Indiana CIO Dewand Neely became the director of the state’s Office of Technology in 2015. He was one of the first employees hired to spearhead Indiana’s IT consolidation efforts in 2005, but now he’s turning his attention to protecting state agencies from possible cyber threats.
This interview has been edited for length and clarity.
What are the responsibilities of the Indiana Office of Technology?
Most states are traditionally federated, meaning that all of the different agencies have their own IT services. Indiana is one of those states where we chose to centralize our information into one main data center — with a backup elsewhere — to house all of our infrastructure services. We took infrastructure management away from the agencies so they could focus on their core values and mission.
On the cybersecurity side, the consolidation is a good thing from a cost effectiveness and efficiency angle, but it does centralize the attack surface for the bad guys.
As the state CIO, I want to protect our assets as much as possible, and if there are any ways that I can prevent attention and exposure it is what I’m going to do. For example, NIC, our e-government services provider, runs our consumer facing portal, and I like that a lot of people don’t know that when they think they are attacking us they are really attacking NIC.
When the Indiana legislature passed controversial legislation in 2015 that allowed business owners to refuse customers based on their religious beliefs, the state’s websites were attacked. What happened?
The hacktivists wanted to create a disruption and relate it to the cause that was in the news. They tried to take down our IN.gov portal, which delivers services to the citizens. NIC helped us slow down the attack with some of the redundancy and mitigation tools that they had in place. It helped because that work wasn’t coming into my offices and affecting my operations. But they also did a great job of mitigating and planning for it. I think that attackers tried two or three times to try to get in to take those sites down, and NIC was able to stop those forces and report information back on where we stood and how we were doing.
How is your office involved in data exchange within the state?
One of Gov. Eric Holcomb’s key pillars is to figure out how to slow down and mitigate this crazy drug epidemic going down across the country. He created a Commission to Combat Drug Abuse, and we realized the value of access to timely information because you don’t always get the whole picture when data is spread across three departments. Pulling together criminal justice data points can help with a policy decision or uncover indicators that relate back to a drug or treatment problem. We are bringing those data points together to give us a bigger picture as we look at different, creative ideas for slowing down the number of opioid overdoses and getting ahead of some of the outbreaks and trends that are starting to develop.
Your agency offers many services for Indiana agencies. What delivers the largest rate of return?
The best return for us so far is educating folks better on how much power they do possess and how to be responsible with that power. We are training them on how to spot potential scams, emails and the different aspects of social engineering that can convince them something is true when it is not.
We need to prevent our users from handing out valid credentials, so we have been conducting new monthly, interactive cyber training that lasts from three to five minutes. It has some gamification aspects that help train our workforce on some of the tell-tale signs to look for to make sure that they are not being maliciously engineered to give up those credentials. It is kind of hard to measure, but when fighting cyber, people are the first line of risk, and they need to be more vigilant and educated.