Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Products & Solutions

Cal-Secure: How California is Charting a Course for Whole of State Cybersecurity


Zscaler recently hosted a webinar on Cal-Secure, the State of California’s first multi-year cybersecurity roadmap. The webinar featured several distinguished speakers including Vitaliy Panych, State CISO at the California Department of Technology, Dylan Pletcher, CISO at the State of California Department of State Hospitals, Angelo Di Carlo, Senior Systems Engineer at Zscaler, and moderated by Carlos Ramos, Principal Consultant at Maestro Public Sector and former State of California CIO. The complete webinar can be watched on-demand here.

Cal-Secure program overview

Vitaliy Panych, State CISO at the California Department of Technology, provided an excellent overview of the Cal-Secure program, a cybersecurity roadmap developed by the state of California to address the increasing threats posed by cyber attackers. 

With the growing sophistication of attacks and the ease with which they can be carried out, it has become increasingly important to have a clear and well-defined cybersecurity strategy in place. Cal-Secure was developed in collaboration with state agencies, military departments, vendors, local entities, and former CISOs, with more than 450 hours of workshops dedicated to its creation. The Cal-Secure roadmap has three pillars: people, process, and technology.

Cal-Secure roadmap has three pillars: people, process and technology.

The first pillar, people, focuses on building a world-class cybersecurity workforce, as well as addressing the talent gap that is currently being faced in the cybersecurity field. In California alone, there are 80,000 open job vacancies in both the public and private sectors, and that number is likely to be even higher. Building a confident and empowered multidisciplinary team is essential to ensuring the success of Cal-Secure.

The second pillar, process, focuses on building a federated cybersecurity oversight program that will allow the state to keep itself accountable, track maturity, and work with partners at the state, federal, public, and private sector levels.

The third pillar, technology, focuses on delivering clear, fast, secure, and dependable public services, making technology access easy and repeatable across the state, building security and privacy controls into everything that the state does, and centralizing security control services.

A key aspect to the program is how to measure and govern state agencies so that they're moving and solving the right priorities at the right time. Cal-Secure includes a four-year and a two-year risk oversight cycle. There are multiple engagements that are applied to state agencies to measure what their policy procedure and policy framework is within a department. The California Maturity Metric Model is then applied to measure the effectiveness of how security controls are implemented and test the various security controls applied within the framework. 

Cal-Secure Oversight Model


The Cal-Secure roadmap is not just about technology, but also about the people and processes that support it. By adopting Cal-Secure, state agencies can leverage it as an overarching framework and adopt security control categories that are most important to their specific business objectives and mission. The goal is to integrate all the strategies and objectives into a cohesive whole, with a focus on building a diverse and cybersecurity-minded workforce, making technology easy to access, building a confident and empowered multidisciplinary team, and building security and privacy controls into everything the state does.

Vitaliy’s complete presentation and slides are available on demand here.

The agency perspective on Cal-Secure

Dylan Pletcher, CISO, State of California Department of Hospitals, provided his perspective on Cal-Secure as a powerful tool that has been leveraged in three different ways by organizations looking to improve their security posture. First, Cal-Secure serves as a justification for spending, providing a validation that the investment is critical and has the support of state CISO and the governor. Second, Cal-Secure helps organizations strategize and plan their next steps, providing guidance and aligning their strategy and roadmap with industry best practices. Lastly, Cal-Secure helps tell a story to non-IT personnel, making it easier for organizations to communicate the importance of security and the steps they are taking to improve it.

However, Cal-Secure should not be seen as a panacea for all security problems. IT professionals often focus too much on the technology side of security and not enough on the people and process. Cal-Secure provides advice on reaching out to different people, including visiting job fairs and talking about security as a profession. Good security analysts are more important than good technicians, as security is about thinking things through and being able to analyze and assess threats. Organizations should look for employees with strong analytical skills and not just focus on those with a background in IT security. This includes individuals from different fields, such as physics, who can bring unique perspectives and strengths to the security team.

Cal-Secure provides valuable guidance and support for organizations looking to improve their security posture. By leveraging Cal-Secure, organizations can justify their investments, strategize and plan their next steps, and communicate the importance of security to their personnel. However, organizations must also focus on the people and process side of security and look for employees with strong analytical skills, not just those with a background in IT security.

The full Q&A with Dylan Pletcher is the focus of our next blog.

The technical roadmap

To complete the presentation, Angelo Di Carlo, senior systems engineer at Zscaler, reviewed a Zscaler Cal-Secure Alignment white paper on how Zscaler can help agencies to comply. Zscaler has a product portfolio focused on three pillars: Zscaler for users, Zscaler for workloads, and Zscaler for IoT. 

Zscaler solutions for Cal-Secure


Zscaler for Users provides secure internet and SaaS access and secure private application access to deliver zero trust security around remote workforce, remote users, data centers and branch offices. Zscaler for workloads addresses cloud security, secure internet SaaS access, secure workloads, workload communication, and posture control for cloud environments. Zscaler for IoT/OT delivers secure IoT device connectivity and privileged remote access for OT devices.

The white paper includes a detailed technology alignment component and a visual representation of Zscalar's level of alignment with the Cal-Secure framework. 

Cal-Secure/Zscaler capabilities alignment


Next steps

Cal-Secure is a ground-breaking program for a whole of state approach to collaboratively tackling cybersecurity threats across state, local, county, education and the private sector. The full webinar can be found on-demand here. For more information on the program, view the Cal-Secure Multi-Year Information Security Maturity Roadmap. 

We encourage anyone interested in more information to reach out to their account team for a deeper engagement and to request a workshop with Zscalar's architecture specialists and consulting engineers. We are also happy to provide a copy of the Zscaler Cal-Secure Alignment white paper or webinar slides for those interested. Simply contact us with your request.

For more information about Zscaler’s full suite of public sector solutions, visit our State and Local government page.


form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.