Gary Hayslip

What Smart Cities Can Teach Enterprises About Security

The more you simplify your security program while still being effective, the better, says San Diego's chief information security officer. Here's his three-step process.

I’ve been in the cybersecurity industry for 30 years, and even my 27 years’ experience with the Department of Defense and U.S. Navy could not have prepared me for the challenge I faced in building a security program for San Diego’s citywide enterprise network. One of the main things I’ve learned over these past three years is that you can’t have security through obscurity. You need a continuous and unified view of your security posture if you want to operate a top-notch program.

People don’t think of a city as a large enterprise network, but at the end of the day, that’s exactly what it is: a $4 billion business that provides services for roughly 1.5 million citizens.

In fact, the two share some distinct commonalities.

First, cities are massive and they never throw out any information. That means that there is data being stored on outdated technology from 20 years ago that might not be secure; obviously, 20 years ago, no one was concerned about being hacked.

This also means that there is a mix of old and new technology sprawled across the city, including legacy applications and programs like PowerBuilder and intelligent smart city devices such as LED street lights, all of which create security gaps and blind spots. In San Diego, there are 24 discrete networks and 40,000 endpoints that run across 40 departments, including parks and recreation, public safety, transportation, and even golf courses and cemeteries that require point-of-sale (POS) systems.

Second and most importantly, cities never shut down. San Diego runs 24 hours a day, 7 days a week, and 365 days out of the year, which means that from a security standpoint, you can’t take the network offline or rip and replace old technology with new technology without interrupting the daily business operations of the city and its people.

This is probably very similar to your typical enterprise, with its complex network of hundreds, if not thousands, of devices and endpoints that process and store sensitive data distributed across cities, states, and countries. For retailers using POS systems and credit card readers, there’s also an added layer of Payment Card Industry (PCI) compliance regulations that they are required to meet and document.

Resilient Security = Visibility
Security does not exist in a vacuum. It’s a living, breathing lifecycle. The one thing I realized immediately in San Diego was that if I was going to build a resilient security program for one of the world’s smartest cities, I needed complete visibility into all its vast systems and devices, and a toolset that could properly assess and manage its security risk.

Having full visibility is crucial in understanding what security risks are out there. No city or enterprise has just one solid perimeter, especially with today’s extension of cloud and mobile technologies. The current environment is riddled with connected devices and smart technology to help improve our lives, but that also creates a more complicated and diverse threat landscape.

In order to achieve that level of visibility, organizations must start with a basic assessment of their environment. Using an industry standard, such as the NIST Cybersecurity Framework or the Center for Internet Security (CIS) Critical Cybersecurity Controls, is a great way for an enterprise to gauge the maturity of its network, create a baseline security standard, and get an ongoing security program off the ground. These assessments help identify areas of improvement, which can then become projects based on the gaps and risks that you need to fix. For example, some organizations might choose to develop a written policy for admin passwords, while others would target better compliance and auditing enforcement through new software or hardware.

Start with a Framework
In my case, I immediately looked at the NIST Cybersecurity Framework as a guiding principle because I knew a baseline of security would not only set me up for success, but also make the IT and InfoSec departments’ jobs more streamlined and efficient. Implementing NIST from the beginning helped me identify weak spots in the network and figure out what solutions to put in place to reduce our risk exposure and understand the data flowing across our multiple networks.

Once we had the framework in place, we used the Tenable Network Security platform to anchor our cybersecurity suite as we continuously inventoried, assessed, scanned, monitored, and remediated the network for cyber threats, as well as planned for future growth. For example, the city has to think about PCI compliance, as well as auditing and reporting, and has to correlate security threat and risk data from various security vendors, including Tenable, Splunk, Carbon Black, PacketSled, AttackIQ, and Sumo Logic.

One of the advantages of working with a vendor-neutral enterprise cybersecurity solutions provider like Tenable is that I didn’t just fill one security gap, I filled four, and I was able to use the technology to unify data coming in from some of our other tools. San Diego averages close to a million cyber attacks a day, so having a comprehensive and continuous security monitoring tool in place was essential in identifying the most critical threats to the city.

It’s taken me nearly three years to get a complete picture of San Diego’s overall security posture, and the one thing I can’t reinforce enough is that the security lifecycle never ends; you will always be assessing for risk, which means you will always be monitoring your network. Enterprises have complex networks, so the more you can simplify your security program while still being effective, the better. All it takes is a simple three-step process:

  1. Assess your network by adopting a security framework such as NIST or CIS Critical Security Controls.
  2. Identify the network threats and gaps, and determine which policies, procedures, and solutions you need to adopt.
  3. Create a comprehensive security program that gives you a holistic view of the overall IT environment and the ability to continuously monitor for vulnerabilities.

As chief information security officer (CISO) for the City of San Diego, Gary Hayslip advises the city's executive leadership consisting of mayoral, city council, and 40+ city departments and agencies on protecting government information resources.
