Tessian Spotlight: Craig Hopkins, Chief Information Officer for the City of San Antonio

  • 25 September 2019

Craig Hopkins has been Chief Information Officer and IT Director for the City of San Antonio for over two years, after spending more than 20 years in financial services. San Antonio is the seventh-most populous city in the United States, and as CIO Craig manages systems integration, user experience, cyber and physical security, and portfolio prioritization for the city. This includes aligning the City of San Antonio’s 42 departments and almost 13,000 employees and developing a business strategy to ensure that each department accomplishes its mission, takes care of its employees, and remains secure.

What are the greatest challenges that you’ve faced being in the role?

Originally, when I came into the role, my primary responsibility was to build new technology relationships across the 42 departments that make up the city. This included looking at different departments’ business strategies and helping them leverage technology to support those strategies. The second area of focus was to set and strengthen the culture inside of the IT organization and to work with our municipal partners across San Antonio as well. I think we’ve done a great job over the past two years on these focus areas.

Now the team is integrating systems and processes across departments with a focus on common platforms and prioritizing the user experience. We’re utilizing design thinking techniques and are becoming more of a consultant to the departments rather than building individual technology silos. We’re also having the departments work together on a common set of platforms that help with user problems, not just individual problems that are department specific.

As the CIO of San Antonio, are there any core security principles that help guide your approach to security?

In the first year we were really focusing on the information security foundation and making sure that we were as strong as we could be with our policies and tools. However, we wanted to make sure that information security was not the only component. It’s really about understanding your overall security posture, which is a combination of physical, data and cyber. In the past year we’ve improved our principles based on the NIST framework, with a focus on a comprehensive training program for our employees, network hardening, updating obsolete systems, threat profiling and vulnerability analysis. This has helped with communicating our policies and procedures and raising the cultural awareness within our organization. Security is everyone’s responsibility.

What unique pressures and dynamics do you face when it comes to cybersecurity decisions in the public sector?

Typically, people that work in tech will tell you that technology is the most important factor when it comes to making decisions about cybersecurity. What I’ve learned is that in reality, it’s about people. The human factor is incredibly important because people can be great at detecting threats and abnormalities in the system, more so than any tool, but they can also be your greatest internal threat, either intentionally or unintentionally.

What we try to do here is to teach behaviors and have protocols that can minimize the risk of intentional and unintentional issues, such as only giving systems access to those who need it and constantly refreshing and validating the user rights. This sounds basic, but it’s the foundational practices and business processes that solidify your position. We also provide peer oversight, technical training, and teach how to combat social engineering. Ultimately, we want people to understand these threats to make sure that we are always leveraging our people first and our technology second.
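The access-hygiene practice described in this answer, granting rights only to those who need them and regularly re-validating them, is the kind of thing that can be turned into a routine, scriptable review. The following Python check is an added example and is not code from the City of San Antonio or from Tessian; the roles, users, entitlement names and dates are constructed sample data, and the 90-day staleness window is an assumed threshold a reviewer would tune to their own policy.

```python
"""Access-rights recertification check: flag grants that no longer match
need-to-know. Sample data below is constructed for illustration only."""
from datetime import date, timedelta

# Constructed role-to-entitlement map: what each job role is expected to hold.
ROLE_ENTITLEMENTS = {
    "permit-clerk": {"permits-app:read", "permits-app:write"},
    "payroll-analyst": {"hr-system:read", "payroll:read"},
    "sysadmin": {"ad:admin", "vpn:access"},
}

# Constructed HR view of staff: who is still employed and in which role.
USERS = [
    {"user": "alice", "role": "permit-clerk", "active": True},
    {"user": "bob", "role": "payroll-analyst", "active": True},
    {"user": "carol", "role": "permit-clerk", "active": False},  # has left
]

# Constructed export from the access system: (user, entitlement, last used).
# A last_used of None means the right was granted but never exercised.
GRANTS = [
    ("alice", "permits-app:read", date(2019, 9, 20)),
    ("alice", "permits-app:write", date(2019, 9, 15)),
    ("alice", "payroll:read", date(2019, 9, 22)),     # not in her role
    ("bob", "hr-system:read", date(2019, 3, 1)),       # unused for months
    ("bob", "payroll:read", None),                     # never used
    ("carol", "permits-app:read", date(2018, 8, 1)),   # account should be gone
    ("dave", "vpn:access", date(2019, 9, 24)),         # nobody in HR knows dave
]

TODAY = date(2019, 9, 25)  # fixed review date so the example is reproducible


def review_access(users, grants, role_entitlements, today, stale_days=90):
    """Return a list of (finding, user, entitlement) tuples.

    orphaned     - the user is no longer active but still holds a right
    unknown-user - the right belongs to an identity HR has no record of
    out-of-role  - the right is not part of the user's role (least privilege)
    stale        - the right is in-role but unused for stale_days (or ever)
    """
    active = {u["user"]: u for u in users if u["active"]}
    inactive = {u["user"] for u in users if not u["active"]}
    cutoff = today - timedelta(days=stale_days)
    findings = []
    for user, entitlement, last_used in grants:
        if user in inactive:
            findings.append(("orphaned", user, entitlement))
            continue
        if user not in active:
            findings.append(("unknown-user", user, entitlement))
            continue
        expected = role_entitlements.get(active[user]["role"], set())
        if entitlement not in expected:
            findings.append(("out-of-role", user, entitlement))
        elif last_used is None or last_used < cutoff:
            findings.append(("stale", user, entitlement))
    return findings


def summarize(findings):
    """Count findings by type so a reviewer can see where the drift is."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(USERS, GRANTS, ROLE_ENTITLEMENTS, TODAY)
    for kind, user, entitlement in results:
        print(f"{kind:13} {user:8} {entitlement}")
    print(summarize(results))
```

Each finding type maps to a different follow-up: orphaned and unknown-user grants go to the identity team for removal, out-of-role grants go to the owning manager for justification, and stale grants are candidates for revocation under the principle that an unused right is only risk. Running this against a fresh export on a schedule is what "constantly refreshing and validating the user rights" looks like in practice.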

What are the common misconceptions about the role of information security?

One of the common misconceptions that I hear is that an organization’s best defense is their technology tools. My response to that is actually that the best defense is a workplace culture that prioritizes cyber and physical security and creates aware and engaged employees and leaders. A second common misconception is that cybersecurity is for the IT team to solve. I believe that cybersecurity isn’t just an IT problem, it’s for leadership to solve for across the organization. It’s the job of all leaders to support and protect our employees on our teams.

Looking forward, what type of security culture do you want to create within the City of San Antonio a few years from now?

A security-conscious culture where cyber, data, and physical security are naturally integrated into everything we do and every design decision that we make. It can’t be the only thing that we think about, because you can’t run a business that way, but it must be embedded in our thinking and our architecture, as we seek to improve the lives of our citizens and our employees in San Antonio. That is the culture that we want to build into our organization.