By William Jackson
When it comes to security credentials, Dan Lohrmann has some powerful
training. He became Michigan's first chief information security officer
after a career in IT and security that began at the National Security
Agency. He moved to state government in 1997, when he became chief
information officer and IT services director for Michigan's Department of
Management and Budget. From there, he oversaw the agency's 2001 launch of
the Michigan.gov Web portal. He became the state's CISO and director of
the office of enterprise security in the Department of IT in May 2002.
As CISO, he plays roles in a number of other IT security initiatives,
including the Multi-State Information Sharing and Analysis Center. We
caught up with Lohrmann to find out how cybersecurity is playing out at
both the national and state levels.
GCN: How did your work with the National Security Agency help prepare
you for your current role as a CISO?
DAN LOHRMANN: It was a fantastic way to begin a career. The focus on the
culture of security was unique and, I think, very helpful. It was a
shock when I first started in state government, which is at the opposite
We have been able to change that after 9-11, and people have taken
security more seriously. We're never going to be an NSA, and we shouldn't
be. But their practices and procedures are world-class, and it provided
the basis for my job in Michigan.
GCN: You led IT restoration efforts in the wake of an August 2003
blackout that rolled through the Northeast. Did you have a recovery plan
in place, and how did you organize the response?
LOHRMANN: We had a plan we had just developed and ... tested in a
variety of scenarios. We didn't have a scenario that actually matched the
blackout, but people did know where to go. I was the emergency
management coordinator for [the state's Department of IT], and the
governor declared an emergency and launched the State Emergency
Operations Center. It was a statewide center where my counterparts from
other agencies reported during the emergency. We spent the better part
of four 18-hour days there.
There were a lot of issues you wouldn't anticipate, like getting water
from one side of the state to the other, road permits, food was spoiling
and people were having to close restaurants, and supporting the food
inspectors was a problem.
GCN: What lessons did you learn from this?
LOHRMANN: Our main core data center where our Emergency Operations
Center was had a generator backup. Two other major data centers did not
have generators. We knew immediately we had to get generators for those
facilities. We have been able to get Homeland Security and other funding
to get those generators in place. Last February we had a local,
weather-related outage in Lansing, and the generators kicked on and we
were operational. Had we not had them in place, it would have impacted
state government statewide.
We did an after-action report, and we have worked the lessons learned,
like the importance of keeping the Web up and getting information out
quickly. We didn't realize how important our Michigan.gov portal was
going to be. We were hosting it out in Boulder, Colo., but we didn't have
the facilities locally to get them updated out in Colorado. ...
GCN: How is the federal government doing in sharing information with the
LOHRMANN: It varies state to state, and on the national level it is a
mixed picture. [But] we've been fortunate to have a good relationship
with DHS. It started slow, but in the last year or two I've seen a
definite improvement. On the personal level, I've been able to establish
relationships with people and get the kinds of information we need. ...
The groundwork is laid now for information sharing to become much better
and more efficient than it has been.
GCN: Last year, you took part in DHS Operation CyberStorm, a simulation
of cyber and physical attacks on the country's critical infrastructure.
What did you learn from that?
LOHRMANN: Some of the scenarios really surprised us. We were not
planning for things like extortion. The behavior of the vendors that
they simulated was interesting, and a lot of the things that happened
were very much a surprise to us. We learned that some of the basic,
simple things are hardest to do, like who are you going to call? You
make assumptions about who is going to have the information you need and
who is going to be available, and we found they weren't available. So you
find yourself in a situation where you have to make decisions in a
vacuum. Communications is the biggest problem in an emergency.
GCN: What has been your greatest achievement as CISO in Michigan?
LOHRMANN: It's hard to put one down, but I think overall it would be
building the team that we have. We have a group of about 30 people in
our office of enterprise security that looks at 55,000 state employees.
We interact with people at the state, local and federal level, and I
know that it's going to outlive me. One sign of success in any manager is
if you can make yourself irrelevant. I don't know that I'm irrelevant yet,
but it will outlive me.
The second one would be working to see a return on our investment in
eliminating costs. ... With anti-spam and antivirus products we have put
in place, we believe we would show $765,000 cost avoidance per month in
spyware and viruses, by not having to go out and visit infected
machines. About 70 percent of our inbound e-mail is spam, we blocked
more than 6.25 million viruses per month last year, we see about 720,000
external network scans per month and 1.4 million Web-based attacks on
our network per month. So by putting the tools in place on an enterprise
basis we're providing more protection and not as much response and
GCN: What's the biggest challenge left?
LOHRMANN: Continuing to work on the culture, to help people understand
how important security is at an individual level. ... Helping people
understand the impact of their actions, I think that's the biggest