must become a self-funding, self-sustaining model where each pays a fee—perhaps upwards of $100,000, Andy Brush, Washtenaw County’s innovations and process improvement manager, told Route Fifty in an interview at the National Association of State Chief Information Officers midyear meeting in Baltimore.

“It’s always much easier when you find a preexisting group that has a need than to come in and say, ‘We’ve got this service, and who wants to buy?’” Brush said.

The pilot jurisdictions all had the same datasets and troubles affording or finding chief information security officers, or CISOs, so the Michigan Department of Technology, Management and Budget hired one for five localities originally.

Using the Cyber Security Assessment For Everyone, or CySAFE, the CISO runs through 35 critical, National Institute of Standards and Technology, and Internal Organization for Standardization controls. Each assessment costs $5,000 to $10,000.

Jurisdictions rate themselves on a scale from zero to five in each area, and at the end of the exercise, the list of controls is resorted with ones needing the most improvement at the top. Localities are advised to work on their top five challenges, whether they be penetration testing or log monitoring, and reassess.

Washtenaw County, which has about 350,000 residents and includes the city of Ann Arbor, revealed its biggest problems were at the program level, so the Board of Commissioners and administrator moved to hire a CISO internally.

“I see that partnership between local government and state allowing us to do a much better job of what we’re doing, rather than focusing entirely locally,” Brush said.

The smallest member of the pilot is Springfield Township with its population of 13,000, a range of sizes having been selected to see how CISO as a Service works across the board. Michigan has already witnessed three or four high-profile cyber attacks requiring mutual aid, Brush said, and the partnership allows localities to solve problems together.

DTMB simply can’t provide aid to every community due to the vastness of the threat landscape, Director and Chief Information Officer Dave DeVries said on Monday during the NASCIO midyear meeting.

“I do really appreciate the role of the state on the brokering side of things,” DeVries said.

But that raises the question of where to find the talent supply needed to advise localities, he added.

Initial cost models indicate the partnership would need to expand to between 20 and 25 jurisdictions for a full-time CISO to be compensated for the workload, Brush said.

“And then that person becomes a little less available to everybody,” he added.

Watch Route Fifty’s full interview with Andy Brush, Washtenaw County’s innovations and process improvement manager:

Dave Nyczepir is a News Editor at Government Executive’s Route Fifty and is based in Washington, D.C. (Photo credit: Christopher Paulin /

NEXT STORY When the FBI Calls to Say Your State Has Been Hacked By Iran