MISSION: To provide a forum that fosters communication and cooperation between industry and government security, law enforcement and emergency responders at the federal, state, local and tribal level to protect America's citizens and critical assets.

Chris Buse Interview
Christopher Buse
Chief Information Security Officer
State of Minnesota

Kristina Tanasichuk, Director of Government & Industry Affairs for GovSec, U.S. Law & Ready, sat down with the first Chief Information Security Officer for the State of Minnesota to discuss some of the challenges and priorities for his tenure.

Christopher Buse, an experienced IT professional with an auditing background, ascended to the role of CISO from managing Information Technology Audits for the Minnesota Office of the Legislative Auditor. During his 19 years as an auditor, Buse planned and oversaw information technology audit work done on large government computer systems. He also provided state-of-the-art technology tools and training for financial audit professionals who worked for the office.

As CISO, Buse is responsible for designing and implementing the enterprise security architecture for the state’s government.

GOVSEC: What is the greatest challenge you face as the first CISO of the State?

CHRISTOPHER BUSE: Ironically, you'd think it's "security" but really the greatest challenge is securing the financial and personnel resources to implement our plan. This is the first government-wide plan for an enterprise security system and we are faced with an environment of "haves and have nots." Some agencies have spent their security dollars well, others have not, so we are challenged by varying degrees of preparedness. I was part of a team that audited our government system and we found that the State was simply trying to guard too many fronts, with too few resources, WITHOUT SUFFICIENT PLANNING OR LEADERSHIP. I'm trying to make sense of that by engaging our existing resources and personnel, utilizing their expertise, and adding to it to collectively become more secure.

GOVSEC: What do you see as the difference between "security" and "homeland security"? 

BUSE: Information security is really a subset of homeland security, in my opinion. Homeland security involves a lot of physical threats - bombings, national disasters, etc. Information security is a subset - a vital subset - of that world. For example, Minnesota had its first tabletop planning exercise for a pandemic flu outbreak. Throughout the exercise I was struck by how much everyone relied on information technology. I realized that I have to make it happen, and make it bulletproof in order for us to really be able to respond successfully. We have to assume something really bad is going to happen and assure that our systems are still available and operational for our government to continue.

That is one of the reasons the Information Security Council is so important. All state agencies are required to appoint representatives to the newly created Information Security Council. The council's charge is to recommend enterprise security policies, procedures, and standards; monitor enterprise security policies, procedures, and standards for continued applicability and appropriateness; and discuss and recommend for approval or disapproval exceptions to enterprise security policies, procedures, and standards. I chair the council and consider it my "Board of Directors" so to speak. We have strong legislation supporting our efforts but the most critical piece is assuring that everyone is involved and bought in to the process. The council is one way we are working to achieve that.

GOVSEC: Can the private sector help? 

BUSE: Absolutely! We need to look at vendor solutions for 19 functional areas - in each we need specific vendor interaction. We will need to use vendor tools or look for managed security solutions. We are currently looking at what is most efficient: what we should do ourselves and what part should be outsourced. We will also use open source wherever possible - open source has phenomenal tools - some of the best are in open source. 

GOVSEC: Are current initiatives, particularly the Information Security Council, improving interagency communication? 

BUSE: ABSOLUTELY. I hope people don't feel like we are another government agency pushing unfunded mandates on them. The goal is to get to where we need to be by providing the tools and people to make it happen. I think of it three dimensionally. We need to clearly define what must be done. However, it is equally important for me, as CISO, to ensure that a supporting cast of tools and people are in place to translate the vision into reality. If we neglect any one of these three dimensions, we'll fail. 

I also recognize that everyone is adapting to the change. Some of the agencies that have focused on security and have systems in place are working to change their usual way of business; the agencies who have not focused on security are also adapting. One way we are easing this transition is to form "Centers of Excellence" where we review the existing structure, policies and procedures and retain the existing best practices. We do, however, want to provide some standardization so that no matter what agency you are in, you will have the basic tools to confront an information security issue.

For example, we are in the process of developing security standards for each product so that if an agency official is faced with a decision he or she will have a checklist of things to do and not do.

GOVSEC: Are you achieving other efficiencies or benefits from this move toward an enterprise-wide system? 

BUSE: Yes, and there are two aspects to it. First, this system is much more cost-effective. With every agency out for themselves, as in the previous model, there is not enough money for each to achieve a secure environment on their own. However, as we share the costs between agencies, pool our resources and leverage our size, we can and have achieved great things. We did need a fundamental change. 

Second, there is also a world of "have and have nots" among different levels of government. The city and county IT people are in some cases worlds apart in their IT spending. I think that this initiative will increase interaction between all levels of government and help to develop robust systems that can help small and large cities alike. We can cross traditional government boundaries and provide really good leadership by providing all of our cities and counties with the same tools we develop for the state-level agencies. This will improve both security and services for all the people of the State of Minnesota.

GOVSEC: As a pioneer in this new security environment, are there any other tools that could help? 

BUSE: Well, I'm looking to develop a peer network - that's part of the reason I am speaking at the GovSec event. I want to find out what others are doing and establish relationships with other CISOs from around the country. When I was an auditor for the state legislature we had a very robust peer network. I really want to find that among my new peers.

 