A National Guard man with 33 years’ experience serving the military on his resume, California’s Chief Information Security Officer Keith Tresh knows firsthand the importance of keeping sensitive information safe. In an exclusive interview with Techwire, Tresh talks about his day-to-day life keeping an eye on government data and trying to sleep with the weight of the large task on his shoulders.
Tresh began his foray into information technology on the military side, serving as a telecommunications manager and then on the help desk side. After earning a master’s in Computer Information Systems from the University of Phoenix, Tresh was deployed in 2005 as an Army Brigade Signal Officer.
Returning from a 2006 combat tour in Iraq, Tresh became the Chief Information Officer for the California National Guard, overseeing the network security for the guard’s Department of Defense network. The position gave Tresh responsibility for securing the network and included plenty of training from the federal government.
“The security on the military side is much more stringent,” Tresh said. “So that’s kind of where I got into the IT security, learning and then working from high-side classified networks and having to adhere to those standards, so that’s the nexus.”
Tresh then heard about his current position, held within the California Technology Agency and was encouraged to apply.
“I have been a state employee for about 10 years, because in the guard they’re both federal and state, so it’s been a very easy move,” Tresh said of moving from the military into state government. “The transition from federal to state as far as the way things operate has been great.”
Tresh took the position with the Office of Information Security within the Technology Agency in August 2011, taking on all the worries and concerns that come with overseeing all state data and systems.
“There are so many different types of threats and actors out there in cyberspace,” Tresh said of the daily concerns that come with his job. “Nationstate actors, organized crime, folks that are doing it just for fun and those who are trying to make money. Each threat is different, they adapt and change but we keep conquering the threats.”
Tresh said “working closely with each state agency and department can feel a bit like a juggling act”.
“We have to remain constantly vigilant and it’s my office and specifically my job to make sure that all the state agencies know the threats and keep pressing them and helping to make sure they don’t let down their guard for one minute,” he said.
As Chief Information Security Officer, Tresh functions as part of the California Technology Agency and will be subject to the governor’s reorganization plan passed in July 2012. He works closely with federal agencies, the Department of Homeland Security, the Multi-State Information Sharing and Analysis Center, and the California Highway Patrol, which handles reported IT crimes.
“It starts at the federal level, down to the state level, and now we’re coming even closer with the cities and counties and the universities,” Tresh said. “This threat is so prevalent and different that we have to share things so we can pool our efforts and our resources to try to combat it.”
The office will remain busy through the Fall, keeping an eye on cyber threats and hosting informational events for government. On August 22, OIS hosted a security roundtable with House Cybersecurity Subcommittee Chairman Dan Lungren (R-CA), for a discussion about federal cybersecurity activities. In October, Tresh’s Office will host the eleventh annual IT Security Awareness Fair aimed at increasing government and business leaders’ awareness about IT security risks.
While government data must remain protected, Tresh cautioned California citizens to exercise caution when downloading applications and using social media on home computers.
“People are worried about their data and about systems at work, but they also need to be diligent about their home computers,” Tresh said. “Just
because everything’s cool like social media and downloading files, doesn’t mean people can assume it will OK, because some of these bad actors end up owning and taking over computers.”
A hacker can gain access to a home computer to deny service on a state department or agency’s computer system without the home computer’s owner ever knowing, according to Tresh.
As for his three decades of service in the military, Tresh’s fulltime position keeping information safe for the state has not allowed him to forget his roots. Tresh still maintains a position commanding a logistics brigade in the National Guard based in Roseville.
With the weight of IT security on his shoulders, Tresh says his OIS “well-oiled” and “hard-working” crew of six make his life much easier, though he still requires stress relief.
“I run many miles in the morning,” Tresh said. “I’m an avid runner and that is my stress relief. And lots of Starbucks.”
Role of the Information Security Officer
Statute requires state departments and agencies to appoint an Information Security Officer.
Each agency or department ISO has the responsibility for maintaining standards and security protocols for incidents and breaches within their organization, and reporting to OIS. This includes collecting information and doing the forensics and follow up, says Tresh. ISOs are the lead security officer for an organization and the liaison with OIS which sets policies for the entire Executive Branch.
During a bimonthly ISO meeting, Tresh and his staff walk through best practices related to risk mitigation and risk assessments. A basic training for new ISO’s focuses on basic duties and responsibilities and the reporting process for an incident, according to Tresh. OIS also maintains an email and communications channel with ISOs to provide alerts and information for ISOs on a daily basis, he said.
In a hacking incident, Tresh explained that the work flow begins with the individual agency or department. In a hypothetical scenario in which a hacker breaches an agency’s network and gains access to personnel information, such as names, addresses, social and pay data, the agency quickly reports the potential threat to the computer crimes unit at the California Highway Patrol and immediately has staff conducting troubleshooting and determining the scope of the data loss.
“We work with the agency in helping them solve problems and provide them with resources and guidance, and provide help and training, if needed, to abide by the standards related to risks and incidents.”
The Office of Information Security’s team gets involved to determine the type of data loss, ensure the agency secretary and the governor’s office have been notified and help with any additional workload needed from the individual agency. OIS will guide the agency, work through public release of information about the hacking, and answer the question of “now how do we fix it?,” Tresh explained.
“We walk through and work with them until it’s complete,” he said.
The entire process could take a few weeks.
“The process lasts over a two week period, from the time they report it, to give us what their plan is,” Tresh explained. “But depending on how big the breaches are and how much data was lost and how many assets there are, it could be weeks or months.”
This article originally appeared in Techwire Magazine mailed to subscribers in September.