[ISN] Interview with Dan Lohrmann, Michigan chief information security officer

From: InfoSec News (alerts@private)
Date: Mon Mar 05 2007 - 22:33:09 PST


By William Jackson
GCN Staff
03/05/07 issue

When it comes to security credentials, Dan Lohrmann has some powerful 
training. He became Michigan's first chief information security officer 
after a career in IT and security that began at the National Security 
Agency. He moved to state government in 1997, when he became chief 
information officer and IT services director for Michigan's Department of 
Management and Budget. From there, he oversaw the agency's 2001 launch of 
the Michigan.gov Web portal. He became the state's CISO and director of 
the office of enterprise security in the Department of IT in May 2002. 
As CISO, he plays roles in a number of other IT security initiatives, 
including the Multi-State Information Sharing and Analysis Center. We 
caught up with Lohrmann to find out how cybersecurity is playing out at 
both the national and state levels.

GCN: How did your work with the National Security Agency help prepare 
you for your current role as a CISO?

DAN LOHRMANN: It was a fantastic way to begin a career. The focus on the 
culture of security was unique and, I think, very helpful. It was a 
shock when I first started in state government, which is at the opposite 
... extreme.

We have been able to change that after 9-11, and people have taken 
security more seriously. We're never going to be an NSA, and we shouldn't 
be. But their practices and procedures are world-class, and it provided 
the basis for my job in Michigan.

GCN: You led IT restoration efforts in the wake of an August 2003 
blackout that rolled through the Northeast. Did you have a recovery plan 
in place, and how did you organize the response?

LOHRMANN: We had a plan we had just developed and ... tested in a 
variety of scenarios. We didn't have a scenario that actually matched the 
blackout, but people did know where to go. I was the emergency 
management coordinator for [the state's Department of IT], and the 
governor declared an emergency and launched the State Emergency 
Operations Center. It was a statewide center where my counterparts from 
other agencies reported during the emergency. We spent the better part 
of four 18-hour days there.

There were a lot of issues you wouldn't anticipate, like getting water 
from one side of the state to the other, road permits, food was spoiling 
and people were having to close restaurants, and supporting the food 
inspectors was a problem.

GCN: What lessons did you learn from this?

LOHRMANN: Our main core data center where our Emergency Operations 
Center was had a generator backup. Two other major data centers did not 
have generators. We knew immediately we had to get generators for those 
facilities. We have been able to get Homeland Security and other funding 
to get those generators in place. Last February we had a local, 
weather-related outage in Lansing, and the generators kicked on and we 
were operational. Had we not had them in place, it would have impacted 
state government statewide.

We did an after-action report, and we have worked the lessons learned, 
like the importance of keeping the Web up and getting information out 
quickly. We didn't realize how important our Michigan.gov portal was 
going to be. We were hosting it out in Boulder, Colo., but we didn't have 
the facilities locally to get them updated out in Colorado. ...

GCN: How is the federal government doing in sharing information with the 

LOHRMANN: It varies state to state, and on the national level it is a 
mixed picture. [But] we've been fortunate to have a good relationship 
with DHS. It started slow, but in the last year or two I've seen a 
definite improvement. On the personal level, I've been able to establish 
relationships with people and get the kinds of information we need. ... 
The groundwork is laid now for information sharing to become much better 
and more efficient than it has been.

GCN: Last year, you took part in DHS' Operation CyberStorm, a simulation 
of cyber and physical attacks on the country's critical infrastructure. 
What did you learn from that?

LOHRMANN: Some of the scenarios really surprised us. We were not 
planning for things like extortion. The behavior of the vendors that 
they simulated was interesting, and a lot of the things that happened 
were very much a surprise to us. We learned that some of the basic, 
simple things are hardest to do, like who are you going to call? You 
make assumptions about who is going to have the information you need and 
who is going to be available, and we found they weren't available. So you 
find yourself in a situation where you have to make decisions in a 
vacuum. Communications is the biggest problem in an emergency.

GCN: What has been your greatest achievement as CISO in Michigan?

LOHRMANN: It's hard to put one down, but I think overall it would be 
building the team that we have. We have a group of about 30 people in 
our office of enterprise security that looks at 55,000 state employees. 
We interact with people at the state, local and federal level, and I 
know that it's going to outlive me. One sign of success in any manager is 
if you can make yourself irrelevant. I don't know that I'm irrelevant yet, 
but it will outlive me.

The second one would be working to see a return on our investment in 
eliminating costs. ... With anti-spam and antivirus products we have put 
in place, we believe we would show $765,000 cost avoidance per month in 
spyware and viruses, by not having to go out and visit infected 
machines. About 70 percent of our inbound e-mail is spam, we blocked 
more than 6.25 million viruses per month last year, we see about 720,000 
external network scans per month and 1.4 million Web-based attacks on 
our network per month. So by putting the tools in place on an enterprise 
basis we're providing more protection and not as much response and 

GCN: What's the biggest challenge left?

LOHRMANN: Continuing to work on the culture, to help people understand 
how important security is at an individual level. ... Helping people 
understand the impact of their actions, I think that's the biggest 
