Techwire: As CISO of your organization, how do you describe your role; and how have the role and responsibilities of the CISO changed in recent years?
Leon: As chief information security officer (CISO), I am responsible for overseeing the information and cybersecurity risk management programs, which includes the development and implementation of policies, strategies and processes that protect Covered California’s assets. This includes ensuring compliance with applicable control agency policies, standards and guidelines within the State Information Management Manual (SIMM) Section 5300. In addition, as the nation’s largest state-based marketplace, I am responsible for ensuring compliance with the policies and standards within the Centers for Medicare and Medicaid Services (CMS) Minimum Acceptable Risk Standards for Exchanges (MARS-E) and the Internal Revenue Service Publication 1075 Information Security Guidelines. Working with our partners at the Department of Health Care Services (DHCS) and Office of Systems Integration (OSI), I oversee the development of policies and standards to ensure the confidentiality, integrity and availability of the California Healthcare Enrollment and Eligibility Retention System (CalHEERS). The role of CISO, like many IT leadership roles, has evolved from one that simply required good technical skills. The CISO role is now seen as a trusted adviser for the organization, who serves as a thought partner to manage enterprise risk and how technology can enable the organization. The role of CISO today is far more complex, with responsibilities including leading teams to handle real-time threats and mitigation of attacks, security architecture, development and implementation of security policies, cybersecurity risk, security awareness, audit, and regulatory compliance. CISOs of today must understand the business goals of the organization and how cyber risk fits in the overall organization’s strategy.
Finally, the CISO must serve as a mentor to develop the next generation of information security leaders so they are prepared to respond to the ever-changing security landscape and needs of the organization.
Techwire: How big a role do you personally play in writing your organization’s strategic plan?
Leon: I’m fortunate enough to have joined a strong leadership team, which is taking a key role in contributing to the organization’s strategic plan. My primary focus is on the cybersecurity risk strategy and how it integrates with our enterprise risk strategy. Our IT leadership team has a tremendous amount of experience in various, highly regulated industries that allows us to offer unique perspectives and influence on our strategic plan.
Techwire: What big initiatives or projects in cybersecurity, IT or innovation are coming? What sorts of RFPs should we be watching for in the next six to 12 months?
Leon: At Covered California, our mission is to improve health-care quality, lower costs and reduce health disparities of California’s citizens through innovation. Our initiatives and projects always place the consumer and their experience at the core. There is a strong focus on the value and importance of big data and how we can continue to leverage that data to enhance the consumer journey and consumer experience. As we continue to innovate, we are also focusing on how we can better serve our internal customers and provide the necessary services to provide consumers a positive experience. The addition of these innovative and critical services requires my team to continuously evaluate and implement appropriate security tools and safeguards that not only protect but also enable Covered California.
Techwire: How do you define “digital transformation” in an information security context; and how far along is your organization in that process? How will you know when it’s finished?
Leon: Digital transformation is essentially the evolution of how organizations use people, process and technology to pursue and develop new business models, driven by changes in expectations by the organization and consumers. Covered California started its digital transformation journey a few years ago with a strong focus on the 360-degree view of the consumer, including development of personas and journey maps, as well as investing in tools and technologies to enable the transformation. Rapid adoption of new processes and services can expose organizations to significant vulnerabilities and threats if information security is not included as part of the transformation. Covered California has enhanced several processes to regularly evaluate the security implications of digital transformation and has included security as a strategic initiative to manage these risks. Working with our IT operations team, we have expanded the use of multifactor authentication (MFA) with conditional access, revised our information security awareness training, and conducted table-top exercises. In response to your final question, the reality is digital transformation will never be finished. Digital transformation is an iterative, continuously evolving process.
Techwire: What is your estimated cybersecurity budget and how many employees do you have? What is your organization’s overall budget?
Leon: Our estimated all-inclusive cybersecurity budget including an operating budget is in the eight-digit range. This number reflects our maintenance and operating costs of our eligibility system, the California Healthcare Enrollment and Eligibility Retention System, which is responsible for providing affordable health care for 1.6 million Californians. This fiscal year, we are planning significant investment in tools and services to enhance our existing security program and improve our overall security posture. The information security team at Covered California includes a core team of security professionals and the CalHEERS security team that ensures the confidentiality, integrity and availability of our most critical asset at Covered California.
Techwire: How do you prefer to be contacted by vendors, including via social media such as LinkedIn? How might vendors best educate themselves before meeting with you?
