Technology has become the love of his life — after his wife and their three sons, of course — but Vincent Hoang went off to college at the University of California at Riverside with a different plan altogether: getting an M.D.
“I think that would have been a fine profession to go into, except the technology had a stronger draw,” Hoang said. He added with a laugh: “Much to my parents’ dismay.”
Even so, he’s doing quite well. Hoang, 41, came out on top of a nationwide search for Hawaii’s first chief information security officer, said his boss, Todd Nacapuy, the state chief information officer.
Hoang is about a month into his job and is still scoping out the security vulnerabilities in need of improvement. This is in the midst of the state’s larger project of upgrading systems and moving them to a private cloud. And for those who don’t speak IT, the “cloud” means computing processes running on an external network of computers based on the mainland.
Cybersecurity is top of mind nationally, and it’s hardly a remote concern for Hawaii. Nacapuy added: Every day the state thwarts some 40 million “ransomware” cyberattacks, in which payment is demanded to regain access to data and systems. The current national concern about cybersecurity is good, Hoang said, but he’s not pushing the panic button.
“I’m concerned about all the theories being thrown about,” he said. “As a citizen, I would just sit back and wait for the facts.”
Question: What would you say is the biggest distinction between IT work here as opposed to your private-sector experience?
Answer: With what I’d worked with previously, the biggest difference is just the size. The size of the state and their responsibility is much larger than most businesses.
Q: And there’s a lot of infrastructure upgrading that’s going on here?
A: In every organization, there’s constant upgrades. … I think historically people try to drag the equipment out so that it lasts 10 years. But that’s not realistic.
And as technology moves faster and things evolve faster, the businesses have to accept that we need to react accordingly. So we go through these refreshes more quickly, both on the hardware side and the software side.
And the biggest challenge is to have the employees be able to react to the technology changes as well.
Q: There’s suddenly a lot of interest, globally and locally, in cybersecurity.
A: It’s a very hot field right now.
Q: Is the fact that it’s hot right now just kind of happenstance, or have there been really significant risks?
A: I think we’re reacting to how quickly technology is changing. That risk always existed in the past, but I don’t think businesses were able to evolve and react quickly enough to the changes in technology.
So as technology moves faster and faster, so do the inherent risks that come with it.
And I think we’re at this point right now where the talk of cybersecurity in the past was, “What could happen? What if something breaks?” Now we’re seeing news release after news release of infrastructure getting compromised, and there being disclosure laws. And we’re seeing more and more cybersecurity incidents being communicated.
Q: Is that because businesses have not been able to keep up with vulnerabilities?
A: Yes. I refer to that as “technical debt,” where you have to meet certain business goals, and you get by with what you can. And as you skip certain processes, the issues build and build and build, until there’s so much debt that you have to pay it back in some way. …
There have been some reports that worldwide I believe there are about a million cybersecurity jobs that are in demand right now. And right now that is very unrealistic to be able to fill all that.
You can look at the positions on-island that are available. It’s a very demanding field, even locally. …
Q: And there’s been a brain drain of people locally to fill them?
A: The term “brain drain” I’ve heard about for 15 or 20 years now. So part of my role is to slow it down, try to stop it.
Q: Given the state’s backlog of IT upgrades, is there system work that needs to happen at the same time as security improvements?
A: I’m looking at it as an opportunity. We have a “cloud first” initiative, and what we’ll be doing there is looking at all the infrastructure that we have that we need to be able to support today, and look at programs and how to get those systems retrofitted, migrating that into the cloud so that it’s easier to maintain and operate — and also be more secure, compared to what we have now. And those that we cannot, we will find alternatives for.
Q: What is your goal, in terms of public security? What do people need to be concerned about?
A: My mission is to help secure the state. One of the largest initiatives is to focus on getting the visibility that’s needed, so we can see what’s happening in different parts of the state. I’m doing an assessment to try to find out what areas need improvement to provide that visibility.
Q: Visibility … ?
A: Of the infrastructure itself. We’re thwarting threats every day now and improving the visibility so we can see different parts of the infrastructure.
Q: So visibility of the threats?
A: Yes. We have a pretty robust perimeter security right now, and I’ll be working with the departments to make improvements within the departments so we can better protect them. …
In a lot of organizations, IT is responsible for making sure the equipment is on, that it’s working. People only respond when there’s an outage, when the service is not available to the user.
What I mean by visibility is improving the monitoring, from the availability side, but also from the security side, so that we can be more predictive, be able to see potential issues and react faster, rather than waiting for when it’s too late.
Q: Where do our vulnerabilities lie? What sort of attacks would we need to be most worried about?
A: I still need to do an assessment to get a better idea of what we’re doing. I feel we have a strong perimeter … we’re still looking and investigating.
Q: This field is constantly morphing, isn’t it?
A: It’s a very exciting field. The fundamentals I don’t think change that much. But the actual tactics, what you actually do, yes, that piece is ever-evolving.
Q: How has the approach of hackers changed?
A: “Ransomware” is very buzzworthy. In the past, malware meant to just be obnoxious, to cause problems, for trickery. And then it evolved to the point where it was disabling systems and now it’s more for money, there’s a profit motive to it.
If someone gets infected with ransomware, they’re essentially locked out of their data, or from their machine. And the only way to recover that, if you don’t have proper backups, is to pay their said ransom, so that it would unlock …
The best approach there is to be proactive and perform the proper backups so you have something to fall back on and put in a lot of preventive controls to help catch the ransomware before they’re caught. …
Q: How did you end up in this field?
A: I love technology. Part of its rapid change is my draw to it. It’s ever-evolving. It’s something that piqued my interest early on, and it hasn’t slowed down. …
I was drawn to computers at an early age. Computers weren’t too advanced at the time. The most extreme thing I did was use my allowance to buy a book to teach myself programming when I was in fourth grade. …
But it wasn’t until the end of my college experience that I realized that technology was really what was set for me. …
I gave up sleep to read about technology rather than working on my papers.