During the 2007 housing crisis, Columbus, Ohio--like most municipalities--faced significant tax shortfalls and revenue constraints.
That year was also marked by security events--on the physical security side, the Department of Homeland Security completed its Sector-Specific Plans for critical infrastructure protection. On the IT side, public- and private-sector organizations faced phishing attacks focused on stealing sensitive information and intellectual property.
That was the environment when Miki Calero joined the City of Columbus as CSO.
He immediately got to work improving the city's ability to manage risk to physical and IT assets by more tightly integrating security. Early his first morning, as he picked up his ID badge, he spoke to the facilities security manager about which physical access databases could be unified first. Six years in, the implementation of an enterprise security risk management (ESRM) program has improved security across the city, ensuring Columbus complies with seven sets of regulations and streamlining costs by combining existing security and technology investments with increased efficiencies.
That's no small accomplishment for a city the size of Columbus. With roughly 790,000 residents, it's the 15th-largest city in the United States, covering 217 square miles and incorporating more than 200 government facilities dealing with permits, taxes, telecommunications and critical infrastructure for IT and utilities.
This is the story of how Calero and his team are pulling it off.
Before the ESRM program was put in place, IT security was handled by a couple of analysts and by server administrators and network engineers, all of whom had many other responsibilities as well.
As at most organizations back then, and many still today, the work of securing IT systems was getting done, but without unified authority. That likely left gaps in protection that could have proven costly.
The highest reporting level for IT security was a manager, and the analysts "were primarily focused on running antivirus, monitoring and filtering Web content, reviewing requests for system and network accounts, and similar operational responsibilities," Calero said. Each IT group had its own budget, which made it difficult to plan and control security costs.
The Franklin County Government Center along South High Street in downtown Columbus will undergo a complete renovation that could take 10 years and cost $90 million, including significant security enhancements that meld physical- and IT-based defenses.
Physical security needs were defined by individual agencies, each managing its own access control systems and surveillance cameras, using tools and equipment bought at different times from different vendors and paid for by multiple sources. There were no standards for the tools and equipment, no security project coordination, and no strategy to converge with IT security.
"I have a strong view that physical and cyber security risk need to be managed holistically," Calero said, so before he would agree to take the position, he made sure the title was CSO, not CISO. He wanted to make sure he could take a convergence approach to security, which involves pursuing a comprehensive security strategy and a supporting project to implement the ESRM program.