Lessons Learned: Securing Technology on the Edge at Massive Scale
Session Leader: Maria Sumnicht
Question: The technology deployments for your NYC Cyber Command responsibilities were much larger and more complex than what most of the GSO 2025 attendees have to oversee. Are some of your lessons learned still applicable to the more narrowly focused enterprise security technology deployments?
Sumnicht: They definitely apply because although the scale of their security technology infrastructure is smaller and less complex than the totality of what we dealt with, many of the people, process and technology elements are very similar, including the technology risks. The practices and approaches we took – still in effect now – can be used to assure success across city agencies and enterprise organizations.
Question: Can you describe some of the practices and approaches that were critically important to your successes?
Sumnicht: Yes, there are three critical elements that we could not have been successful without. The first is governance. This is especially important for multi-city and multi-country deployments. You need to have some sort of governance established from a security perspective that gives you the ability to work in the realm of cybersecurity and be able to execute on that mission, which is securing technology. That’s number one. For example, when the former mayor established Cyber Command for the City of New York, he gave that agency governance in the cybersecurity realm over all other mayoral reporting agencies. If you are charged with assuring the functionality and availability of the technology systems, you need to be enabled to act on those responsibilities.
For enterprise business technology deployments, IT typically holds that responsibility. However, I am told that in the early days of locally networked physical security systems with no Internet connections and few if any system integrations, it was a practice to exempt Security departments from business computer and network requirements. And in some organizations that practice has carried forward into the present day.
However, security system AI-based analytics now can generate a wealth of data having both security and business operations value. Some of this data is classified as personally identifiable information (PII), and some is business confidential. The liabilities involved in failing to properly handle and safeguard the data can be substantial. This is part of why the governance aspect is so important. In an enterprise organization, this usually involves collaboration with the IT, Legal, Finance and Compliance functions.
Question: Aren’t many IoT, OT and ICS technologies installed and serviced by external service providers? How can you extend governance to them?
Question: And the third critical requirement is?
Sumnicht: The third key success pillar is legal agreements. It’s the legal agreements that bind the vendors to the review process. Of course, we clearly communicate to the vendors what the cybersecurity requirements are and what processes are involved. We want the process to be smooth for them and us, which overall means having clearly defined processes and evaluation points. There are 3 legal documents that a technology vendor enters into with the City. These documents are presented to the vendor at the Department of Information Technology Cloud/IoT Review Process. The documents are: 1) Hosted Cloud Legal Agreement (Cloud Rider); 2) Service End User Level Agreement (SEULA); 3) Penetration Testing Agreement.
The Cloud Rider was focused on securing the cloud environment and protected the City legally in a hosted cloud environment.
The Service End User Agreement protected the City by clearly defining service, support and upgrades for the technology.