State Information Security Leader: ‘Threats Are Always Evolving’

As part of Industry Insider — California’s ongoing efforts to educate readers on state agencies, their IT plans and initiatives, here’s the latest in our periodic series of interviews with departmental IT leaders.

Dan Falzarano is information security officer (ISO) at the California State Water Resources Control Board, a role he has held since October. A 14-year veteran of state service, Falzarano was previously ISO at the California Department of Fair Employment and Housing from June 2017 until October. His other state roles include serving as information security analyst for the California Health Benefit Exchange.

Falzarano has a bachelor’s degree in business management from the University of Phoenix.

Industry Insider — California: As a technology leader at your organization, how do you describe your role? How have your role and responsibilities changed in recent years in terms of their intersection with IT and innovation?

Falzarano: They continue to change almost every year. I consider my role to be that of a security consultant for the organization. The reason being, there’s usually not a specific yes-or-no answer to a lot of questions. So we have to do our research, look at things, ask questions back and forth, and determine what’s the appropriate level of security that needs to be applied to something. So in that sense, it’s also, as a consultant, about education with people in the organization. A lot of times, there’s not the understanding of why security is important or why it applies in a certain situation. We have to give them some background information, and once we do that, I find it always changes the tone of the conversation. It’s just like anything else with anybody who doesn’t understand something: if you educate them, then they have the background and they understand why somebody needs to be involved in some type of situation. But that’s where I see myself as a consultant. I think a lot of times, the organization and staff are going to see us as being a technical security analyst. But as an information security officer, running an information security program, there’s a whole compliance side of our work that a lot of people do not see and do not understand. And that generates a lot of questions when I’m going out doing some outreach, as to why I’m doing it and why it’s important for the organization. Everybody assumes that security is all technical. I almost put that at about 25 percent of what we do. The other 75 percent is compliance and assessments and engaging the program areas on what needs to be done and how to secure information.

IICA: How big a role do you personally play in writing your organization’s strategic plan?

Falzarano: I joined this organization in October, so I’m still learning a lot of it and I haven’t been involved in the strategic plan. I want to know if a previous ISO has been involved, so I’m going to be learning that as I go forward. But obviously IT is, so I’m hoping there’s a component for information security. But it’s becoming more prevalent. A lot of times, I’m having to point to new legislation that’s coming out as to why we’re being involved. Again, always changing. I try to get that point across as well; we’re not static. We have to evolve with whatever the current threat environment is, and legislative environment as well.

IICA: What big initiatives or projects are coming up? What sorts of RFPs should we be watching for in the next six to 12 months?

Falzarano: I know we had a lot of ongoing projects. I don’t see any new ones coming up here in the near term. Security-wise, I don’t have any initiatives that require funding or anything like that. It’s more along the lines of internal initiatives for the program that I want to get done. There’s no cost involved in them at this point. At a high level, it’s on the administrative side of what we do. It’s compliance. We spend a lot of our time on that, and that’s probably the hardest part of our job: the compliance, and finding the staff that are knowledgeable in it. Coming out of the schools, they’re all focused on the technical side. So, when we’re looking for people to help us on the administrative side, we have to dig deep to try and find those individuals. It’s also about trying to find an individual who is teachable, because we don’t find the skills of being able to do the analysis that is necessary. It’s just on-the-job training, and how I learned, a lot of it was on-the-job training.

IICA: Compliance is a moving target, isn’t it?

Falzarano: It is. Every year, every few years, the security standards get updated, so we’ve got to keep abreast of that. The assessments that we have performed by the California Military Department, we’re intimately involved in those. And then we have our audits that are done by CDT (the California Department of Technology), the Office of Information Security. Every year or two years, we have something going on that’s compliance related, and that keeps us on our toes, which is good. They’re pointing things out and we’re making adjustments in our environment to resolve anything they might point out. But yes, it’s very time-consuming, the compliance side, also.

IICA: What term or phrase do you use to refer to what many call “digital transformation?” How far along is your organization in that process and how will you know when it’s finished?

Falzarano: Digital transformation is taking everything that was done in the paper format and converting it to electronic format. For me, that’s digital transformation. The term is loosely defined out there (as) going from on-premise IT to a cloud environment, but I view it as something different. Converting from paper to electronic, because for me, data’s data. In information security, it doesn’t matter if it’s on paper or it’s electronic, you still need to protect it at the same level that it warrants. And that’s one reason why I think a lot of people in information security are able to go from one state department to another state department, because it really doesn’t change. There are a few departments that have a lot more security involved. But for the majority of us, we can go from organization to organization, and step into a role and be able to perform. That’s kind of unique that we’re able to do that.

IICA: What is your estimated IT budget and how many employees do you have? What is the overall budget?

