LADWP's New CISO Sees Control as a Solution

The Los Angeles Department of Water and Power (LADWP) named David Alexander its chief information security officer about a month ago. Techwire sat down with Alexander to ask him about his new position. The interview was lightly edited for clarity and length. 

Techwire: What is your background and what are your goals as CISO?

David Alexander: I held the role of IT security manager before this. I was just recently appointed to the CISO position about a month ago.

Obviously, my goals are to protect the department to the best of my ability against cybersecurity risks. Establishing a good foundation for risk identification and mitigation is one of my principal goals. Another one of my goals is to establish well-defined processes for handling and identifying risks themselves. A third one is a much deeper and more involved user engagement in cybersecurity in general. My biggest defenders are my users so I want to engage them extensively.

TW: How do you anticipate doing that?

DA: There’s definitely going to be some technical solutions. I’m a firm believer in people, then processes, then technology. So I want to engage with people and teach and train them and get them on board with doing this, and then I want to make sure the processes are well defined and codified, and then I want to implement technology as technical control to make sure those processes are followed.

I want to have controls that allow me to monitor the network, to see what’s going on with it. I want controls that will also be able to identify network-based risks, like IDS/IPS solutions, as well as data loss detection devices. I’m also looking to engage some well-established governance models of software, some risk framework software. I’m also looking to do some more extensive end-point detection.

TW: How does the bring-your-own-device (BYOD) model affect the LADWP?

DA: We have devices that the department itself is issuing, and we’re actually managing some of the data access through department-issued devices that are managed with software like AirWatch. So we are actually rolling out some department equipment to manage access to emails and data sets because some of our data is very, very sensitive, and so we want to make sure that that’s not out on people’s devices. As far as access to the email environment itself, again we’re very sensitive to what kinds of information people can take from us, so we are requiring that our users use department-issued devices, but we are managing those devices with BYOD-type technology.

TW: What is your biggest challenge in this position?

DA: Honestly, it’s organizational culture. A lot of times organization users have had the habit of being able to have free-rein access to the information they use in the field and in operation. While that prolific use of the information is very beneficial to the department, it also puts the department at risk if that information is sought out by threat actors. So being able to protect access and managing that data itself helps the department protect itself. So changing that cultural dynamic is going to be my biggest challenge.

TW: Are you going to be doing any procurement in the next year?

DA: I do anticipate the purchase of some software. Hardware, we are probably pretty set on. I’m looking for frameworks, workflow management, governance, risk-compliance type software — those are probably going to be the biggest area of purchase. A lot of that technical control we already have, and it’s just a matter of leveraging it more effectively.

We’re under the purview of our board of commissioners, and as a result our procurement processes are managed without our department. We do RFIs and RFPs.

 

Kayla Nick-Kearney was a staff writer for Techwire from March 2017 through January 2019.