Herman Brown, Office of District Attorney City & County San Francisco
Herman Brown
CIO
Office of District Attorney City & County San Francisco

Been in tech for over 25, years, active duty in the navy the then he graduated from USF. He worked for a bunch of different jobs in the private sector before he became CIO of the DA office, the IT shop has grown from a single person to now active staff of 8 with two open positions. His role of CIO is responsibility for all tech issues, infrastructure, cybersecurity, he works with the city cyber security team, so they provide the baseline but the DA’s he falls under DOJ regulations. There’s a bunch of data segments that they do not allow outside of the four walls his role as prosecutors is public safety so they go after businesses that are stepping over the line. So they hold a whole manner of organisations accountable, so if someone from outside of the organisation were to gain access it could be catastrophic. He worked for the DOT (dept of tech) so he ran enterprise. So he was migrating to office 365, everyone said their data was too sensitive, then as he met them individually they didn’t have basic password policies. How to set an acceptable level of risk, he’s going to categorise everything as low, medium and high risk. His job is to get everything to low. His job is to manage the conflict between business operations and security. It’s up to the organisation to accept that risk level, nobody is interested in their data or what they do, if he’s a defendant, so what does it mean form a trial and dollar perspective as well as reputational risk? More and more ransomware and it’s not so much about can I access your content? They don’t care what the data is so long as. 16-17 units, so its change management across a huge organisation. Pride-accountability-communication, innovation and teamwork. That has really helped change the position of IT so the business see’s IT as the business partner, he’s at the table he’s talking with the attorneys and leadership and understanding. So it requires IT to understand the business, they introduced a new case-management system, so it’s the primary objective and a huge project. The vendor was already selected and he refused to sign the contract. Bespoke vs off the shelf – in terms of vendor selection. 5 year projects. The culture was change-resistant, how do you manage the culture and educate our staff and leadership as well as the business being a part of the overall effort.