Leon: I prefer to have vendors contact me via email. Even if we don’t have a need for a particular solution right now, there may be a need in the future, so I do maintain a catalog of tools and solutions and may schedule a short call to learn more. My leadership team also does a good job of sharing information on vendors and wares, in case one of us has a need that the other was not aware of. I recommend that all vendors do some research to understand who we are and what we do. We are a highly regulated agency, and vendors must understand what those regulations are so I can understand how their tools or services not only benefit Covered California but also ensure compliance, reduce risk and improve effectiveness.
Techwire: In your tenure in this position, which cybersecurity or IT project or achievement are you most proud of?
Leon: My tenure in this current position began in February 2021, but the team has accomplished a lot since February. When I first came into this role, we were midway through the annual audit with CMS amid their transition to a new program format. For added complexity, we were also in the process of completely migrating the existing CalHEERS system to Amazon Web Services in partnership with DHCS and OSI. The teams worked diligently for several weeks responding to numerous audit requests and producing artifacts while maintaining our focus on the migration efforts. Through their tireless efforts, the annual audit was completed on time without any impact to the schedule, and the CalHEERS migration was completed in May of 2021. I’m also excited to see the career development within the team. My team members have been taking a very active role in their career development by taking advanced information security training to bolster their skills and obtain industry certifications, which results in greater contribution to the team and Covered California. I look forward to seeing the growth as information security professionals progress on their individual career paths.
Techwire: If you could change one thing about IT procurement, what would it be?
Leon: Three words: workflow management system. Being new to state service, I am always reading and learning about our processes and procedures. Having a robust workflow management system could really benefit Covered California. A lot of processes and procedures are based heavily on emails. Procurement can be delayed if folks are on vacation or if a step is managed by a single person and they are not reachable for some reason. Organizations would benefit from the acquisition of a workflow system that includes a powerful workflow engine with configurable rules, routing and approval functions that are configurable to meet the needs of the organization.
Techwire: What do you read to stay abreast of developments in the govtech/SLED/cybersecurity sector?
Leon: Cybersecurity moved fast prior to the pandemic and has only accelerated since March 2020. I stay current on cybersecurity news and trends by reading several cybersecurity blogs including IT Security Guru and CSO Online. These security blogs are a great addition to one’s reading list to stay current on the latest trends and advancements in cybersecurity. Since beginning this role, I have established many positive relationships with other ISOs in the state, including the California Department of Technology. In my prior role in the private sector, I had the chance to meet and present cybersecurity topics with Vitaliy Panych, the new state CISO. Vitaliy has been extremely helpful getting me acclimated in my CISO role at Covered California. I also stay abreast of gov tech by actively following news articles in the online news outlet Government Technology.* It’s enlightening to see how government and education embrace technology to solve complex problems in very innovative ways.
Techwire: What are your hobbies, and what do you enjoy reading?
Leon: I try to stay fairly active and enjoy many outdoor activities. My favorite activity would have to be doing anything off-road with my family. We’ve had the chance to explore some remote places in the Western United States and the Baja peninsula, and there’s nothing like visiting these remote locations and experiencing them with my family. I enjoy planning the routes, identifying as many risks as possible, mitigating risks where possible, and including redundancy and contingency planning (dual batteries, auxiliary lighting, additional fuel, safety beacons); I guess I am an IT ops/information security guy? A personal goal of mine is to complete the Pan-American Highway, but I might have to wait until retirement to complete that one. My daughters also share my affinity for off-road motorcycle riding and have logged hundreds of miles together. We also enjoy boating, snow skiing and scuba diving for recreation whenever possible. We most recently visited the Yucatan Peninsula and had the chance of a lifetime diving with whale sharks and manta rays. When I’m not outside, I enjoy home improvement projects and performing music. I’ve played trumpet most of my life and miss performing with several local community ensembles since going back to school, and I hope to return once school is complete and COVID-19 restrictions are reduced. My leisure reading list is short since I enrolled in graduate school. My wife and kids are avid readers, so they are always full of suggestions, and I hope to check out some of their recommendations after graduation. I did recently pick up the book titled “Thinking, Fast and Slow,” by Daniel Kahneman. It came at the recommendation of my accounting professor. The book has a strong following in the sports industry, where major decisions must be made with little information, which is a growing theme amongst managers and leaders.
Kahneman illustrates that there are two modes of thought, the first mode being instinctive and emotional, and the second mode is logical and deliberate, and how biases can influence our decision-making. The book is not an easy read but does serve as a good desk reference for those wishing to make sound decisions with limited information.
*Government Technology magazine is a publication of e.Republic, which also produces Techwire.
Editor’s note: This interview has been lightly edited for style and brevity.