Mike Marshall is the agency information security officer (AISO) for the California Environmental Protection Agency (CalEPA), a position he has held since December 2017. He was previously the agency’s chief information security officer for more than three years, and before that he was an information security architect for the California Public Employees’ Retirement System. Before joining the state, Marshall’s private-sector experience includes more than three years at AT&T Wireless, where he was a functional architect, a security architect and a project manager.
Marshall has a bachelor of science in management information systems from California Polytechnic State University, San Luis Obispo, and has done post-graduate work in advanced forensics at the SANS Institute.
Techwire: As CIO of your organization, how do you describe your role; and how have the role and responsibilities of the CIO changed in recent years?
Marshall: I have a unique role, as in, at the agency level, we typically don’t have an operational aspect to our role — but we do in my instance. I act as the agency information security officer, which oversees the six different BDOs (boards, departments and offices) under CalEPA. I’m also the ISO for the Office of the Secretary, which is our agency-level operations. I’m also the privacy officer and the risk officer for the entity known as the Office of the Secretary. … In regards to the operational and the agency level, I manage a fairly small security budget within the shared services … throughout the agency. … We all live and we all sit in the same building … minus our satellite offices. And we try to share services as much as possible, and we utilize some of our security spend in our budget to support the BDOs across the agency. Technically, CalEPA is an umbrella agency; we have six different BDOs: the California Air Resources Board, CalRecycle, the Department of Pesticide Regulation, the Department of Toxic Substances Control, Office of Environmental Health Hazard Assessment, and the State Water Resources Control Board. Given that we call ourselves the Office of the Secretary of that agency, technically that’s another office as an entity, so there are seven of us total.
Probably the biggest challenge right now is that the security is ever-changing and very dynamic. It’s my job to utilize all the available funds that we have and the staff that we have and the technology to stay on top of any and all potential vulnerabilities within the agency. I not only have to stay aware of what’s going on within my organization, but what’s happening out in the other agencies, the other departments; and stay in very close contact with the California Department of Technology. I tend to have a very close relationship with CDT. I got involved heavily in their different endeavors. Cal-Secure is one of the bigger ones that I dealt with and was involved with. From … the agency perspective, not the operational perspective so much … I’m trying to get staff within the agency and across the BDOs cross-trained. We’re … trying to work with them to identify ways we can reduce expenses across the agency and the state, and one way … is to look at getting our BDOs to agree to some of the same security-related products. … With seven of us in one building, we have some economies of scale we could take advantage of. … The economies of scale work in our favor if we can get all the BDOs to come together and buy one product and utilize it, and cross-train people and have those backup types of scenarios with staff that understand the products across the agency.
There’s a lot of hats I wear, but the biggest changes I think since coming into this role have been really more trying to take a functional level with CDT and a bigger-picture role, to try to spread that down, first to start the policies, to start engaging with CDT. I’ve taken a very active role with … ISLA (the Information Security Leadership Academy) … being a coach, being an adviser, trying to train people. Given our deficit of security workforce, we’ve been … working with CDT to come up with ways to train people and get them into the security world. There’s a very large demand in the private sector for security workforce, and the government workforce is not … as competitive as a lot of the private-sector firms. … Cal-Secure is what we are looking to as our strategy for the next five years. … The bigger picture from the CDT perspective, we try to stay in line with that from an agency down through all of our BDOs, we try to push all that down into … to stay streamlined within the agency. We do have a ‘one CalEPA’ theme that we are looking for; we’re trying to continue that theme.
Techwire: How big a role do you personally play in writing your organization’s strategic plan?
Marshall: I do play a role; we have different levels of strategic plans. I work fairly closely with CDT and Cal-Secure. My boss and I decided that we would take Cal-Secure and let it flow down from a security perspective to our agency. So, developing Cal-Secure for me was really developing a high-level strategic plan for our agency. Once we did that … we did an agency security plan … that went into the overall IT strategic plan; and put together initiatives for all of our BDOs. And under the new administration, Secretary (Jared) Blumenfeld and Undersecretary (Serena) McIlwain, we’re working more across the agency and the BDOs to develop common goals and priorities as one CalEPA team. This perspective goes throughout the organization, working together on initiatives. We contract with the same IT security products and services to achieve economies of scale … and cross-training staff. What we’re trying to avoid in some of these initiatives is (having) seven different entities throughout our building doing seven different things as far as IT is concerned. … We’re really trying to take that to heart and trying to do as much as we can from a security perspective (as) one agency. We’re truly taking that to heart and trying to put forth a concerted effort to save the state money in that regard, save the agency money and have cross-trained employees from a security perspective. There’s a common theme in where we’re trying to go and that is the ‘one CalEPA’ team.
Techwire: What big initiatives or projects are coming in 2021? What sorts of RFPs should we be watching for in the next six to 12 months?
