Chief Information Security Officer, Michigan
Dan Lohrmann asked why citizens would trust a government that can't keep hackers out of their data.
Eight years ago, when e-government was still pretty new, Michigan was busy consolidating its 19 separate state agency Web sites into one. As a senior technology officer at the time, Dan Lohrmann was monitoring the effort. He knew that centralization would bring efficiencies and make it easier for people and businesses to do transactions with the state. But he also was concerned that a single state site would be a tempting target for hackers. "The whole effort of e-Michigan could come tumbling down if the right security wasn't in place," Lohrmann says.
Lohrmann pressed then-Governor John Engler to protect Michigan's technology investments by creating an IT security position that would report to the CIO. Engler agreed, and hired Lohrmann as Michigan's first-ever chief information security officer. Not many states had CISOs at the time. So it was a role that Lohrmann had to define himself. And as more and more states grew worried about cyber threats, they looked to what Lohrmann created in Michigan as a model.
Lohrmann has built a staff of 29 whose job seems to get harder by the day: The number of network attacks is exploding, and online criminals are getting more sophisticated and stealthy at what they do. Lohrmann has put a variety of tools in place to detect attacks and respond to them quickly. But his main objective is to be proactive about security, rather than respond to crises after they happen. Lohrmann strives to make security a concern at the beginning of IT projects — not an afterthought.
This way of thinking about security can bring significant savings. Simply by filtering ads from the state's 55,000 desktop computers, Michigan is preserving 30 percent of its bandwidth for more critical uses. Lohrmann estimates the state saves about $30 million per year by keeping such ads and "spyware" from slowing down systems and reducing technician visits to fix or rebuild attacked PCs.
But Lohrmann knows that security is not just about fending off villains and saving money. It's about maintaining the trust that citizens put in their government. Recently, Michigan became one of the first states to comply with what's known as Payment Card Industry Standards. That's a technical certification that allows Michigan to continue accepting credit card payments for things such as drivers' licenses and campground reservations. Michigan now does about 3 million of these transactions per year, and Lohrmann wasn't about to risk losing that channel of citizen convenience.
Worse, a data breach could melt away all the digital advantages that Michigan has worked so hard for. Citizens would worry about doing electronic transactions with the state. "If they lose trust in e-government," Lohrmann says, "everyone goes back in line again."
— Ellen Perlman
Photo by Kim Kauffman