As part of Industry Insider — California’s ongoing efforts to inform readers about state and local agencies, their IT plans and initiatives, here’s the latest in our periodic series of interviews with departmental IT leaders.
Jeffrey Aguilar is the award-winning chief information security officer for Los Angeles County, working within the Office of the Chief Information Officer (OCIO). He was promoted into that role from the deputy CISO position in May 2022, succeeding Ralph Johnson. Aguilar previously served for seven years as CISO for the Los Angeles County Department of Mental Health. He began his career in the private sector, having held consulting and project management roles with companies including Lucent Worldwide Services, Greenwich Technology Partners, International Network Services, British Telecom Professional Services and CC-OPS Professional Services.
In addition to his role with the county, Aguilar is an adjunct professor at Pepperdine University’s Graziadio Business School, where he’s also a member of the Cyber Risk Professional (CyRP) Advisory Board. He received his bachelor’s degree in telecommunications management from DeVry University and his Master of Business Administration in business administration and management from Pepperdine’s Graziadio Business School. He earned his certification in the Executive Leadership Development Program from the University of Southern California’s Sol Price School of Public Policy, and he has numerous professional certifications from the Information Systems Audit and Control Association, among others.
Aguilar was among the High Impact Leader award winners last spring at the Los Angeles IT Leadership Forum, an event presented by Industry Insider — California’s sister publication, Government Technology. He is a frequent speaker at conferences and industry forums.
Industry Insider — California: As CISO of your organization, how do you describe your role; and how have the role and responsibilities of the CISO changed in recent years?
Aguilar: I would describe my role as being a trusted adviser and change agent for my organization. Being the CISO for Los Angeles County’s information security program includes defining and leading the security strategy across 38 diverse departments representing a 100,000-plus workforce. Responsibilities include directing information security and providing executive leadership to integrate countywide security-related programs designed to protect county information technology systems and data. We have many layers of regulatory requirements we must adhere to, and it’s part of my role to translate those requirements into actionable security initiatives that enable secure business functions.
I spend a great deal of time collaborating with county departments, working on internal security strategic initiatives and building opportunities to collaborate with other jurisdictions. An ongoing theme of my day-to-day is the reduction of risk and county exposure given the ever-changing threat landscape.
As far as how this role has changed over the last few years, it is a matter of maturity. In my opinion, the county CISO was viewed as a partner to IT and a potential roadblock to the business. Today this role has matured into a partner to the business and a strategic change agent that not only works with IT to further build resilience, but also works with the business to understand how to secure the organization’s mission. A key component to this has been communicating and socializing security strategic initiatives to all levels of governance, from IT to business leadership, but in words that resonate with them as an audience.
IICA: How big a role do you personally play in writing your organization’s strategic plan?
Aguilar: The L.A. Countywide Enterprise Technology Strategic Plan is created in partnership with all county departments. As CISO, I participate in plan development and advise/provide input for enterprise IT strategic initiatives, short-, mid- and long-term. I’m also responsible for developing and implementing the county security strategic plan. This plan is in development, will be reviewed by the various layers of county governance and will be posted online when complete. Creating the county security strategic plan is a collaborative process in which the program’s values, mission and overarching security initiatives are outlined and have many points of intersection with the Enterprise Technology Strategic Plan. The security strategic plan is a guiding star and is written at a high level to allow for innovation and agility, which is key due to the dynamic changes with the threat landscape and introduction of new business requirements.
IICA: What big initiatives or projects in cybersecurity are coming? What sorts of RFPs should we be watching for in the next six to 12 months?
Aguilar: We have a key project and associated RFP coming, and I’m hoping it will be released within this calendar year. We will be implementing a Managed Security Services Provider (MSSP) to provide a fully managed 24/7/365 Cybersecurity Operations Center (CSOC); Security Information and Event Management (SIEM) solution; Security Orchestration, Automation and Response (SOAR) services; and a Cybersecurity Incident Response Retainer. Given the size and complexity of the county of Los Angeles, we will be engaging a partner to stand up and operate an MSSP. This environment will be integrated with the existing county-hosted SOC.
One other key project we will be moving forward with is the implementation of a countywide GRC (governance, risk and compliance) tool for all departments’ use. We spent the last year standardizing the county cyber-risk framework. We are now ready to procure and operationalize a GRC and associated platforms for trending threat data, hot spots and KPI/KRI pairings. This extends well beyond the typical reporting of compliance metrics.
IICA: How do you define “digital transformation” in an information security context, and how far along is your organization in that process?
Aguilar: Digital transformation is simply put as a method of embedding technology into the business to foster change. With this comes several types of transformation including process, business model and cultural transformation. One area not discussed is security transformation.
We all have taken part in IT transformation discussions, but I have been socializing the concept of security transformation across the county and [with] each opportunity I have to guest speak. Embedding security into business processes and technology is a fundamental need, which is rarely discussed in the concept of security transformation. The county of Los Angeles is well down this path. We have worked diligently on creating a risk-aware culture and ensuring that the county lines of business are enabled in a secure manner. Typically, security is viewed as a road bump and a risk to project timelines. If done correctly, introducing security early on in a project life cycle is key for secure and timely project success. Security as an industry is based on a defensive posture, which is why we need to begin security transformation. This can be done by leveraging AI, predictive analysis and threat modeling against geopolitical issues, as a few examples.
IICA: What is your estimated cybersecurity budget, and how many employees do you have? What is your organization’s overall budget?
