License to thrive

View This Article in BOSS Magazine

From governmental agencies to driver’s licenses, the State of Connecticut is going digital. The state’s first official CISO offers a glimpse of the transformation

In March of this year, Connecticut Governor Ned Lamont introduced a yearlong initiative to create a new information technology organization within the state’s government. Centralization is the cornerstone of the effort, which, in addition to inculcating cybersecurity best practices across all state agencies, will give them the comprehensive support they need to be more secure.

Prior to the move, each state agency adopted their own IT solutions, an approach taken by many other state governments. The optimization program will unify the way IT and cybersecurity are managed across agencies, in the hope of greatly reducing risk. With a dozen executive offices and over 75 departments and agencies, many operating in a technology bubble of their own choosing, that risk level is not insignificant.

The governor’s action also opens the door to modern technology that can be updated more sustainably than legacy systems and is more convenient for the state’s 3.6 million citizens — 30,000 of whom work in government — to use. As Lamont stated in his announcement of the undertaking, “From Day One, our administration promised to streamline government services and make interacting with the residents of Connecticut much easier.”

The forward leaps the Nutmeg State have already made include the “CT Business One Stop” web portal to “provide a seamless digital solutions to current and potential business owners with full-service, personalized guidance about planning, starting, and operating a business in Connecticut,” according to the governor. (Prior to its summer 2020 launch, businesses were forced to work with multiple agencies to obtain the licenses, permits, tax information, and other requirements. One Stop is one of the state’s early steps toward wider centralization.

Overseeing the security aspects of the modernization project is the state’s first official CISO, Jeffrey Brown. An expert in information security and IT risk, Brown implemented cybersecurity controls for some of the world’s most recognized financial institutions, including GE Capital, Citigroup, and Goldman-Sachs, prior to his appointment. He is also the author of “The Security Leader’s Communication Playbook: Bridging the Gap between Security and the Business.”

“Security needs to touch every single employee across a business or across a government. We have training and awareness material we have to communicate, we have to let individuals understand security responsibilities, and translate technical concepts for the audience,” Brown said. Connecticut’s work to consolidate IT and security is rooted in communicating with the populace, which is essential for a society that’s becoming increasingly reliant on digital technology.

“Many states have started on the journey to digital government, but Connecticut has made a lot of progress. We’re moving to flip the model upside down on how a citizen interacts with the state, and essentially moving to a 24/7 government,” he said. “We’re putting funding and people behind this effort. Other states may talk about heading in this direction, but our state has a tangible program with tangible results.”

For Brown, taking a “citizens first” approach to digitization is critical. “It’s very important to our mission to make sure we are ultimately serving our citizens. The best way to do that is to ask them how they would like to interact with the state government,” he noted. The success of Business One Stop has helped to make way for the development of a digital twin for residents’ needs, which includes the creation of single-citizen user identities.

“When you go to the DMV you have to register, create a login and password. If you go to get a fishing license or whatever you need, you have to start all over again. We’re looking to unify that experience and reduce the friction in our citizens’ interactions with their government,” he said.

One bold leap toward that goal is a recent partnership with Apple that will make Connecticut one of the first states in the nation to adopt digital driver’s licenses and state IDs.

“We’re excited to bring a new addition to our state’s modernization efforts that will make our residents’ lives easier, and keep their identities secure through the use of mobile driver’s licenses in Apple Wallet,” the governor said in a late September release. “We’re looking forward to taking the next steps to make sure this new feature benefits our residents.”

The TSA is fully onboard; the technology is intended to get domestic flight passengers through their ID check faster.

Digital ID will also speed visits to the DMV. “Many people hate going to the DMV,” Brown admitted, “but in this state it’s one of our shining points since you can do so much of what you need to do on the Internet.”

Another is the ability to renew licenses and state IDs online, which was something of a stealthy addition to the state’s services. Online renewals quickly outstripped in-person visits. “It’s amazing. It happened fast, and mostly by word of mouth. There wasn’t a big advertising campaign, but, boy, has it been well received,” he added.

Unifying cybersecurity technology and processes under the Executive Branch is also being applauded. “The state used to be very federated, with each agency taking care of their own security vulnerabilities. There was no holistic view across the entire state of what everyone’s vulnerabilities look like." he said.

Brown called on vulnerability management experts at Tenable to find each agency’s exploitable weaknesses. “Now we have a very clear, centralized view across all of our agencies in terms of what our security risks and vulnerabilities are.”

The state has also ended the legacy method of providing security monitoring only during business hours, implementing round-the-clock surveillance and triage across all agencies with the help of cybersecurity leaders Binary Defense. “They gave us a better security operations center, which automatically gave us better coverage than anybody had in any of the agencies. Most of the agencies were lucky to have a person or two dedicated to security. You can't do 24/7 monitoring with two people,” he said.

“State governments have to be held to the same standard as the private sector,” he concluded. “We have to take the same precautions that they take, and we have to be held at the same security standards as them. That’s why taking a citizens-first view is our compass that sets the direction in everything we do.”