Toxic Substances Security Leader: “My Role as the CISO Has Expanded”

[Image: Nathan Black, CISO for the California Department of Toxic Substances Control, pictured with a pull quote from his answer on continuing education below.]
As part of Industry Insider — California’s ongoing efforts to educate readers on state agencies, their IT plans and initiatives, here’s the latest in our periodic series of interviews with departmental IT leaders.

Nathan Black is chief information security officer at the California Department of Toxic Substances Control, one of six entities under the umbrella California Environmental Protection Agency (CalEPA). It’s a role the 20-plus-year IT executive has had since January 2021, when longtime state technology executive Don Foley joined the department as chief information officer and deputy director.

Data management and data empowerment are areas of focus for likely future IT initiatives at his department, the CISO tells Industry Insider, adding he views his role as one that “extends beyond” traditional definitions. Black was recognized in February with a Leadership Award at the 2023 California Public Sector CIO Academy*. A seasoned outdoorsman, the CISO enjoys visiting national and state parks in California and Colorado in his spare time, as well as motorcycling.

Industry Insider — California: As the CISO at your organization, how do you describe your role? How have your role and responsibilities changed in recent years in terms of their intersection with IT and innovation?

Black: While many people might think of the CISO as the role simply responsible for information system compliance, policy development, policy enforcement, information technology risk management and incident response, my role at DTSC extends beyond those traditional domains. I am not only a technical influencer like some of my peers in other state agencies, but a business influencer, translating information technology risks to business risks. In fact, I’d define my role now as a business role as much as a technology role, perhaps more so. As impactful as security incidents may be when they occur, I do not spend much time worried about responding to them; I am more concerned with our business processes and the potential risks that they can pose when information security is not actively engaged with the business. These business processes, some more than a decade old, are often the “why” a security incident can be so impactful. A careless click by someone in personnel or financial services, for example, combined with processes that still utilize poor data management practices for sensitive or confidential information, can be a hugely impactful event, regardless of the security controls in place. My role as the CISO has expanded to include fostering relationships and building trust with business and program partners as a primary component of the CISO role. This trust is especially crucial as the business and programs expand and attempt to streamline their operations. Our business partners look to bring in new ways to become more efficient through innovation, some via our internal information technology services and others outside of information technology’s direct control. Regardless of the solution or the service provider, without the business’ buy-in to include information security’s input and modify processes in a way that can mitigate departmental risk, we would be unable to make the risk mitigation progress we need as an organization.

IICA: Does your organization have a strategic plan? How big a role do you personally play in writing that strategic plan?

Black: Our department does have a strategic plan (found here). DTSC’s five-year strategic plan was developed in 2020, prior to my January 2021 arrival at the department. I look forward to participating in the creation of our upcoming strategic plan in 2024/2025.

IICA: What big initiatives or projects are coming up? What sorts of developing opportunities and RFPs should we be watching for in the next six to 12 months?

Black: Data. DTSC is looking to address our data management shortcomings and embark on a data empowerment initiative. DTSC is aware that we must position ourselves to make informed, data-driven decisions. Our team has recently begun the foundational work for this initiative. This initiative is anticipated to be a three-phase project that will span the next three fiscal years. DTSC is also heavily investing in our new services hub powered by the ServiceNow platform. We anticipate ServiceNow expansion over the next two fiscal years to include hardware asset management, software asset management, an implementation of ServiceNow’s human resources management system and contract life cycle management. CalEPA and DTSC will be looking for implementation partners to enable these efforts. Additionally, the information technology teams and, in particular, the information security team, have prioritized automation of many of their operations. With a small team, staying operationally afloat requires efficiencies beyond what can be achieved with traditional manual processes. We anticipate looking for support from the vendor community to accelerate our efforts in this area.

IICA: In your opinion, what should local government be doing more of in technology?

Black: Digital transformation to improve operational efficiencies and simultaneously reduce risk. As an information security professional, I’m concerned with the assets that we cannot audit, monitor or otherwise control. A common example of this that I’ve experienced at multiple government entities is information assets printed to paper medium. While we can audit and, in some cases, control what information assets are printed to paper, once they have been printed, that uncontrolled information becomes a risk as it could potentially end up anywhere. This can be especially significant if data classification or data loss prevention tools are not in place to identify potential confidential or sensitive information. Unlike other media, technical security controls like encryption are obviously not a feasible solution to secure printed data. I’m surprised at government hesitance with making concerted efforts to go paperless. While we have seen progress in this space, especially as state departments interact with the public, internally, many agencies have not opted to make significant changes. Printing information assets to untracked paper is a risk that, in 2023, generally does not need to be accepted. The vast majority of internal business processes within local governments can be accomplished without printing via the support and guidance of their IT shops, yet over the past years, especially at previous departments I’ve worked for, I’ve noted a rise in requests for printers to accomplish business transactions. I use the example of data printed to paper, as it illustrates risks that are often not managed by agencies. Government agencies need to manage risks, and not only risks to their information technology systems, but also to their information assets (data) regardless of the format, medium or location. Digital transformation is the vehicle that will advance government in this area.

