On this week’s episode of Security Nation, we had the pleasure of speaking with Stephanie Helm, director of the Massachusetts Cyber Center. In this interview, we discuss how she went from working in the Navy to becoming the director of this new initiative in Massachusetts and how her team is helping municipalities develop incident response plans and getting buy-in and budget for security amidst other priorities.

Here is our recap of the podcast:

From the Navy to the Massachusetts Cyber Center

Stephanie was in the Navy for 29 years. With a degree in Slavic languages and literature, she was recruited to the Navy because of her language background. She became a cryptologist working with GCHQ and the National Security Agency and then transitioned into information warfare. During this time, she was a commanding officer, went to a NATO exercise in the Baltic, toured the Pentagon and the National Security Agency, and taught at the Naval War College.

For the majority of her time spent in the Navy, she was one of only a few women, but by the time she retired, the Navy had become much more diverse and integrated. After she retired, she worked in the War Gaming Department integrating cyber-operations into traditional war games and then was hired as director for the Massachusetts Cyber Center, where she is today.

Why the Massachusetts Cyber Center was created

The idea for this initiative was born after Massachusetts’ governor, Charlie Baker, visited Israel and was impressed by its cybersecurity sector. He knew his state could do better. Massachusetts already had a strong cybersecurity ecosystem, but it just needed a focal point for the state. The center was established in 2017 with help from the Massachusetts Cyber Security Strategy Council, which helped to create the mission, strategy, and execution of key activities.

Stephanie explained that the center has three main efforts. The first is assessing the state’s cybersecurity assets, between companies, academic research, and the investment community. These entities are capturing new ideas and innovation and helping them grow and integrate with other parts of the state’s ecosystem. The second effort is resiliency for the state, municipalities, and citizens. The third is outreach and communication to build awareness of cybersecurity, including why people should care and what they can do about it. Cybersecurity can seem daunting to people outside the industry who are not technical in nature, which is why their initiative has been to make security approachable and easier to understand.

Creating resilience across municipalities

Considering the current COVID-19 pandemic, resiliency has become more important than ever for local governments. Despite much of the country being in quarantine, adversaries are not. As of late, municipalities are seeing the same (if not more) attacks. As more people work from home and on their personal laptops, there are increased risks. There are also risks when it comes to the stimulus packages and checks coming in the mail. Within the Massachusetts Cyber Center, there is a resiliency working group that created a toolkit with considerations municipalities can take into account as their workforce goes remote. It also includes links to resources like the Cyber Security and Infrastructure Security Agency website. This has information on cybersecurity best practices.

Creating an incident response plan

Another initiative of the center is to make incident response planning a priority for all municipalities. This brings up a lot of challenges, especially considering many smaller cities and towns don’t have a CSO or even a dedicated IT person. In some cases, some towns are so small that it’s the public works director who is “in charge” of security. That’s why Stephanie and her team are providing workshops for town leaders, security professionals, and IT folks to figure out their incident response plan and how it fits in with their overall operations, risks, and decision-making processes. Helping each town and city tailor a plan to fit their own needs and available resources is important since each one is different.

For towns and cities that don’t yet have much of a cybersecurity program, there is a program called The Community Compact where municipalities can create a proposal to improve their IT or cybersecurity infrastructure. This program is separate from what the Massachusetts Cyber Center does, but it works in parallel with what Stephanie and her team are up to.

Advice for getting security buy-in amidst myriad priorities

As with any organization, security buy-in and budget need to be considered against other priorities. Stephanie’s advice when asking for buy-in or budget is to make your case using language the stakeholder you’re speaking to understands so the conversation feels more approachable. You need to make a case for why investing in cybersecurity is as important, if not more, than other investments they’re making. Does it address a health and safety issue? A human resource issue? There is a lot of complexity with running a municipality, from wastewater management systems to patching potholes, so presenting your proposal in a way that’s consistent with other decisions the town needs to make can be very helpful.

A good place to start is by listening to what else is going on in the city or town. Check out a town meeting and learn what the IT folks are up to. This can help you understand what the municipality’s risks and priorities are and where they need help. One thing Stephanie and her team did last year was a listening tour. They brought municipalities together to talk about the issues they were facing and heard in their own words what their challenges were and what would be helpful to them. Asking questions and listening to problems they have is an understatedly important step in this entire process.

Listen to the full interview

We’d like to thank Stephanie for sharing her story and some of the important initiatives her organization is up to. To hear her interview in full, be sure to check out our latest episode of Security Nation, and if you like what you hear, please subscribe!