public sector network banner image


Government Innovator Q&A:
Chris Letterman, Chief Information Security Officer, State of Alaska, Department of Administration 

Meet Chris Letterman, Chief Information Security Officer, State of Alaska, Department of Administration 

Born and raised in Kentucky, I am the youngest of 6 and straight from college (@University of Louisville) I joined the U.S. Navy to serve as an Electronics Technician. While in, I was chosen to attend specialty school in crypto and communication security. The Navy is what brought me to Alaska back in 1994.

After the Navy, I relocated to Juneau and immediately fell into an opportunity to work for a national communications company building out a cellular network. I started my career in public service with the State of Alaska in 1998, and since then have worked for the Department of Education, the Department of Health and Social Services, and the Department of Administration in numerous technical and technical management positions.

In 2013, I was tapped to serve as the Chief Security Officer and manage the state security office in Enterprise Technology Services. I fulfilled that position until I departed state service in 2017 to join an Alaskan consulting company as their principal cyber security consultant. In 2021, I found my way back to state service as the Chief Information Security Officer.

In my personal life, my priorities are family & community service. I try to make every day count.

In work I’m driven by a singular question – “Did I make a difference?” This helps support the long view because the day to day can cloud the bigger picture at times; we are human after all. Setting and staying true to your goals is key.

I place value on communication and working smarter, rather than harder – mistakes are just learning opportunities in disguise! And INTEGRITY, I own my thoughts and decisions. If I make a mistake, I alone own it.

Q1:

What is your favorite part of your role as Chief Information Security Officer?

Answer: My favorite part is building relationships with policy and business leaders. There is a great satisfaction in educating leaders about the growing pervasive threats our systems and entrusted data face every single day. Through the transformation from an internal technical resource to a true advisor; I’m entrusted to take proactive steps to increase our security posture.   

Q2:

Your Panel Session – Your Data Has Been Kidnapped: Should You Pay the Ransom? will discuss the pros and cons of paying a ransom and get thoughts on it.  Is there one principal of this that is essential to your department? Can you explain why?

Answer: If the question on the table is “will you pay” – my answer would be No. Not simply because in public sector we are held to high fiduciary expectation; but personally, I would not appreciate learning my government diverted public monies meant to deliver a service to citizens. That said, from 2020-2021 Ransomware attacks have increased 180% and there is little to suggest that figure will diminish in the immediate future. In the face of that reality paying a ransom demand is an attractive “Easy Button” many organizations fall victim to smashing. However, doing so has a limited success rate, of ransoms paid, organizations recover only 65% or less of encrypted data. Only 8% of paying organizations successfully recover all data! Additionally, paying victims are opening themselves up for a recurrent cycle of additional ransomware attacks. Over 80% of paying victims experience a second and some a third ransomware attack from the same attacker! (Gartner & SecurityWeek)

Q3:

What is the #1 mistake that you’ve seen government leaders make while planning executing cybersecurity programs? How can those who have made this mistake begin to rectify it?

Answer: It is a common occurrence in victim organizations to see post-cyber incident investments in cyber security; meant to stop the bleeding and stabilize the patient enough to get them working again. Government operates in an inherited disadvantage of changing politics, changing leadership, and on average lags Private Sector technology trends by a decade or more. Given this, an inherent risk to Government is obsolete technology and having a capacity to manage technology lifecycle appropriately – this extends to cybersecurity and ratchets up the challenges for cyber defenders. These risks compound year over year and when a cybersecurity incident happens; funding will materialize, but it is rare it will be enough to mitigate legacy technology risk. To alleviate this, Government leaders need to establish recurrent funding commitments to ensure technology does not age into obsolescence leaving unsupportable platforms.

Q4:

Is there a future project you’re working on that you’re particularly excited about? What impact do you hope this will this project have on the agency & state at large?

Answer: I’m not at liberty to share detailed specifics; but I can generally share I am committed to a path of reducing complexity for my cyber defenders. When organizations make the mistake of investing in “best of breed” solutions; they are left with under resourced, partially deployed solutions that fall short of the sales literature. Instead, my focus, and others across the nation are on a path to consolidate solutions. Doing so offers a less complex and less complicated work environment for cyber first responders. That is incredibly important when seconds and minutes matter. 

Q5:

What advice would you give anyone who is considering a career in the public sector? 

Answer: Public sector service is an opportunity to be part of societal evolution. Government work is not glass walls, ultra modern offices, catered breakrooms, or bleeding edge technology; it is a chance to be of service to constituents and citizens depending on safe, secure, and reliable government services.

10