California state CISO: the goal is “operating as a whole government”

The State of California experiences more than 200 million malicious probes every day – the equivalent of nearly 139,000 malicious correlated events per second. 

And they’re gunning for what may be the largest collection of digital information assets in the United States.

California CISO Vitaliy Panych is charged with safeguarding it all.

The way he sees it: “Our mission is to keep all Californians online and in business by enabling our government agencies to continuously enhance [our] security posture through effective oversight and provide scalable mitigation capabilities to keep up with all threats against their privacy and our ability to serve our residents.”

It’s a monumental task, but there’s a firm structure in place to effectively manage the mission.

Panych and his centralized staff oversee the security of more than 140 state departments. Together they provide assessment, governance, and oversight as well as auditing and operational services to those entities, adding their experience and expertise to a collection of other state officials who work together to secure California’s vast digital holdings.

It’s a team effort, for sure, Panych says.

“The coordinated team approach allows agency and independent departments to be held accountable to set remediation standards, while statewide operational efforts mitigate threats. This level of coordination results in streamlined and holistic risk prioritization throughout state government.”

Execution from day 1

Panych brings nearly 20 years of experience in state government to the role, including three years as agency CISO for the California Department of Corrections and Rehabilitation (CDCR)—the largest agency in the state and the third largest law enforcement organization in the country.

During his tenure there, he initiated and completed the buildout of CDCR’s security intelligence and operations center, focused on insider activity, and developed a forensic and investigation lab to support correctional and law enforcement efforts.

He also worked with then-state CISO Peter Liebert on CalSecure, a five-year cybersecurity strategy for the state’s executive branch agencies. The strategy provides a guiding framework for the state government’s various departments and entities. It was the first time the state’s executive branch had such a plan.

Panych became the state’s deputy CISO in January 2019, working in that position until he became acting CISO several months later when Liebert left for the private sector. The Governor’s Office made Panych’s title official in January 2021.

Having come up through the government ranks, Panych says he was able to focus on execution from day 1.

Now, looking forward, he wants to build zero-trust concepts into the state’s defense strategies to mitigate supply chain threats and fraud; incorporate collaboration and transparency between localized security teams so they act together to mitigate threats; enhance the policy and standards framework so that he and his team focus on applicable threats in a risk-based fashion and are more prescriptive in how they do it; and ingrain privacy and security into identity and access so that the agency can facilitate services without trading off user experience and accessibility.

Fostering collaboration, unity

California state government is a federated system, so the various departments and agencies have their own IT and security organizations. Panych oversees all the departmental CISOs and security leaders, with his position reporting to California’s state CIO.

As the state CISO, Panych and his 70-member team lean on the state’s cybersecurity strategy to provide governance, direction, policies, procedures, and standards to all departments, agencies, boards, and commissions that make up California’s government as well as multiple independent entities that fall outside of state jurisdiction but voluntarily collaborate.

Panych says the security roadmap demonstrated its value during the pandemic.

“We designed it to be adaptable and agile, so any initiatives under people, process, and technology were malleable as the threat landscape changed,” he explains. “That was super conducive to the Covid environment. We had to shift some priorities to support remote [engagements], and we were able to support gaps and deficiencies that our departments could not solve alone in a silo. We could adapt our oversight and be there as a consultant and an advisor to our departments.”

Panych considers that advisory role as well as the ability to promote collaboration between all the units as a big part of the value he and his team provide.

“The less our departments operate in a silo, the more successful we’ll all be. That’s our high-level vision and strategy: to unify and be more service-oriented, to act as one team,” he adds.

He says collaboration is critical for continued success, and as such he’s focused on strengthening his partnerships with other state entities.

The goal, he says, is “operating as a whole government, where we are working in unison,” noting that these partnerships elevate security capabilities and enhance information-sharing to provide better security overall.

The California Cybersecurity Integration Center (Cal-CSIC) is a prime example of the benefits produced by such collaboration, Panych says. The center serves as a hub for the state government’s cybersecurity activities and coordinates information-sharing with local, state, and federal agencies, tribal governments, utilities, and other service providers, academic institutions, and nongovernmental organizations.

Panych is also focused on building up centralized security services, such as its security operations center, and offering its capabilities as if it were a managed security service provider.

Laying the groundwork

Like any other CISO, Panych is well aware of the challenges facing him as he seeks to make good on those objectives. He acknowledges that recruiting and retaining security talent remains a challenge. So does making processes as efficient as possible.

He has plans to address those areas.

For example, his Office of Information Security has workforce development programs, including a cybersecurity training bootcamp and an IS leadership academy, to develop the skills it needs.

He’s also bringing automation to oversight and auditing to get real-time security metrics from systems, instead of having those activities be manual and human driven.

And he’s working on a single sign-on identity and access management initiative aimed at enhancing security policy management and how access is facilitated statewide.

Additionally, he and his team are working to strengthen oversight of the technology supply chain and the state’s third-party providers, in alignment with President Biden’s May 2021 executive order seeking to improve security in federal networks.

“[We have to] create transparency between providers and their providers and work as one team to mitigate any gaps or issues that a provider or partner may introduce,” Panych says. “So we’re looking at enhancing security procurement and contracts to make sure we’re addressing those third- and fourth-party risks.”

The objective of all these initiatives, Panych says, is to further elevate and mature the security programs, procedures, and policies throughout state government.

Panych applies insights from his almost 20 years of studying JiuJitsu to his role as CISO, noting that martial arts, like security, emphasizes fundamentals. “It deemphasizes fancy moves,” he explains. “Everything we do in the martial arts world builds on the foundation and the fundamentals, which is what our security is all about. You can’t implement a new next-generation security tool without security 101 and those basic security controls being there first. And that’s congruent with what Jiu Jitsu is all about, building basic moves into muscle memory. practicing your plans, building processes and practices into the limbic system and thinking 10 steps ahead of your adversary.”

Success in both Jiu Jitsu and security happens, he adds, “by practicing a thousand times until you can’t get it wrong.”