Editor’s note: This is the third in a series of interviews with the session leaders of the upcoming GSO 2025 event being held August 16-17, 2023 at LinkedIn’s global headquarters in the heart of Silicon Valley, Calif. The event is named with a future date because it takes a 3- to 5-year look ahead at where security leadership and security technology are going. Registration is open now.
SIW Managing Editor John Dobberstein recently spoke with Maria Sumnicht, who – as the Urban Technology Architect for NYC Cyber Command – was the Cyber Security Lead for the Critical Infrastructure industrial control systems (ICS) for the City’s water systems and for IoT for the City of New York, responsibilities that included the ICS/OT Simulation & Testing Laboratory and the IoT Penetration Testing Laboratory.
SIW: The technology deployments for your NYC Cyber Command responsibilities were much larger and more complex than what most of the GSO 2025 attendees have to oversee. Are some of your lessons learned still applicable to the more narrowly focused enterprise security technology deployments?
Sumnicht: They definitely apply. Although the scale of their security technology infrastructure is smaller and less complex than the totality of what we dealt with, many of the people, process and technology elements are very similar, including the technology risks. The practices and approaches we took – still in effect now – can be used to assure success across city agencies and enterprise organizations.
SIW: Can you describe some of the practices and approaches that were critically important to your successes?
Sumnicht: Yes, there are three critical elements that we could not have been successful without. The first is governance. This is especially important for multi-city and multi-country deployments. You need to have some sort of governance established from a security perspective that gives you the ability to work in the realm of cybersecurity and be able to execute on that mission, which is securing technology.
For example, when the former mayor established Cyber Command for the City of New York, he gave that agency governance in the cybersecurity realm over all other mayoral reporting agencies. If you are charged with assuring the functionality and availability of the technology systems, you need to be enabled to act on those responsibilities.
For enterprise business technology deployments, IT typically holds that responsibility. However, I am told that in the early days of locally networked physical security systems -- with no Internet connections and few if any system integrations -- it was a practice to exempt security departments from business computer and network requirements. And in some organizations that practice has carried forward into the present day.
Security convergence is a second important element.Security convergenceis formal collaboration between previously disjointed security functions. Organizations with converged cybersecurity and physical security functions are more resilient and better prepared to identify, prevent, mitigate and respond to threats.This collaboration is so important that the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has produced a planning model for Cybersecurity and Physical Security Convergence to facilitate the protection of the 16 U.S. critical infrastructure sectors, which include transportation systems, information technology, healthcare and public health sector, financial services, critical manufacturing, communications and commercial facilities.
Additionally, security system AI-based analytics now can generate a wealth of data having both security and business operations value. Some of this data is classified as personally identifiable information (PII), and some is business confidential.
The liabilities involved in failing to properly handle and safeguard the data can be substantial. This is part of why the governance aspect is so important. In an enterprise organization, this usually involves collaboration with the IT, legal, finance and compliance functions.
SIW: Aren’t many IoT, OT and ICS technologies installed and serviced by external service providers? How can you extend governance to them?
Sumnicht: That’s involves a combination of the other two critical success points. Point number two is tying the procurement of technology into a review process for cybersecurity. This was our Cyber Command technology, cloud and IoT review process – more popularly known as the Department of Information Technology Cloud/IoT Review Process.
City agency purchasing goes through the NYC Office of Management and Budget. We worked with them to establish a process so that when an agency wanted to purchase technology, they would ask, “Have you gone through Cyber Command?” That’s a simple 'Yes' or 'No' question. So that’s the number two critical requirement. Cybersecurity is a non-negotiable, as is the review process for it. It's a firm procurement requirement.
SIW: And the third critical requirement is?
Sumnicht: The third key success pillar is legal agreements. It’s the legal agreements that bind the vendors to the review process. Of course, we clearly communicate to the vendors what the cybersecurity requirements are and what processes are involved. We want the process to be smooth for them and us, which overall means having clearly defined processes and evaluation points.
There are 3 legal documents that a technology vendor entered with the City. These documents are presented to the vendor at the Department of Information Technology Cloud/IoT Review Process. The documents are:
- Hosted Cloud Legal Agreement (Cloud Rider)
- Service End User Level Agreement (SEULA)
- Penetration Testing Agreement
The Cloud Rider was focused on securing the cloud environment and protected the City legally in a hosted cloud environment.
The Service End User Agreement protected the City by clearly defining service, support and upgrades for the technology.
The Penetration Testing Agreement allowed the City to perform ‘red team’ testing and legally protected the City in that the vendor was legally bound to remediate all Critical, High and Medium vulnerabilities discovered during the testing process.
SIW: Will you be at the GSO 2025 event for both days?
Sumnicht: Yes, my session is on Day One, and I’m looking forward to discussions with attendees at mealtimes and in the second part of Day Two, which is dedicated to networking and individual discussions.
SIW: Well Maria, it was a pleasure to talk with you today. Best of luck and we look forward to hearing more from you at GSO 2025 next month.
Sumnicht: Thank you John, I am both humbled and honored to be a part of GSO 2025 Conference. I look forward to event.