In March 2019, Boston Mayor Martin J. Walsh announced Greg McCarthy’s appointment as the city’s first chief information security officer (CISO). McCarthy will lead the cybersecurity team within the Department of Innovation and Technology.
In this interview, we discuss his career, how the role of cybersecurity has changed within the city, and how security in the public sector can differ from the private sector.
A great place for us to get started would be your role at the City of Boston, and how you began your involvement with identity management there.
I’ve worked in the public sector my entire career. The city’s cybersecurity program is now ten years old, and I have been a part of it for nine. I started as a project manager and was the second person on the security team. My predecessor, who was leading the team, had been with the city for about a year.
Together we built the first cybersecurity program for the city. I began managing the cybersecurity team five years ago. Previously, security was a manager position. The city just recently elevated the position again, now reporting to the CIO instead of the CTO. This enables a much more direct line of communication with senior leadership in our department and within the city.
What was your experience before joining the City of Boston?
I started my career in public service with the Rhode Island Department of Corrections, and my undergraduate degree is from Northeastern University in criminal justice. I was working in grant management for the department of corrections and performing a lot of data analysis. With that came quite a bit of work with our IT department to enhance the data systems that collected the data I was analyzing, as well as putting needed data validation mechanisms in place to make data collection and analysis easier.
From there, I returned to school for my master’s in information assurance at Northeastern University. That was when I leaped from criminal justice to cybersecurity.
That’s an interesting and unique path to cybersecurity. A lot of information security officers came in from the military or networking in the 90s. I think it’s great to have diverse backgrounds.
Although I’m not a network engineer or an application developer, I have a strong understanding of the technology and how it functions. I also know how to hire very talented people to help in areas in which I may lack skills. When I was working at the Department of Corrections, I found it interesting how technology and the criminal justice space worked hand in hand. I became very interested in pursuing technology and criminal justice. The information assurance program at Northeastern worked in collaboration with their college of criminal justice and their college of computer science. So, when I went to my grad program there, I thought it was a fascinating marriage of the two areas.
How important do you see the ability to communicate security broadly, to a general business audience?
I don’t think you can have a successful program if you’re unable to communicate it effectively. If you find within the first few seconds of your presentation people’s eyes glazing over, it’s generally not going to go very well for you, especially when you try to get funding, move a project forward, or when you’re trying to get executive-level sponsorship for projects. If you can’t articulate why you’re making a change in a nontechnical way or in a way that resonates with the business owner, you’re not going to be successful at executing it because they’re not going to understand it.
Communication is critical to a security team’s success.
What are some of the mistakes security professionals typically make when presenting that make co-workers’ eyes roll and glaze over?
I think part of it is knowing your audience. For us, being in the government, we work with a diverse workforce from public works to public safety, to elected officials and technology professionals. If I explain in detail how malware propagates through a network, that would likely mean nothing to them.
However, I can tell them a story about someone having their paycheck stolen and that they need to enroll in two-factor authentication to protect themselves. Something like that would resonate with them a lot more.
Are there unique security challenges in public IT that might be different from corporate security?
We have a lot of different processes that private corporations don’t have to deal with. The best example might be elections. At the 2017 Def Con conference, there was a lot of publicity around the ease of hackers compromising voting technology. Therefore, as we approached the 2018 midterm elections, there was a strong focus around ensuring the elections process was secure.
We found the technology and processes used throughout the elections process were rather secure, but the area of highest risk was the confidence in the process. We have to ensure citizens have confidence in our election process and its results, as it’s the core of our democracy.
That’s something that no private organization would have to deal with because they don’t worry about election processes.
How important is identity to an overall security program in the public sector?
Before IdentityIQ, onboarding was a big issue: people would arrive and not have an account or the access they needed on day one. You shouldn’t start a new position or a new job here and have to wait three days before you’re able to access the resources you need. You should come in on day one and have the access that you need to do your new job, and all of the work should happen automatically and behind the scenes.
Additionally, employees in the public sector usually remain employed with the organization their entire career. I don’t think this is as common in the private sector. This is where the importance of identity governance and lifecycle management becomes critical. Having a single identity where access is granted or revoked as you change roles within an organization allows for a secure, convenient and reliable user experience.