CISO Success Story: How LA County Trains (and Retrains) Workers to Fight Phishing

It cost neighboring San Bernardino County $1.1 million to resolve a ransomware attack on its sheriff’s department earlier this year. Jeff Aguilar, the chief information security officer (CISO) for neighboring Los Angeles County, hopes to prevent a similar fate in any of the 38 county departments he’s charged with safeguarding.

Aguilar (at right), who has held high-level security posts in LA County since 2018 and became its CISO last year, is keenly aware of the increasing vulnerability of federal, state, and municipal agencies—cyberattacks targeting the public sector spiked 40% in the second quarter of 2023 over the same time a year ago. And although LA County has so far avoided a major incident, Aguilar knows maintaining that record will require diligence, resolve, and—this is key—constant communication and coordination with industry peers as well as the county employees under his watch.

This helps with his own department’s benchmarking efforts, to be sure. And more than that.

In fact, unlike many CISOs, he’s a strong believer in sharing useful insights that might help other government agencies counter threats. This willingness to hear and share varied viewpoints is perhaps borne of his own varied resume, which includes stints in government, healthcare, financial services, and transportation.

Learn how secure or exposed your organization really is—get a comprehensive risk score in just 5 days.

Focal Point caught up with Aguilar to learn more about his collaborative approach and what makes him one of the nation’s top governmental cybersecurity chiefs.

(The following interview has been edited for clarity and length.)

At first glance, LA County’s reporting structure – who reports to whom – seems, well, fairly complex.

We have a federated model: I report to the county CIO. Each department acts as an independent business and has its own department CIO and information security officer. Their job is to enact the cybersecurity policies and strategy my team sets forth at a board level.

I have two deputies reporting to me and I’m hiring two more. We organize the county into clusters (for operational purposes), with each cluster representing a specific area of our business. So, for example, healthcare is one line of business and law enforcement is another. My deputies will cover different clusters depending on their skill sets and the needs of the clusters. We establish the cybersecurity guardrails from a high-level perspective, and departments work within those.

Both the LA Unified School District and LA Housing Authority recently suffered data breaches. When you see those things so close to home, does it raise alarm bells for you?

Yes, any organization with sensitive data is a potential target.

I speak to lots of state and local municipal CISOs. We’re constantly sharing lessons learned and asking, “What’s worked, what hasn’t, and what can I emulate so I don’t have to reinvent the wheel?” I think that’s one of the things that, maybe, LA County does differently than other government agencies. We’re pushing collaboration in government. There’s transparency.

[Read also: RaaS class – a defensive guide to ransomware-as-a-service]

Obviously, I don’t want to get into the weeds with what specifically we’re doing. But we are constantly having great discussions, especially around strategy and incident response, from a regional perspective.

You oversee cybersecurity policy for departments with more than 100,000 employees. All it takes is one of those departments to go rogue for good planning to go sideways. How do you ensure compliance?

Yes, it’s a challenge. Fortunately for us, we are constantly under internal audit. I know a lot of folks don’t view audits as adding value. But I do because you only know what you know, and audits are a great way to ensure compliance and identify gaps.

I know a lot of folks don’t view audits as adding value. But I do because you only know what you know, and audits are a great way to ensure compliance and identify gaps.

So, our department doing those audits runs though somewhat of a checklist. They’re looking for compliance against internal board policy. We have technology directives and standards. Each department is reviewed and must then be validated against those policies and directives. This is ongoing. Every department gets hit with it multiple times per year. And then, every once in a while, we’ll also see a federal audit.

With our internal audits, I’ll often point to where I think gaps might exist and let them see what they can find. After their report comes in, we’ll typically create an improvement plan. That moves up the organization’s leadership chain for awareness purposes. This way, we know we’re getting the proper attention to resolve whatever the issues might be.

With that many county employees, you must have your hands full.

For sure. One of the fundamental security principles is the person – the employee – is always the weakest link.

Organizations dump millions of dollars into a control environment, and it can all be circumvented by a single missed click. So, we’ve been extremely aggressive with awareness training down to each individual line of business – because the way business is done from one department to the next might be completely different.

For National Cybersecurity Awareness Month, we’re speaking to employees, and bringing in vendors and industry leaders to share lessons learned as well as to share security Dos and Don’ts. And I think we’ve gotten better at telling the story.

