Cybersecurity in city government, taken to new heights: An Interview with Shane McDaniel

Image

When most people speak of any city government, they often mention words like “Bureaucratic”,
“Behind the times”, and “Slow.”  This is especially true when considering cybersecurity initiatives.  However, a small town in Texas is changing that view.  Seguin, Texas, which was once the smallest Texas city to have a full-time cybersecurity employee, was the only government entity to be named in the CSO50 2022 Awards. The CSO50 awards recognize security projects that demonstrate outstanding thought leadership and business value. 

The CSO Awards are quite significant, and The City of Seguin shares a position on the award list with some of the most recognized names in business, as well as global technology companies, including Bank of America, Accenture, and The MITRE Corporation.  Seguin was the only government entity to win an award.  No other city, State, or Federal government body shared this recognition. We recently had the opportunity to speak with Seguin’s IT Director, Shane McDaniel, whose dedication, and commitment made it evident that the CSO50 award was well-earned.

What was the criteria for winning the CSO50 award?

Shane McDaniel:  I told our story, which consists of a multi-year effort to build a cybersecurity program from essentially nothing. When I started in March of 2018, we did no awareness training. We had a few other early pieces of security technology, but there was no security culture. The award represents all we've done to progress cybersecurity on behalf of the organization, and on behalf of the city; the folks that we're responsible to. The award is not just a bunch of tools that are working together to protect the city assets. It's what we are doing as a culture, as an organization.

Can you expand on that idea of the culture of cybersecurity within a government entity?

SM: I've been in local government for six years now. Prior to that, I spent about five years in the private sector, specifically with a managed security services provider. And prior to that, I was with the federal government, supporting IT operations, working with the intelligence community towards national security for 15 years. When it comes to the organizational aspect of cybersecurity, in particular the cultural aspect in local government, we're all variations of one another. Nobody is necessarily reinventing the wheel per-se. You're going to have security devices in these organizations. You will have similar awareness training in place.  There are a lot of technical similarities.

It's the relationships that are established from the top down, the tactics that are leveraged to build the program that make the difference. In the case of Seguin, building that program was not so much about the tools and the resources and layers.  It was more the organizational approach to building the foundation, and how it ties to every aspect of how the city grows today. We are a rapidly growing community here in south central Texas, and we're adding resources constantly. As part of that initiative, we brought the organization to the point where security is included as part of the process for any new tools that are brought into the environment.  The senior executives in the city are all working in the same direction as well.

I also speak at every single new hire orientation. It's an all-encompassing approach to the cybersecurity culture. IT proactively addresses the security narrative from the top, the middle, and with the new folks as they walk in the door. The entire IT team promotes this initiative.  Collectively, we're all moving in the same direction, with an organizational approach.

When you started this journey did you use a particular framework that you found worked best for your environment?

SM: There has always been a lot of discussion about that. Early on, the answer was “no.” We went as far as leveraging the federal resources, with the department of Homeland Security, and the Cybersecurity and Infrastructure Security Agency (CISA).  We have electric utilities, water/wastewater, and we're working on a drainage utility, so some of the more granular frameworks are not readily applicable to us considering our resources versus our operational requirements. However, a few years back, I delivered a presentation about the CIS Controls with one of our trusted partners, Sentinel IPS. I came to the realization that those controls are more geared towards an environment like ours, so that is the framework most closely associated with our environment today. We have continued to build off CIS ever since.

Other companies on the CSO50 awards list are quite large, having lots of money to invest in cybersecurity. However, you have proved that good security can be achieved with much less. What advice would you give to other IT Directors who also have limited budgets. How do they start?

SM: It’s best to become educated about the subject. Lean on your network of professionals, and work with strong business partners.  Other ways to learn is by attending conferences, and taking advantage of the resources that are available to you. One of the things I absolutely love about local government is that we're not competing with any other city or county out there, basically, we are all friends.

If my neighbor down the road or across the state needs help we work together to help each other.  I've literally talked to local governments as far away as the State of Alaska.  Folks have helped us as well. So, you don't necessarily have to reinvent the wheel or be the person that discovers some great free cybersecurity resource. You just have to be receptive, and open to listening to others. And you have to be curious, do a little bit of homework, and a little bit of leg work, but the information is out there.

What advice would you give to others for getting buy-in from stakeholders? How do you make the case for a good cybersecurity program?

