As part of Techwire’s ongoing efforts to educate readers on state agencies, their IT plans and initiatives, here’s the latest in our periodic series of interviews with departmental IT and cybersecurity leaders.
Ken Kojima is agency information security officer (AISO) for the California Department of Corrections and Rehabilitation (CDCR). A longtime CDCR staffer whose time there spans more than 12 years, Kojima has been an information security leader since April 2019 and was the department’s Cyber Security Intelligence and Operations Center supervisor immediately before that. He joined CDCR in January 2008 as an information systems analyst after information systems work in the private sector. His private-sector experience included time as a business analyst at Oracle.
Kojima has a Bachelor of Science in Electrical Engineering from the University of California, Davis. His professional education includes study of advanced network forensics and analysis at the SANS Institute; a master certificate in information security from Villanova University; and a certificate in Leadership for the Government Supervisor from California State University, Sacramento.
Techwire: As the agency information security officer of your organization, how do you describe your role; and how have the role and responsibilities of the ISO changed in recent years?
Kojima: The role of the CISO has been an interesting one, to say the least. My career path allowed me to experience many different areas within the information security field, from policy writing and auditing to cyber operations and threat hunting. From these experiences, I would say the basics of my current roles, and arguably all information security positions, are to gather and present reliable risk data (visibility), analyze and propose potential solutions with decision-makers (governance), and establish and implement security controls (enforcement) in support of the department’s mission and objectives. As for the changes within the CISO role over the years, I would say that today’s CISO needs to be a technologist, meaning someone who is familiar with and can understand all forms of technology that exist today and in the near future. The basic concepts of protecting the confidentiality, integrity and availability of paper-based information still apply to cyber and information security, but the complexities of the risk mitigation options have increased exponentially, aligning with the technology boom over the last 20-plus years. As technology connects more systems to more data, a CISO should focus on understanding where these nodes exist to protect the data and subsequently the people.
Techwire: How big a role do you personally play in writing your organization’s strategic plan?
Kojima: As a member of the IT executive cabinet, I have a consulting role in the organization’s strategic plan to help ensure that plans include proper conversation regarding information and cyber risks. At the same time, I am directly responsible for the strategic approach to IT security operations and technology risk management.
Techwire: What big initiatives or projects in cybersecurity, IT or innovation are coming in 2021? What sorts of RFPs should we be watching for in the next six to 12 months?
Kojima: From an IT-centric perspective, an emphasis on remote and teleworking service resiliency will be one of the top goals for CDCR. The COVID-19 pandemic forced CDCR and other state IT executives and organizations to shift the approach of IT service delivery, on which staff and employees are becoming more reliant. The goal should be to invest in critical infrastructure to ensure minimal disruption to state operations. As for RFPs, based upon the current budget status, CDCR will focus on expanding court-mandated video surveillance as well as expanding technology-based rehabilitative services for our incarcerated and supervised populations.
Techwire: How do you define “digital transformation” in an information security context; and how far along is your organization in that process? How will you know when it's finished?
Kojima: I would define digital transformation generally to include the following ideas: removing reliance on paper documents that tend to be harder to store and maintain, create labor-intensive processes, and are more difficult to inventory and track; adapting manual processes to more efficient technology platforms; finding ways to innovate using current technologies. More specifically to information security, I would use the acronym SOAR (Security Orchestration, Automation and Remediation) to define digital transformation. CDCR has been on the digital transformation path for several years even prior to my arrival, and I don’t think there is an end goal to target. I would contend that the department will never be “finished” with digital transformation in the sense that there will always be new technologies or platforms that could be leveraged to improve services delivered to both incarcerated individuals and the employees. It is our responsibility as technology leaders to find ways to augment and innovate the services that we provide to the state.
Techwire: What is your estimated cybersecurity budget, and how many employees do you have? What is the department’s overall budget?
Kojima: The current cybersecurity budget is approximately $2 million, not including certain infrastructure items such as backup storage, firewall appliances and other infrastructure services that support cybersecurity. The current ISO section has 16 positions allocated including my own. The CDCR’s overall budget as of last year was approximately $13.4 billion, with potential increases this fiscal year depending on the finalized state budget.
Techwire: How do you prefer to be contacted by vendors, including via social media such as LinkedIn? How might vendors best educate themselves before meeting with you?
Kojima: Vendors looking to grab some face-to-face time with CDCR IT executives, including myself, are encouraged to visit our CDCR Vendor Portal. Each month, we dedicate time for IT executives to listen and learn about new products, services and business that could help enhance our services that we offer. We’ve found this to be a very efficient way to engage with our vendor community and partners.
Techwire: In your tenure in this position, which cybersecurity or IT project or achievement are you most proud of?
Kojima: My choice would be the building of the CDCR Security Intelligence and Operations Center that focuses on security monitoring and incident response capabilities. My predecessor and current state CISO Vitaliy Panych had the vision of the unit, and I was lucky enough to be in the right situation to have the opportunity to build the foundation. We created better operational visibility for the IT organization, matured our security culture and increased our human capital by hiring security-minded engineers and analysts. The culmination of these efforts has increased our overall security resiliency while acknowledging there is still work to do.
Techwire: If you could change one thing about IT procurement, what would it be?
Kojima: One prospect would be to explore potential opportunities to streamline current processes. Many of these processes are likely required to ensure trust and transparency within state government’s procurement processes. That said, there could be opportunities to revisit and explore.
Techwire: What do you read to stay abreast of developments in the govtech/SLED/cybersecurity sector?
Kojima: I build relationships with my ISO community and monitor various state symposiums and conventions such as the California Cybersecurity Education Summit and the CIO Academy.
Techwire: What are your hobbies, and what do you enjoy reading?
Kojima: I read nonfiction articles, mostly bouncing in between technology (Mars and asteroid landing missions) to fantasy sports updates (Shohei Ohtani), and sometimes a little nature, mostly through the Internet. During this pandemic, like many other people, I’ve spent my time enjoying various streaming options with my family on Netflix, Disney+, Hulu, and Amazon Prime, amongst others. I do enjoy occasional camping along with listening, sharing and discovering new music.
Editor’s note: This interview has been lightly edited for style and brevity.