Ahead of his presentation at the Internet of Things Summit in San Francisco on April 19 & 20 2017, we spoke to Gary Hayslip, Deputy Director, Chief Information Security Officer (CISO) for the City of San Diego.
Gary is responsible for developing and executing citywide cyber security strategy and leading teams focused on Enterprise Risk Management, Security Engineering, Application Security, Cyber Security Operations, & Cyber Security Resiliency. His mission includes creating a ‘risk aware’ culture that places a high value on securing city information resources and protecting personal information entrusted to the City of San Diego.
1. We have recently seen connected devices being used for a well-publicized DDOS attack, what do companies need to do to prevent this in the future?
I think one of the first things companies can do is have an accurate inventory of all assets that are on their network. This will give them insight into what organizational assets they have that may be attacked and possibly leveraged against them. I also believe, what we are seeing with these new types of attack vectors should make organizations update their incident response plans/training to account for how they would respond to these types of attacks. They should look at what procedures they would take, who should be contacted i.e. via a communications tree and how the organization should respond with well documented RACI matrix so Incident Response team members know who has authority to make decisions to protect the organization. What it comes down to is breaches are going to happen, you need to build a network, team, and policies that will be resilient and absorb what happens without going completely down and inoperable.
2. With the nature of cyber threats constantly developing, how would you advise companies and cities to adapt their data security strategies when developing smart city technologies?
I would advise them that many of the emerging smart city IoT technologies that are being implemented have unknown risk issues. What I mean by that is in the emerging IoT space there is no specific security framework or compliance framework that is being followed to ensure new IoT solutions have "Security by Design" baked in at the planning stage of creating the technology. Because of this uncertainty, you need to have a mature security framework implemented with a continuous monitoring, scanning & remediation process. They need to understand that with these technologies comes a quotient of risk that needs to be planned for and monitored. As cities proceed to adopt the ISO 37150 & ISO 37151 smart city frameworks they will implement new technologies to provide services and manage open government initiatives. To do this effectively they must account for the risks of these technologies and have a mature process to manage it.
3. You are a member of several advisory boards, how important do you think these kinds of positions and networking with other IoT experts with the technology developing so quickly?
I am fond of saying "Security doesn't exist in a vacuum, however, it will thrive in a community". In my 30 years of working in IT and CyberSecurity, I have found the threat space is intricately dynamic and the rate of technological change is accelerating. To account for this and to manage it for your organization a CISO must constantly educate themselves through collaborating with their peers, attending training sessions & seminars and be willing to research and write about what they are doing well and receive information on what they can do better. I see the position of CISO and the CyberSecurity community is in a state of growing maturity and to survive you must get involved in the community to be an effective valuable business partner for your organization.
4. The IoT presents some significant opportunities for smart cities, which are you personally most excited to see develop?
Cities tend to have amazing amounts of data on the operations of their departments and the technologies/services they provide. Much of this data can go back decades and I am finding the use of sensors and new analytics platforms to crunch that data and develop datasets for Open Data Initiatives fascinating. I also am very interested in how sensors can be used in everything from detecting leaks in municipal water main systems to street sensors that collect data on traffic flows and specific parking patterns. One last technology I am very interested in is drones, drones that can be used to inspect remote equipment stations so you don't have to send resources out for manual inspections or drones that could be used for emergency operations exercises for alternative video and data communication methods.
5. Where do you see the IoT and connected devices within urban development in 10 years time?
I see them as a common part of the smart city technology architecture. I believe many of the technologies being developed by companies like GE or Cisco for intelligent infrastructure projects will have matured and their risks will be better documented and understood. Best practices, security controls, and risk remediation processes will have been tested and will be commonplace for cities as the continue to implement software defined networks, cloud technologies, sensors systems and new data analytic methodologies.
Gary will be presenting at the Internet of Things Summit in San Francisco on April 19 & 20.