Glendon Schmitz, Chief Information Security and Privacy Officer at Virginia SCC, discusses building a successful cybersecurity function

When it comes to government organisations, cybersecurity has to be a top priority. The sensitive data of individuals and businesses is at stake for bodies like the Virginia State Corporation Commission (SCC). The regulatory agency’s authority covers a range of areas, from utilities to financial institutions to railroads. This means having robust security is a must, and in November last year, in stepped someone with a proven track record of creating brand new cybersecurity landscapes from almost nothing: Glendon Schmitz.

When we last spoke to Schmitz back in 2023, he was working his magic at the Virginia Department of Behavioral Health and Developmental Services (DBHDS). There, he built a cybersecurity function from scratch to support Virginians’ wellness and recovery needs. In an area where information is particularly sensitive, Schmitz delivered the security that was needed.

Since his success at DBHDS, he has moved on to SCC for a new challenge as Chief Information Security and Privacy Officer. For this, Schmitz feels that his work at DBHDS added a new string to his bow to help him tackle the role. “The skills I’ve learned over the past few years working at DBHDS that have translated over to here include putting together teams and getting the right people in the right places,” he explains. “That job honed my skills in evaluating my current team and really looking at their strengths and weaknesses, as well as putting them in areas where their skills best help the organisation.”

A New Challenge

Schmitz knew, upon stepping into this position, that this would be another interesting challenge. His team at SCC is tiny – only two other people – making up the Office of Technology Governance. This means that there is a vast array of topics under Schmitz’s purview. 

“I’m talking about data privacy, data governance, SSPs, all things governance, risk, and compliance (GRC), making sure we’re ready for audit – all of that,” he explains. “And I have this team of two people. So this is where having people in the right places becomes extremely vital. I need to put them in the right places at the right time and then develop them as we move along in the organisation.”

Risk-Based vs. Compliance-Based

Virginia’s IT agency has dictated about 1,400 controls for a system, and makes no differentiation between criticality, data classification, or data sensitivity. Because of this, Schmitz is morphing SCC into a risk-based organisation, rather than compliance-based. “When I showed everyone my system security document, their heads exploded,” he says. “So I explained that we’re going to classify our data and organise it by security tiers. If it’s tier one – the highest classification – that’s the most sensitive data that we must protect. Tier two may have 75% or 80% controls. Then as we work down to tier three and four, maybe it’s just a cursory look. 

“The reason for all of this is that in my previous organisation, we spent about 90% of our time trying to secure the data 2% more. That doesn’t make sense,” says Schmitz. “With a team as small as mine, I don’t have time to sit and try to get it to 100%. It’s a waste of cycles. So looking at it from a risk management framework perspective for GRC works for us.”
