{"id":1948,"date":"2025-02-14T22:41:09","date_gmt":"2025-02-14T22:41:09","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1948"},"modified":"2025-02-14T22:41:09","modified_gmt":"2025-02-14T22:41:09","slug":"ciso-success-story-how-la-county-trains-and-retrains-workers-to-fight-phishing","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1948","title":{"rendered":"CISO success story: How LA County trains (and retrains) workers to fight phishing"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>It cost neighboring San Bernardino County $1.1 million to resolve a ransomware attack on its sheriff\u2019s department earlier this year. Jeff Aguilar, the chief information security officer for neighboring Los Angeles County, hopes to prevent a similar fate in any of the 38 county departments he\u2019s charged with safeguarding.<\/p>\n<p>Aguilar, who has held high-level security posts in LA County since 2018 and became its CISO last year, is keenly aware of the increasing vulnerability of federal, state, and municipal agencies\u2014cyberattacks targeting the public sector\u00a0<a href=\"https:\/\/www.infosecurity-magazine.com\/news\/cyberattacks-government-agencies\/\">spiked 40%<\/a>\u00a0in the second quarter of 2023 over the same time the previous year. And although LA County has so far avoided a major incident, Aguilar knows maintaining that record will require diligence, resolve, and\u2014this is key\u2014constant communication and coordination with industry peers as well as the county employees under his watch.<\/p>\n<p>This helps with his own department\u2019s benchmarking efforts, to be sure. 
And more than that.<\/p>\n<p>In fact, unlike many CISOs, he\u2019s a strong believer in sharing useful insights that might\u00a0<a href=\"https:\/\/www.tanium.com\/solutions\/state-and-local-government\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=casestudy&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\">help other state and local government agencies counter threats<\/a>. This willingness to hear and share varied viewpoints is perhaps born of his own varied resume, which includes stints in government, healthcare, financial services, and transportation.<\/p>\n<p>Focal Point\u00a0caught up with Aguilar to learn more about his collaborative approach and what makes him one of the nation\u2019s top governmental cybersecurity chiefs.<\/p>\n<p><em>(The following interview has been edited for clarity and length.)<\/em><\/p>\n<p><strong>At first glance, LA County\u2019s reporting structure \u2013 who reports to whom \u2013 seems, well, fairly complex<\/strong>.<\/p>\n<p>We have a federated model: I report to the county CIO. Each department acts as an independent business and has its own department CIO and information security officer. Their job is to enact the cybersecurity policies and strategy my team sets forth at a board level.<\/p>\n<p>I have two deputies reporting to me and I\u2019m hiring two more. We organize the county into clusters (for operational purposes), with each cluster representing a specific area of our business. So, for example, healthcare is one line of business and law enforcement is another. My deputies will cover different clusters depending on their skill sets and the needs of the clusters. We establish the cybersecurity guardrails from a high-level perspective, and departments work within those.<\/p>\n<p><strong>Both the LA Unified School District and LA Housing Authority recently suffered data breaches. 
When you see those things so close to home, does it raise alarm bells for you?<\/strong><\/p>\n<p>Yes, any organization with sensitive data is a potential target.<\/p>\n<p>I speak to lots of state and local municipal CISOs. We\u2019re constantly sharing lessons learned and asking, \u201cWhat\u2019s worked, what hasn\u2019t, and what can I emulate so I don\u2019t have to reinvent the wheel?\u201d I think that\u2019s one of the things that, maybe, LA County does differently than other government agencies. We\u2019re pushing collaboration in government. There\u2019s transparency.<\/p>\n<p>Obviously, I don\u2019t want to get into the weeds with what specifically we\u2019re doing. But we are constantly having great discussions, especially around strategy and\u00a0<a href=\"https:\/\/www.tanium.com\/blog\/what-is-incident-response\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=casestudy&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\">incident response<\/a>, from a regional perspective.<\/p>\n<p><strong>You oversee cybersecurity policy for departments with more than 100,000 employees. All it takes is one of those departments to go rogue for good planning to go sideways. How do you ensure compliance?<\/strong><\/p>\n<p>Yes, it\u2019s a challenge. Fortunately for us, we are constantly under internal audit. I know a lot of folks don\u2019t view audits as adding value. But I do because you only know what you know, and audits are a great way to ensure compliance and identify gaps.<\/p>\n<p>So, our department doing those audits runs through somewhat of a checklist. They\u2019re looking for compliance against internal board policy. We have technology directives and standards. Each department is reviewed and must then be validated against those policies and directives. This is ongoing. 
Every department gets hit with it multiple times per year.\u00a0<\/p>\n<p>And then, every once in a while, we\u2019ll also see a federal audit.<\/p>\n<p>With our internal audits, I\u2019ll often point to where I think gaps might exist and let them see what they can find. After their report comes in, we\u2019ll typically create an improvement plan. That moves up the organization\u2019s leadership chain for awareness purposes. This way, we know we\u2019re getting the proper attention to resolve whatever the issues might be.<\/p>\n<p><strong>With that many county employees, you must have your hands full.<\/strong><\/p>\n<p>For sure. One of the fundamental security principles is the person \u2013 the employee \u2013 is always the weakest link.<\/p>\n<p>Organizations dump millions of dollars into a control environment, and it can all be circumvented by a single missed click. So, we\u2019ve been extremely aggressive with awareness training down to each individual line of business \u2013 because the way business is done from one department to the next might be completely different.<\/p>\n<p>For National Cybersecurity Awareness Month, we\u2019re speaking to employees, and bringing in vendors and industry leaders to share lessons learned as well as to share security Dos and Don\u2019ts. And I think we\u2019ve gotten better at telling the story.<\/p>\n<p>We are getting end users to care about those mis-clicks by creating an emotional response that goes beyond the county environment. 