Marshall: All tech from the agency level just kind of floats down to all the BDOs, but formalizing our risk program is something that is — we do it today but we’re trying to make a more formalized process. … And that goes with formalizing our privacy program as well and our privacy office, if you will … . Risk is one of the major tenets of security, but programs themselves should be set up in a more formal way. … The other thing we’re doing is pretty major; it’s been going on for quite some time, we’re moving a majority of our data center to CDT to (Tenant Managed Services) TMS … . This has been a large initiative that has been going on for three to four years now — contracts and planning and everything — and right now we’re in the implementation stage. This is a green initiative; it’s going to reduce our carbon footprint, save on energy costs. It will add space for staff, workstations as well, because we take up quite a section of our building with our data center currently. I believe it started four years ago; they’ve given us a November timeframe in which this should be complete. We’re going to be utilizing the cloud-first strategy, so we’re looking at doing some things like … moving our file servers over from on-prem to a cloud-based, SharePoint type of scenario.
There are quite a few RFPs that will be (coming) later. I don’t think that we are ready to announce any of these yet … . The whole state is working on a Microsoft contract; I think the RFP is out right now for that. Basically, we’re looking at procuring a higher-level suite from Microsoft and of those, try to, again, look at purchasing altogether as a state and utilizing the product suites that they have, so we don’t have these spare products floating around.
Techwire: How do you define “digital transformation,” and how far along is your organization in that process? How will you know when it’s finished?
Marshall: Digital transformation is coming up with effective and disruptive ways of leveraging technology to make both internal and external business processes more efficient. Information technology is here to support the business and, given our expertise within IT, it is incumbent upon us to ensure our business stakeholders understand what is available technology-wise to streamline their business processes and create efficiencies within the business.
Techwire: What is your estimated IT budget and how many employees do you have? What is the overall budget?
Marshall: The IT budget — it’s a little different for us. We have a security budget that I manage specifically, which is pretty small; it’s only $475,000. But that was meant for specific items. Our BCP (budget change proposal), it was put together for the military assessments that are done for the agency, and about half of that budget is consumed annually by the military assessments for each of the entities within EPA. Like, one year, three of them will go; the next year, four of them will do their ISA (independent security assessment), and we balance that budget. About half that budget goes towards that annually. Then the other portions of that budget go towards different security tools, mitigation tools that are more for our shared environment. Really, they’re more to support the BDOs. Our shared environment, it’s a pretty healthy environment that … most of the BDOs in one way or another utilize. We buy security products and security services with that portion of that budget, to help to mitigate risk within the shared environment. But then, the overall IT budget — that’s something that we would have to talk with (CalEPA AIO) Sergio Gutierrez about. Sergio holds the overall IT budget and deals with that from the AIO perspective. From an IT budget, a lot of times, we come together … as an agency and try to purchase items together. I think five or six of us use one set of firewalls, and ultimately, we will all likely be using the same ones, as we’re in this building. But we’re going through a bit of a transition because we are moving some stuff to TMS, so we are working towards that; and again, working together as one CalEPA team.
From a budgetary perspective, I just threw this in here more so because this was proposed in the governor’s Jan. 10 (2021-2022 Fiscal Year budget), of security audits and security operations and costs. Those costs currently are tacked on every year. They’re outside of the independent security assessments, which the agency pays for on behalf of the BDOs. But the security audits are $80,000 a year for entities and they are $80,000 a year for four years. That’s a $320,000 price tag over a four-year period for an audit and a check-in audit. You get one audit; the next year you get an ISA by the Military Department; the following year you get a check-in audit; and the fourth year you get an independent security assessment. ... So, that and the security operations center (SOC) costs, which we all have with CDT, which we appreciate, they’re definitely useful — but those two, we’ve been working on BCPs. Last year, we worked on a BCP to remove that from a budget line item for the entities … so no longer will the entities incur those costs. The part that I don’t know, because it’s just proposed at this point, is where that cost will shift to. From a security perspective, this is, especially for some of our offices … they have a very small budget and an $80,000 hit annually is something they could use to help their … security risk profile as opposed to paying for an audit. So, if this goes through as proposed … both the SOC costs and the security audits … will be a pretty big burden lifted off the entities; and the ability to increase your security posture, as opposed to paying SOC costs and security audits. That’s a fairly big thing for a lot of people. … The little guys that we constantly hear about in CDT meetings that we attend are not doing well with that and it’s very difficult for them.
Editor’s note: The AISO indicated he serves around 100 staffers in the Office of the Secretary, but has “oversight responsibilities” for about 5,000 other staff in the building “from an Information Security and Privacy perspective.”
Techwire: How do you prefer to be contacted by vendors, including via social media such as LinkedIn? How might vendors best educate themselves before meeting with you?
Marshall: Typically, I prefer vendors reach out to me via email. However, I typically am reaching out to vendors myself. … What I don’t like to see … is just a cold email, just a blast come out. And I know it’s hard because they don’t all have relationships with me. But at the same time, unless there’s even an inkling of an idea that we have some need for that product, then it’s really going to be spam. I like to have the relationships and I like to know, maybe I’ve reached out to you in the past, or maybe you’ve reached out via email and we’ve chatted — not necessarily just come in with a hard sell. I will say, if you’re a vendor and you’re out at an event — and this is probably pre-COVID — introduce yourself. I’d like to have the introduction and maybe then we’ll talk product-wise. I’m very much a person that likes to have some sort of communication with you and not just, ‘This is my product … .’ I want to have some sort of interaction with you.
