Bridging security gaps in government: Tanium’s approach

Cybersecurity in government entails so much more than just finding the right solution to solve a problem. More often than not, the whole process is further complicated by budgetary concerns, staffing issues, and even geographical differences.

Chris Cruz, Tanium’s Chief Information Officer for the Public Sector, has a background in government, working at both county and state levels in California. He recently spoke with Frontier Enterprise about his experiences as a government CIO and his insights into resolving government cybersecurity gaps.

What was it like transitioning from government service to working at Tanium?

I retired in 2021 and joined Tanium two weeks later, after retiring from San Joaquin County, California. Having been a Tanium customer, I was familiar with the product. It’s great, and during my government tenure, I was able to figure out how to optimise its capabilities, enhancing the value Tanium offers. So I knew a lot about the tool.

Upon transitioning into my role as Tanium’s Public Sector CIO, I hit the ground running. I had a head start with the optimisation and understanding of the product’s capabilities, particularly in positioning it for our government customers and C-level executives like CIOs, CISOs, CTOs, and board supervisors.

Back during your time with the government, was there a serious gap between how vendors pitch to governments and what governments are looking for?

A lot of times, companies come from a very technical approach when they position and market their product. In contrast, my approach is more strategic, focusing on business outcomes and how Tanium helped me tackle complex business problems.

This has been the biggest gap I’ve seen in this transition. Many companies don’t seem to know how to position or market their products effectively to people in the business area or to C-level executives, and it’s a huge problem. In my previous role, I saw this with a lot of vendors.

Being strategic, aligning with both technical teams and business teams, and integrating these approaches, has helped us make a strong business case for positioning Tanium as a market leader. This experience, as I have sat on the other side of the seat, lends credibility and integrity to the process. I know what the expectations are, and the gaps in terms of delivering your services.

Do you see unique challenges to the public sector posed by cybersecurity threats which are separate from what it’s like in the private sector?

I do, because in government, there are varying levels of maturity and resources. I refer to them as the ‘haves and have-nots.’ Not everyone can afford the same level of technology investment or capabilities. This is particularly true for local government organisations, cities, counties, and educational institutions, which often lack the budget for adequate cybersecurity tools. This makes them more vulnerable, especially given the broad threat vectors in today’s expansive and virtual working environment.

We face a large digital divide that spans different levels of government, and is influenced by their maturity and ability to attract and retain key cybersecurity resources. Managing these tools and providing necessary mitigation, visibility, and control remain big problems in government. By fostering collaboration, sharing best practices and lessons learned, we aim to ensure that organisations, regardless of their size or budget, have the same capabilities to manage risks and address cybersecurity issues and threats.

When it comes to devolution of duties within the government, how much responsibility does a county-level CIO have, compared to the state level and further up? 

At the county level, you’re directly facing constituents. When I was at the county, I reported to the board of supervisors, the elected officials. In contrast, at the state level, my reporting was to the legislative body. At the county level, there’s a tangible connection with citizen issues, a stronger engagement with their concerns, and a focus on citizen-centric service delivery. This entails a sense of urgency in providing essential services promptly. At the county level, I could swiftly navigate and make decisions on aligning IT with business needs, including cybersecurity.

So, in using a tool like Tanium, I was able to integrate SecOps into a singular profile and establish a common platform to address all the varying needs within the county. This approach helped address unmet needs and gaps in our delivery model.

At the state, we were somewhat shielded from direct interaction with constituents. Our job involved setting and enforcing statewide standards and policies for technology and security, ensuring compliance at the executive level. State-level policies and security measures often didn’t effectively reach the counties or cities. County CIOs frequently had to take the initiative to develop security incident response plans and ensure a level of security that met local needs. The push from the government to the local level was critical, highlighting gaps in our service delivery model. Improved corporate governance has really helped now. In California, for instance, we established a security operations centre and an event response centre, integrated with the Federal Department of Homeland Security. This integration has enabled federal dollars in grant money to flow from the state to cities and counties, beginning to bridge the gaps with effective governance, standardised policy, and sensible frameworks.

In California, we developed Cal-Secure, a five-year statewide information security plan, which I co-authored as the Deputy State CIO. This plan aims to enhance cyber maturity, focusing on achieving specific cyber objectives and goals, and ensuring readiness for military audits. It emphasises maintaining appropriate cyber hygiene and reducing risk. By combining these elements—common issues, priorities, and objectives—we facilitate streamlined processes across various government levels, from education to state and federal. This approach allows us to connect the dots more than ever before, improving coordination in standards setting, risk management during cyber incidents, information sharing through national databases, and disseminating knowledge to local levels. We’ve come a long way in terms of maturity, though more needs to be done. However, the necessary infrastructure is now in place in the United States.

Do you see a big difference with CIOs and CISOs in Asia, with the way they approach governance, or security, or any sort of tech deployment?

It’s interesting to see that our issues, opportunities, and threats are similar in the way we’re managing them, whether in the US, Asia, or Europe. We share similar issues, objectives, and management strategies. More mature countries and organisations tend to follow similar standards. Adopting and aligning national standards across mature regions worldwide would likely position us better.

The differences I’ve seen are not so much different from what I experienced as a government CIO. Globally, we face very similar issues; it just comes down to the level of maturity.

The biggest gap in Asia, Europe, and Australia is the similar issue of ensuring that the education level in the lower levels of government have the right kinds of technological capabilities and security tools to mitigate issues and risks, and provide the necessary visibility and control. This seems to be a big issue. The US is slightly ahead of the curve in providing funding to these organisations. In some of my conversations, here in the Asian market, and with the European markets, there’s still a struggle to channel funds to these lower levels, ensuring they have the necessary tools for success. 

Additionally, workforce and resource sharing are global concerns, mirroring issues in the US. Attracting individuals to cybersecurity is a global problem, necessitating more automation within our technology. Sharing information across government spectrums and standardising technology and cybersecurity frameworks with a unified view are absolutely a must. This is a global challenge, but also a global opportunity that we’re facing.

What’s the most exciting thing going on in Tanium’s labs?

The biggest thing at Tanium is our ability to integrate machine learning. We’re currently working on this from an AI perspective, examining similar trends and patterns. In managing information technology platforms, particularly in terms of visibility, management, and controlling the endpoint, our capability to share and collaborate with real-time data is key. We’ve developed great dashboarding that manages an alliance, providing a clear understanding of your organisation’s risk level through various criteria, including vulnerability management, asset management, and discovery.

We’re continually expanding our R&D capabilities to meet our customers’ needs, but in a non-complicated way that simplifies processes. This approach allows organisations to present the best possible value proposition to mitigate risks. At Tanium, we value customer feedback. We actively involve our customers in our advisory board meetings, seeking their recommendations on how we can continuously improve our product.