Aguilar: The security budget is a subset of the overall county IT budget. We do not have a dedicated security budget; however, we are able to fund security projects regardless of commodity or service. My team within the office of the CISO is a team of two deputy CISOs and one associate CISO, each assigned to a different cluster of county departments. I’m currently in the process of hiring two more deputy CISOs who will work with other clusters from a strategic, governance and risk-management perspective. The county of Los Angeles’ adopted budget is approximately $40 billion to $44 billion annually.
IICA: How do you prefer to be contacted by vendors, including via social media such as LinkedIn? How might vendors best educate themselves before meeting with you?
Aguilar: To contact me, you can find me on LinkedIn. The best way to participate in county opportunities is to become a registered vendor with our Internal Services Department so you are notified of upcoming RFPs. I don’t post my personal information for several reasons including the bombardment of vendor emails, many of which are phishing. I prefer that vendors who are trying to do business with me understand the county of Los Angeles strategic initiatives and do some homework before sending a cold-call email. Our technology initiatives are posted online in the earlier-mentioned Enterprise Technology Strategic Plan. We are a large, complex environment, and a key area of importance to me is simplification of the technology stack. Adding layer after layer isn’t always the answer, and I always tell the county teams that we need to be deliberate with our technology investments; we have an obligation as a government organization to be fiscally responsible. Just because we could doesn’t mean we should. A key question I ask is, “What is the expected value and tangible outcomes we can expect to see with our IT investments?”
IICA: During your tenure in this position, which cybersecurity or IT project or achievement are you most proud of?
Aguilar: There are several wins we have from an Enterprise Security program perspective. One area is the standardized approach to address risk across all county departments regardless of cluster, business or regulatory requirements. This standardization also allows the same approach for security SMEs [subject matter experts] to address risk across departments. If a department security professional promotes to a new role or transfers to a new county department, there is minimal ramp-up time. The framework and methodology remain the same. The change comes with the new business requirements and/or regulations associated with the new department, which greatly reduces time to ramp up.
Another win is with an initiative we call DISO as a service (DaaS). The majority of county departments have a departmental information security officer (DISO). There are several departments which do not, and the department’s CIO is stepping in to provide security services. Under the DaaS program, my office has a dedicated resource assigned to several departments, taking the lead role as a DISO in performing security functions including contract reviews, validating compliance across the security stack, adherence to board policy, executive reporting and incident response.
We did a pilot over the last 12 months and have proven great success in which we are currently hiring a net-new resource to further expand the program. Essentially it is creating a VCISO (virtual CISO) bench within my office; we pick up the cost and allocate a percentage of utilization to county departments in need to perform DISO duties. Remaining time is allocated to enterprise initiatives in which there is an assurance that the business requirements of these departments in the program are included in enterprise security plans. It’s a new approach for the county of Los Angeles and closely resembles a consulting model used to allocate utilization across several functional areas prioritized against risk and exposure.
IICA: If you could change one thing about IT procurement, what would it be?
Aguilar: One change I would like to see is the turnaround time from a proposal to onboarding a new solution. The contract process is lengthy, with several layers of checks to ensure county requirements are being met. One item specific to vendors is we need immediate engagement with the Information Security and Privacy Requirements Exhibit. This is added to the majority of county IT projects and is typically an area of delay due to the back-and-forth nature between the department engaging in the proposed solution/service and the vendor. I have seen this exhibit become a bottleneck due to it not being addressed up front as it’s intended to be. Without agreement to the terms and conditions within this exhibit, it will stall IT procurement each and every time.
IICA: What do you read to stay abreast of developments in the gov tech/SLED/cybersecurity sector?
Aguilar: Like many other CISOs and technologists, I spend a great deal of time reading articles on LinkedIn, GovTech and from feeds I receive from county-trusted partners. I also make it a point to collaborate with other CISOs across the region’s municipalities and other states. It’s essential to share our lessons learned and what our organizations are faced with. I’m not a fan of re-creating the wheel; there is a great deal of knowledge to be shared and leveraged from our personal networks and the industry at large.
I’m fortunate to have a close friend who is also a CIO for a health organization in Orange County. We spend hours discussing hot topics in the industry and strategies to further reduce exposure. Having these relationships is key to maturing my knowledge and skill set as a CISO. It is also a great way to give back and potentially help my network with issues they are facing that I might have already had to find a solution to address.
IICA: Who is your technology hero?
Aguilar: This is not an easy question to answer. I have been fortunate over the course of my career to be surrounded with great mentors and leaders. This includes the county of Los Angeles acting CIO Peter Loo; our last CIO and now CIO for the state of Washington Bill Kehoe; and my predecessor and good friend, Washington state CISO Ralph Johnson. Having great leaders to model myself after who inspire and promote self-thinking and creativity has always been key for me. There are many styles of leadership; I try to learn from the leaders and peers that surround me and take these lessons and apply them to my own style.
IICA: Off the job, do you have any hobbies?
Aguilar: During my personal time, my hobbies include competing in Ironman triathlons, which for those who are not aware of the sport is a 140.6-mile triathlon. This consists of a 2.4-mile swim, 112 miles on the bike and a 26.2-mile run over the course of a day. Fortunately for me, my wife also competes in these events, so we’re able to spend a great deal of time training together. I also enjoy spending time with my daughter, paddleboarding, cycling, traveling, mentoring and being an adjunct professor for Pepperdine University. Nothing takes the work stress away quicker than training for an endurance event.
Editor’s note: This interview has been lightly edited for style and brevity.