We are getting end users to care about those mis-clicks by creating an emotional response that goes beyond the county environment. They can take what they learn home and apply it in their personal lives.

We’ve got the holiday shopping season coming up, for example, and there will be a whole uptick in phishing attempts that purport to come from, say, Amazon Marketplace, eBay, the IRS, or whatever that they’ll need to watch out for. People see those things and have an emotional response and might just click without thinking. We’ve really ramped up our program to help educate them on such things, both at work and home.

How do you know if your awareness training is effective?

We conduct constant drilling. We do tabletops. I have click rates for every department and a roll-up at a county level. I’m able to trend that year after year, and we adjust the training where it makes sense. We don’t do cookie-cutter training that’s the same every year. We adjust it to hotspots in the industry and hotspots in the county.

We don’t do cookie-cutter training that’s the same every year. We adjust it to hotspots in the industry and hotspots in the county.

So, for example, our phishing campaigns are a little different than they were right now because we are coming into a primary election next year. We are warning employees about phishing emails with messages meant to get them going, like, “Your party affiliation has changed; click this link if you didn’t intend for this to happen.”

We’re always looking at regional and geopolitical issues and periodically adjust our training accordingly.

Do you do anything like threat hunts to find potential vulnerabilities?

Oh yeah, although we outsource things like that because of the level of experience it requires. We’re trying to build that competency internally. But for us, it makes sense to have trusted partners to help with threat-hunt exercises. Threat hunting is a great tool, and it’s not new. But it’s probably still fairly new for most government agencies because it involves endpoint management and a specific level of expertise, which can be complex.

I’m a big fan of the MITRE Att&ck Framework [a reference detailing tactics and techniques commonly used by attackers during network intrusions], and we do a lot of tabletops, based on the threat landscape we see, to identify what might be happening within our region or other jurisdictions.

[Read also: What is threat hunting and why does it matter?]

So again, it all comes back to collaboration. Because if the City of Los Angeles is getting hit with something that might be related to us, it could also be happening in Pasadena, Santa Monica, Burbank, or elsewhere.

Tell us about a hard lesson you’ve learned in the last year.

Well, fortunately, we haven’t had any big incidents. But we are concerned about supply-chain risk management and trying to get better at it.

Strong leaders have the foresight to look at these out-of-the-box things and consider what’s next.

The SolarWinds hack [where hackers inserted malicious code into commonly used software to breach tens of thousands of government and corporate networks] brought that to light. We’re a big county. We have lots of vendors. So, getting on top of supply chain risk is critical for us. We’re always asking, “What is our third-party risk? What is the third-party risk across the entire landscape? And how do we validate vendors are complying with our security requirements?”

To address that, we created something called our Security and Privacy Exhibit, which lays out the county and contractors’ commitments and agreement to meet their obligations under applicable state or federal laws, rules, or regulations, as well as applicable industry standards concerning privacy. It gets into everything from audits to incident response, and so forth.

[Read also: The chief AI officer (CAIO) is here – it’s time to make room in the C-suite]

We have an addendum for different cloud services, and right now we’re rewriting it to also address the use of generative AI because we’re convinced that it’s here to stay. In fact, we want to put up guardrails for that now while there’s time.

How do you stay ahead of the curve on these new and emerging technologies?

I think most CISOs have the same playbook for that. We talk with each other, and we’re paying attention to what’s happening in the industry.

Being CISO for a government organization, I also get a lot of threat briefs from federal partners, including MS-ISAC (the Multi-State Information Sharing and Analysis Center). There’s a lot of useful information that comes out of all that. We also have monthly meetings with the FBI to get a good sense of what’s happening from a nation-state threat perspective. And then, there’s your own curiosity. Looking into the implications of something like ChatGPT, which is gaining momentum, and looking ahead and thinking about security in a quantum computing world.

Strong leaders have the foresight to look at these out-of-the-box things and consider what’s next. They might not be here today, but you have to understand what might happen if they do arrive.

---

TO LEARN MORE

Check out other exclusive interviews with security leaders in our “Success Stories” series.

• CISO Success Story – Predicting Cyber Risk (Accurately) Is Easier With This Guy’s Formula
• CISO Success Story – How to Build Trust With the Board? Don’t Talk Cybersecurity (Much)
• CIO Success Story – Looking At the Flip Side of Third-Party Risk
• CISO Success Story – How Zoom Achieved Cybersecurity 2.0 With Cyber Risk Scoring