Techwire: In your tenure in this position, which project or achievement are you most proud of?
Marshall: Cal-Secure is something that we spent a lot of time on and that is something that … it was … weeks and weeks, if not months and months of time, putting that together. Sitting in rooms jam-packed with people trying to ferret out the details to get to a place, and we had to go back and change it numerous times with all the opinions in the room. That’s one of the biggest. And then from our perspective and from a more agency focus, is the policies that we put together. … The initial batch, there were 19 different policies that we put together, from the security perspective. And when you start writing policies … if you started to write them for just one set of managers that you had to get them approved through, it’s one thing, but when you’ve got seven different HR departments, seven different legal departments, seven different IT management areas … and then you’ve got to go through the unions, it’s not an easy process. Probably the third achievement — it’s the Information Security Leadership Academy. I’ve been involved with it every year since it started. I’ve been a coach or an adviser or sat on a panel to discuss with the individuals (participating). We just finished our third cohort in September. It’s more fun for me than it is a job because that’s helping people grow, that’s doing something selfless for other people and trying to get them to a place where hopefully they can help the overall state of California within the leadership in the future after they … mature within security and they grow as a person. ISLA is … bittersweet because I enjoy doing it but it does take a lot of my time. You’re out about nine days as a coach, so it’s hard to do because it does take your time.
Techwire: If you could change one thing about IT procurement, what would it be?
Marshall: I would say the timeframe that it takes to complete a purchase. I’m sure that’s a pretty common theme. The timeframe in which it takes to complete a purchase by the state could and should be addressed. That’s one thing, but more than that, I’d like to see something like we do right now. We started doing this when our past state CISO, Peter Liebert, was here, he started putting together what’s called the (Software Licensing Program) SLP-plus, and that’s one of the contracts that are out there right now. I would like to see this happen more throughout the state, but I think it would benefit both sides. For instance, if an entity purchases 100 licenses from Vendor A at X dollars, the next entity purchases another 500 and that purchase is then based on a 600-license quote as opposed to just the 500 they’re buying. And as it grows, your discount with that vendor increases. It can’t be done for everything … but for physical products and procuring products out there and possibly subscriptions as well, like we’re doing with Microsoft, I would like to see more of that in IT procurement. The SLP-plus, how it’s structured, I’d like to see that grow. I’d like to see more products be a part of that. And then, some way or another, figure out a way to get the timeframe in which it takes to procure reduced.
Techwire: What do you read to stay abreast of developments in the gov tech/SLED sector?
Marshall: So, I’m very active, as I said, with CDT, and a lot of the conferences and things that CDT puts on, I’m involved in. They have all kinds of conferences that they put on in regards to security, though recently with COVID this is obviously not the case. Additionally, annually, I attend the RSA conference ... and I attend the government day every year. It’s interesting to see their take on things. I also sit on the Information Security Advisory Council, which basically meets monthly, typically at CDT, and we discuss all things security related to the state. I read quite a bit of the local stuff; I read Techwire on the daily. I read CalMatters, as well; the tech in CalMatters is more probably program area, they’re not so much on the tech side. That and then … different trainings from SANS and then trainings from CDT are also things that I utilize to keep up to date. The Sacramento Bee, oddly enough, they have some interesting input; I do read that from time to time as well. The EDD thing is something … I keep very well informed on that from a fraudulent perspective because identity is something that we deal with here in the agency, identity fraud, stuff like that.
Techwire: What are your hobbies, and what do you enjoy reading?
Marshall: Hobbies-wise, I like being outdoors, which this COVID stuff has really put a damper on, although some of the things that I enjoy doing are still available. Golfing is probably first and foremost. I took up golfing quite some time ago; it was probably 25 years ago now, maybe more. I was golfing quite a bit and got my index down to 13. These days, I haven’t been golfing as much but the other thing I do enjoy doing, especially this time of year, is snowmobiling. I’ve got a bunch of buddies that ride snowmobiles and we go out. I’m not as adventurous as I was in the past on my snowmobile. ... I still enjoy going out and carving down the mountain on my snowboard. Summertime, springtime, boating and camping are two of the favorites. And finally, whether it’s winter, summer, spring, fall, whatever, I have a 4Runner and I like to go off-roading … and do a little snow-wheeling and go across some rivers and drive through some things and try to get stuck. My big thing with reading, and it’s always been this way, I don’t read any fiction. Reading has to be something that’s going to benefit me in my development. I’ve never read any Harry Potter; I’ve never seen any of the movies. My current read right now, I’m reading Unshakeable, the Tony Robbins book. It’s a financial book; my minor in college was finance. I’m a pretty big finance guy outside of work, I’m heavily into … financial management, investments, all of the above. I’m rereading it, kind of getting back into the Tony Robbins thing; I did go to one of his seminars, so I don’t know if that’s a hobby of mine, but it’s something I did to help form myself when I was younger.
Editor’s note: This interview has been lightly edited for style and brevity.