Falzarano: Our budget aligns with, or is inside of, the IT budget, what we budget for specifically for security. Again, that’s something I haven’t been involved in yet. I’m sure here, in the near future, I will be. Staffing-wise, we’re a small unit, three people, and that’s something I need to work on as well. I think that’s something that every organization, not just the state, every organization, is going to struggle with, staffing. Having the appropriate levels, and providing the justification for the additional staffing. Then that’s something I’m going to be working on this year, to adjust our levels to match what is required by the state. That’s something that, because there has been turnover here, it’s been hard to justify it in the past, I think because of that turnover. And if you’re in an efficient unit, that also doesn’t help you. But it still doesn’t remove the amount of work that is involved. Where I’m coming in, from outside the organization, from being involved in other organizations, I see that, yeah, there is work that needs to be done and we need the staffing to do it, but I also have to go back and justify it. And you should justify it. I totally agree with that. You just can’t ask and get positions. You have to back it up with the work that needs to be done, and also find out that it’s ongoing work. We don’t do one-time work. It’s not a one-time project for us. It’s not a one-time fix, because the threats are always evolving. The landscape is always, the organization is always changing. So we need to adjust with it.

IICA: How do you prefer to be contacted by vendors, including via social media such as LinkedIn? How might vendors best educate themselves before meeting with you?

Falzarano: For me, I like to research if I’m in need of vendor assistance. See what solutions are out there. I don’t put my information out there and I’m careful with the newsletters and things because I don’t want to get bombarded. Because if I did, if I put my information out there, I would be bombarded every day with requests from vendors. So, I really try to limit it to what’s important to security. And just for me, for my part of security, I guess that what I would say is, you have your vendors, they’ll have a lot of products, but I always focus on the security products that they’re offering. And what we’re finding is, there’s a lot of consolidation. Vendors are, you know, names change all the time. And vendors will offer multiple products, but a lot of times we don’t need multiple products. We need one product. I get very choosy in who I want to share information with also. I don’t want to bring in a bunch of vendors and share information. And when we do sit down with them, yes, we’re going to be more open because we’ve decided that this is something we want to talk about and that they have something that could help us. I’m always saying, all of our products are under constant evaluation to see if it’s providing the information we need and the support we need. Threats always change so a tool today might not work tomorrow for us.

IICA: In your tenure in this position, which project or achievement are you most proud of?

Falzarano: I like the way our organization embraces security. Decisions were made before I took the position around multifactor authentication (MFA), and that’s been a big push for us and we’re staying in front of it. And that’s a battle I don’t have to fight. That makes my job a lot easier. I know they do embrace security. There’s always a cultural shift with staff and I expect that with every organization. But taking a few minutes to educate makes a world of difference. I think security should be running in the background. It shouldn’t be a barrier to what we’re doing. It should be accompanying what needs to be done for the organization, securing your data, securing your network. And it should be seamless for the end users. The end users, their role in information security cannot be overstated because they’re out there basically on the edge of our perimeter. And it is the phishing attacks that really concern us. It’s the prospect of ransomware.

IICA: If you could change one thing about IT procurement, what would it be?

Falzarano: I don’t know how much can be done with the budgeting aspect of this and the procurement process, because we are kind of locked into that state methodology. But for security, I think we need a little bit more flexibility because of the emerging threats. We never know what’s going to happen tomorrow, if we’re going to need to purchase some type of tool or gear to mitigate a threat. With the cyber threats, you know, you have zero-day threats out there. So, if there is something out there new that happens and everybody has to get the one tool that does it, you’re already behind the eight ball and trying to find the funds. And I understand, you’ve got a budget for everything, but we do need a little bit of flexibility and availability to expedite some of these tools or resources that we need. I think it’s just something that I believe a lot of people recognize, that the need is there. Just figuring out how best to do it is kind of hard at times.

IICA: What do you read to stay abreast of developments in the gov tech/SLED sector?

Falzarano: I get a lot of security alerts from different sources, so I’m reading those on a near-daily basis. And then, believe it or not, I rely on the news reports quite a bit, because they’re usually the first to find out if something’s happening out there and if it’s going to impact organizations. Or if people in the organization might have been impacted by something, a bank experience, some type of incident. It’s just relaying that news to an organization that we feel is helpful to staff. Because one of the things we also look at is education. When we’re educating people, I want them to understand that it’s not just for when we’re here at work, it’s for when you’re at home as well, on your own devices and with your own information. I always try and tie it back to that as well. I also network with other ISOs. We share information. But really, I research things as I need to, so I know I don’t really rely on one source of information.

IICA: What are your hobbies, and what do you enjoy reading?

Falzarano: I like to ride the motorcycle in the mountains. I like to get out of the Sacramento area and get up in the mountains and ride on the windy roads and have fun that way. And for reading, I like self-improvement and leadership books.

Editor’s note: This interview has been lightly edited for style and brevity.