IICA: How do you define “digital transformation?” How far along is your organization in that process, and how will you know when it’s finished?

Black: Digital transformation is the embracing of technology to process and analyze data, solve business problems and automate processes generally done manually or via paper. Digital transformation utilizes information technologies to vastly improve how an organization can meet the changing needs of its customer base and dramatically improve process efficiencies. DTSC is actively making inroads in this space. While we are in the early stages of this journey, our information technology team is aggressively pursuing solutions that will bring operational efficiencies to our customers’ business processes and to internal information technology teams by implementing new technologies, including artificial intelligence. While we are not far along in our digital transformation journey, we believe that we may never be truly “finished” as our customers will continue to develop new use cases and our IT teams will continue to innovate to meet those demands.

IICA: What is your estimated IT budget and how many employees do you have? What is the overall budget?

Black: Information Technology at DTSC has 106 positions, five of which comprise the Information Security team. Our information technology team has grown by 20 percent since last fiscal year. In the last 18 months, the Information Technology program has had the privilege of welcoming new talent to the senior management team. The senior management team is not just focused on being a partner with, and enabler of, the business. We are also focused on building a new culture at work, breaking the mold traditionally seen in state government. We are striving to create a culture that promotes our core values, embraces compassion and where appreciation is valued. Building collaborative partnerships, being supportive, keeping both an open mind and a growth mindset are priorities. As our CIO at DTSC said, “Effective leadership creates the culture, culture brings people together, people execute vision and strategy, vision and strategy advances the organization.” I believe in the value of creating and maintaining a positive work culture, and this value is understood and appreciated by each of the other members of our leadership team as well. Our overall department budget this fiscal year was about $585 million, with nearly $25 million of that allocated to the information technology program.

IICA: How do you prefer to be contacted by vendors, including via social media such as LinkedIn? How might vendors best educate themselves before meeting with you?

Black: I have a strong preference to be contacted by members of the vendor community via LinkedIn. Cold calls and unsolicited emails, which always seem to come at less-than-convenient times, are my least preferred contact methods of communication with new prospective vendor partners. It is always appreciated when vendors have done their homework before engaging with us. Understanding what our department does and the compliance requirements imposed by law and mandates from our external authorities is a great start. Understanding our compliance requirements generally allows for valuable discussions with vendors out the gate. That said, DTSC’s information technology and information security programs do not look for just vendors, we look for partners. Quality partners with whom we can build relationships based on respect, trust and integrity, qualities that mirror a subset of the core values our teams have adopted.

IICA: In your tenure in this position, which project or achievement are you most proud of?

Black: When I started at DTSC, I had the privilege of building a new security program from the ground up. It’s the second time in my career I’ve had such an opportunity. Getting a budget change proposal (BCP) approved, building a team, architecting a risk management program, implementing a vulnerability management program, deploying continuous monitoring tools, and defining new information security standards are some memorable projects and efforts I’ve especially enjoyed. Although capable information security skill sets are difficult to find, I have been blessed to have great members on the information security team. I’m proud of the overall body of work the team has performed in a relatively short time frame. If there is one achievement that I’m most proud of, it would be the results from our last independent security assessment, which validated all the hard work done collectively by DTSC’s information security team.

IICA: What has surprised you most this year in government technology?

Black: With more than 20 years in information technology working for, or contracted with, the state of California, there hasn’t been anything I’ve found particularly surprising so far this year.

IICA: What do you consider best practices for staying well-versed on potential threats? How much continuing education is necessary in your role?

Black: Continuing education is crucial for any true technologist to be optimally successful, whether the focus may be on application development, systems engineering or information security. The technology landscape and threat landscape in particular are constantly evolving and becoming increasingly more sophisticated. New vulnerabilities and exploit kits against those vulnerabilities are seen at a daily rate. Adoption of not just new technologies, but also processes, techniques and tactics is vital to remaining ahead of the game. Having a growth mindset is key to true success. We should always be looking to grow and improve our skill sets on a daily basis. It is more than acquiring the continuing education credits that are needed; it is a commitment to mastery of your domain.

IICA: What are your hobbies and what do you enjoy reading?

Black: As an avid outdoorsman, I enjoy my time hiking in the woods, backcountry camping, horseback riding, and generally taking part in outdoor activities. I always look forward to my time in the national and state parks here in California, as well as Colorado, where I regularly visit. However, the activity that brings me the most joy is motorcycling. Whether it’s riding a dirt bike down mountain trails, a weekend road trip, or just commuting to and from work, motorcycle riding brings a smile to my face.

Even though I find myself most often reading nonfiction, especially American history and technology subjects, I enjoy reading historical fiction. More than 20 years ago, I read the book Snow Wolf by Glenn Meade, which solidified historical fiction as my favorite genre. I’ve particularly enjoyed the historical fiction works of novelist Robert Harris. Several of his books top the list of my favorites.

*The 2023 California Public Sector CIO Academy was hosted by Government Technology magazine, a publication of e.Republic, which also produces Industry Insider — California.

Editor’s note: This interview has been lightly edited for style and brevity.