Wednesday, September 18, 2024

County allocates $38,500 for IT assessment


The Hood County Commissioners Court unanimously approved a $38,500 contract with a local firm to conduct a thorough IT assessment during a regularly scheduled meeting Aug. 27.

Early last month, Precinct 4 Commissioner Dave Eagle brought forward the idea to have the Hood County IT department undergo an audit in order to gain a clear understanding of the department’s daily activities and overall performance.

The agenda item was initially met with pushback from members of the court and Hood County residents, who argued that the audit was unnecessary given the department’s success. Others viewed it as a form of micromanagement.

Despite the resistance, however, the court unanimously decided to hire SLG Technologies out of Glen Rose to conduct a comprehensive evaluation of the IT department.

During the meeting, SLG Technologies President Ed Gossett addressed concerns about the proposed IT assessment, clarifying that it differs significantly from a traditional financial audit. Gossett explained that the IT assessment is not about assigning blame or penalties but rather about collaborating with the existing IT team to identify and address risks.

“IT is very unique,” he said. “There are threats that change daily, if not hourly. You can look in the news and go back just within a couple of months, and you can see huge companies that have been attacked and breached because of IT issues, and they have outstanding IT departments, so it’s nothing against the IT department.”

Gossett went on to explain the process will involve a collaborative effort, where his company will evaluate the current environment and then provide recommendations on enhancing processes and security. He noted he prefers not to use the term "audit," as the focus is on evaluating and enhancing the network and its security rather than conducting a traditional audit.

Hood County Judge Ron Massingill emphasized that the IT department has already proven its effectiveness by successfully thwarting a sophisticated hack that prompted immediate involvement from federal and state agencies. He noted that, unlike neighboring Parker County and the City of Granbury — which both suffered severe breaches and operational disruptions — Hood County's IT team managed to prevent any data loss or financial damage.

“Doesn't that say something for our IT department?” Massingill asked, arguing that this success demonstrates the department's competence.

“I can't speak specific to that instance, because I don't know what the attack was — but to deny that there is something out there that you can assess and constantly improve on ... I mean, that's our whole goal is to constantly improve on security, improve on processes and make things better, right?” Gossett asked. “If you are breached tomorrow, that could cost the county millions of dollars.”

He also recommended the county regularly conduct these assessments, ideally annually or biennially, to stay ahead of evolving threats.

Massingill asked how the assessment would help the county’s IT department. Gossett explained that an external review would provide another set of eyes and a fresh perspective.

“It's better to have multiple people looking at it from different angles,” he explained. “We may come in and say, ‘Hey, they passed with flying colors, and everything's great,’ but if you find one incident on the network that needs improvement, then you know your return on investment is well paid for.”

Gossett then reiterated that this will be a collaborative effort and emphasized that his company is not aiming to take over or criticize the current IT team. He added that at the end of the audit, his team will ask for a closed session to review everything with the court.

“If there is something found, that doesn't need to be published to the public,” Gossett said. “That needs to be behind closed doors, and a discussion that says, ‘Hey, here you have a potential risk, and this is how you address it.’”

Gossett clarified that regardless of which company is chosen for the assessment, no firm can guarantee that future issues won’t arise. He explained that the goal of the assessment is to safeguard the infrastructure from both external and internal threats, noting that employees can be the "biggest threat" to security.

Massingill asked if the assessment would include suggestions on optimizing the department's time and efficiency. Gossett confirmed that the evaluation will cover the entire department, offering recommendations for enhancing various aspects such as the ticketing system and daily operations.

Gossett also revealed his company has conducted assessments for the counties of both Erath and Somervell.

“The fact that you showed up here today speaks volumes,” Massingill said.

Precinct 3 Commissioner Jack Wilson said the fact SLG Technologies is CJIS-certified is also a plus. The Criminal Justice Information Services certification is a requirement for organizations that use or access criminal justice information.

“I would just like to ease the tension, because like I said, it's not an attack,” Gossett added. “This is just an assessment and a collaboration effort. Then we come back and kind of review it as a team and make recommendations. That's all we're doing.”

Eagle also highlighted that the one key factor in selecting a firm for the IT assessment is CJIS certification, which the firm in question has. He noted that among the five companies considered, only two are CJIS approved.

He also mentioned his own challenges with understanding IT terminology and procedures, emphasizing the importance of having an external party come in to clarify these aspects and provide a clearer picture of the IT operations.

Precinct 1 Commissioner Kevin Andrews echoed Gossett’s statement that the assessment is not adversarial toward the IT department. He explained that he is not in this for a “witch hunt.”

“This is more a question of, ‘What does the infrastructure look like?’ ‘What's going on behind the scenes and underneath?’ And ‘Is there something that we need to learn?’” Andrews said. “This is not adversarial. This is, ‘Is there a way to improve?’ to make sure that the next attack is stopped, like the last one was.”

IT Chief Information Officer Drew Wiederkehr explained he doesn’t mind going through the audit to see if the department has any vulnerabilities. However, he voiced concern about how the county will handle the findings once the assessment is completed.

Eagle responded that he doesn’t have the answer to that at this time as it is impossible to predict how the county will address the findings.

“We'll have to see what happens first,” Eagle said. “If it's something we can take action on immediately, yes. If it's something that's going to require a lot of money, we'll have to talk about it. But that's an unanswerable question at this stage, in my opinion, but it will be addressed.”

Gossett confirmed that his company offers a risk matrix, which identifies the department’s highest risks and includes a detailed cost analysis for addressing those risks. He also added that an assessment often uncovers not just costs but potential savings as well.

“We come in and assess something and we say, ‘Hey, you can change this and save this much money per year.’ We've done that both in Somervell and Erath,” Gossett said. “We've probably saved Somervell $200,000 a year by changing things in their network and making improvements, so it's not always a cost. Sometimes there's savings. A lot of times there's savings.”

Gossett also mentioned that if his firm were selected for the assessment, it would likely take about three weeks to commence — with the entire process estimated to take between 30 and 60 days to complete.

During public comments, resident David Farris emphasized the importance of a collaborative approach to cybersecurity assessments, drawing from his extensive experience in the field.

Farris compared Hood County’s situation to his previous role in a company with a substantial cybersecurity budget, noting that while they faced constant attacks from numerous global hackers, Hood County's less prominent profile might make it less of a target. Despite this, Farris stressed that regular reviews are crucial because vulnerabilities can exist in unexpected places.

Farris also stated that he didn’t hear anything from Gossett’s presentation that he didn’t like, adding that he agreed with everything Gossett said.

“You need to do this analysis, because the risk is too big,” Farris added. “And trust me, the thing is, you may have stopped one hack, but there will be another.”

Eagle made a motion to accept the proposal from SLG Technologies to conduct an assessment of Hood County’s IT department at a cost of $38,500 out of Fund 55. Following a second from Wilson, the motion passed unanimously.

“You’re unanimously hired, sir,” Massingill said to Gossett.