SM:  Communicate early and often. Initiating communication early on is key, and allowing that communication to filter down through the various departments and basically using that to your advantage. Coming from a military background, I look at effective tactics.  One method that worked really well is that we created “challenge” coins, that have our Seguin Cyber Champion program logo on them, which we give to staff, peers, or even citizens that reinforce good cybersecurity behavior.  It could be something like reporting a suspicious looking email.  It may seem silly to some folks, but they have been very successful.  We took the same approach with data blockers to advocate for good security practices inside and out of the office. The briefings I give at new hire orientations are also a great opportunity to share an overview of the IT department, our organizational cybersecurity approach, and how to communicate with IT staff if something doesn’t seem right.

I also leverage metrics as another tool towards communicating the importance of cybersecurity. I share the data with city management and wherever applicable. For example, we have seen an exponential increase in targeted phishing attempts over the past few years. To demonstrate why this is so important, I show actual targeted phishing attempts along with the associated metrics to new employees in orientation.  I use a brief slide deck to visualize the email coming from a legitimate employee’s name, but also how shady that same email looks on the backend. I make sure to mention that more often than not, those directly targeted phishing attempts are a request to reroute an employee’s direct deposit information.

There have been examples where I shared a targeted phishing attempt on a new employee that was actually in the room for their new hire orientation.  Upon sharing examples, I communicate that cybersecurity is far more than an organizational concern, and that it can have a direct personal impact on every city employee. For anyone living paycheck-to-paycheck their payroll could be affected, and it may take some time to correct.

I use metrics extensively, and can rattle off all kinds of fun numbers at the drop of a dime.  For example, people are genuinely surprised to learn that our environment has seen more than twelve million intrusion attempts since January 2020.  I have an operational dashboard that I built to visually represent this data through graphs and charts.  I probably drive our City Manager crazy with all the data, but I believe it is paramount to have a barometer for your organization.  

Along with the orientation for new hires, do you also have a formal security awareness training program?

SM:  Yes. The State passed a Bill that requires formal cybersecurity awareness training a couple of years back. Prior to that, no security awareness training was required for local government entities in the state of Texas. Early on, we were using an email filtering tool to catch some of the threats.  That was our first foray into awareness training; just a quick and random deal for employees. After the passage of this new Bill, every single city employee has to complete the training.  This includes council members, the mayor, everybody who has a city government email address has to complete that training as a State requirement in Texas.  As a proud native Texan, I very much thank our legislature for running with all the cybersecurity initiatives.

Is phishing one of the key threats in your industry today? What are the others?

SM: Well, you know, we're all just a click away from unmitigated disaster, ourselves included. I'm fully cognizant of that.  One way that we approached the problem is by removing the junk from people's inboxes. We're averaging about 80,000 emails a month coming into our domain, with approximately 20% of those flagged for security concerns and prevented from reaching the end user. The phishing encompasses impersonation attempts, potential malicious attachments, as well as standard spam. The next biggest threat comes from general system vulnerabilities.  We combat those by being diligent about applying security patches to our technology enterprise.

What successes contributed to Seguin winning the CSO50 award?

SM: It's an organizational award. It's not an IT department thing, because we would not be successful without our end users. One of the things that I preach around here is that we will only ever be as strong as our weakest link. So, our cybersecurity success very much takes buy-in holistically to achieve that goal. We're out here in rural Texas, and most folks would never think we would be winning awards for cybersecurity. Fact is, in the past four years we've won 14 State or National awards for several technology initiatives.  We completed a radio infrastructure project two years ago that impacted the lives of 165,000 people in this region. That project changed the game for interoperability radio communications in this region of Texas and Seguin was awarded with the 2020 IT Innovation of the Year from a leading governmental publication for that effort. You’ll often hear me say that we punch above our weight-class around here.

Our success also comes from the buy-in from the top on down.  We've invested in our infrastructure, and every leader in city government has supported our work. I just want to make sure that the organization gets that credit too, because if it was just me rambling on to a bunch of people who were tuned out, we wouldn't be receiving this cybersecurity award.  Our people are listening, they're taking it seriously, and I'm proud of what we're all doing here.

The next time you think of a city government, and what the possibilities are for world-class cybersecurity, remind yourself that the people who serve Seguin, Texas, led by forward thinking people like Shane McDaniel can achieve great things. Cybersecurity in city government, taken to new heights.