They can take what they learn home and apply it in their personal lives.<\/p>\n<p>We\u2019ve got the holiday shopping season coming up, for example, and there will be a whole uptick in\u00a0<a href=\"https:\/\/www.tanium.com\/blog\/what-is-phishing\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=casestudy&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\">phishing attempts<\/a>\u00a0that purport to come from, say, Amazon Marketplace, eBay, the IRS, or whatever that they\u2019ll need to watch out for. People see those things and have an emotional response and might just click without thinking. We\u2019ve really ramped up our program to help educate them on such things, both at work and home.<\/p>\n<p><strong>How do you know if your awareness training is effective?<\/strong><\/p>\n<p>We conduct constant drilling. We do tabletops. I have click rates for every department and a roll-up at a county level. I\u2019m able to trend that year after year, and we adjust the training where it makes sense. We don\u2019t do cookie-cutter training that\u2019s the same every year. We adjust it to hotspots in the industry and hotspots in the county.<\/p>\n<p>So, for example, our phishing campaigns are a little different than they were right now because we are coming into a primary election next year. We are warning employees about phishing emails with messages meant to get them going, like, \u201cYour party affiliation has changed; click this link if you didn\u2019t intend for this to happen.\u201d<\/p>\n<p>We\u2019re always looking at regional and geopolitical issues and periodically adjust our training accordingly.<\/p>\n<p><strong>Do you do anything like threat hunts to find potential vulnerabilities?<\/strong><\/p>\n<p>Oh yeah, although we outsource things like that because of the level of experience it requires. We\u2019re trying to build that competency internally. 
But for us, it makes sense to have trusted partners to help with threat-hunt exercises. <a href=\"https:\/\/www.tanium.com\/blog\/what-is-threat-hunting-and-why-does-it-matter\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=casestudy&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\">Threat hunting is a great tool<\/a>, and it\u2019s not new. But it\u2019s probably still fairly new for most government agencies because it involves\u00a0<a href=\"https:\/\/www.tanium.com\/solutions\/endpoint-management\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=casestudy&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\">endpoint management<\/a>\u00a0and a specific level of expertise, which can be complex.<\/p>\n<p>I\u2019m a big fan of the\u00a0<a href=\"https:\/\/www.tanium.com\/blog\/what-is-mitre-attack-framework\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=casestudy&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\">MITRE ATT&amp;CK Framework<\/a>\u00a0[a reference detailing tactics and techniques commonly used by attackers during network intrusions], and we do a lot of tabletops, based on the threat landscape we see, to identify what might be happening within our region or other jurisdictions.<\/p>\n<p>So again, it all comes back to collaboration. Because if the City of Los Angeles is getting hit with something that might be related to us, it could also be happening in Pasadena, Santa Monica, Burbank, or elsewhere.<\/p>\n<p><strong>Tell us about a hard lesson you\u2019ve learned in the last year.<\/strong><\/p>\n<p>Well, fortunately, we haven\u2019t had any big incidents. 
But we are concerned about supply-chain risk management and trying to get better at it.<\/p>\n<p>The SolarWinds hack (where hackers inserted malicious code into commonly used software to breach tens of thousands of government and corporate networks) brought that to light. We\u2019re a big county. We have lots of vendors. So, getting on top of supply chain risk is critical for us. We\u2019re always asking, \u201cWhat is our third-party risk? What is the third-party risk across the entire landscape? And how do we validate vendors are complying with our security requirements?\u201d<\/p>\n<p>To address that, we created something called our Security and Privacy Exhibit, which lays out the county and contractors\u2019 commitments and agreement to meet their obligations under applicable state or federal laws, rules, or regulations, as well as applicable industry standards concerning privacy. It gets into everything from audits to incident response, and so forth.<\/p>\n<p>We have an addendum for different cloud services, and right now we\u2019re rewriting it to also address the use of generative AI because we\u2019re convinced that it\u2019s here to stay. In fact, we want to put up guardrails for that now while there\u2019s time.<\/p>\n<p><strong>How do you stay ahead of the curve on these new and emerging technologies?<\/strong><\/p>\n<p>I think most CISOs have the same playbook for that. We talk with each other, and we\u2019re paying attention to what\u2019s happening in the industry.<\/p>\n<p>Being CISO for a government organization, I also get a lot of threat briefs from federal partners, including\u00a0<a href=\"https:\/\/www.cisecurity.org\/ms-isac\">MS-ISAC (the Multi-State Information Sharing and Analysis Center)<\/a>.<\/p>\n<p>There\u2019s a lot of useful information that comes out of all that. We also have monthly meetings with the FBI to get a good sense of what\u2019s happening from a nation-state threat perspective. And then, there\u2019s your own curiosity. 
Looking into the implications of something like ChatGPT, which is gaining momentum, and looking ahead and thinking about security in a quantum computing world.<\/p>\n<p>Strong leaders have the foresight to look at these out-of-the-box things and consider what\u2019s next. They might not be here today, but you have to understand what might happen if they do arrive.<\/p>\n<p><em>This article was written by David Rand and originally appeared in\u00a0<\/em><a href=\"https:\/\/www.tanium.com\/p\/focal-point\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=incidentresp&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\"><em>Focal Point<\/em><\/a><em>\u00a0magazine.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>It cost neighboring San Bernardino County $1.1 million to resolve a ransomware attack on its sheriff\u2019s department earlier this year. Jeff Aguilar, the chief information security officer for neighboring Los Angeles County, hopes to prevent a similar fate in any of the 38 county departments he\u2019s charged with safeguarding. 
Aguilar, who has held high-level security [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1949,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1948","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1948"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1948"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1948\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1949"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1948"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1948"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1948"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}