States strive for robust IT security

A survey by the National Association of State Chief Information Officers shows that state governments are paying more attention to information security, hiring chief information security officers and giving them defined budgets and enforcement authority.

'Security is a hot topic in all the states, we're all dealing with it,' said Nebraska CIO Brenda Decker in a conference call announcing the survey results.

NASCIO's report drew responses from 41 states, of which 83 percent had chief information security officers. Of the respondents, 60 percent had defined budgets, but even those are not getting the funding they need, said Larry Kettlewell, CISO for Kansas, who also spoke on the conference call.

Kettlewell said adequate funding for a CISO is 6.75 percent of a state's IT spending. He estimated his funding level is 3 percent of Kansas's IT spending. 'Nobody has enough money, obviously,' he said.

Kettlewell said CISOs with set budgets at least can measure their level of funding compared to their own benchmarks and those of private sector CISOs.

CISOs responsibilities have changed from a technical role, overseeing day-to-day perimeter security operations, to that of statewide leader with policy and strategy duties, the report said.

Among the main challenges CISOs will face in the coming years are the ever-changing nature of the threats facing state IT, and the growing demand from citizens for more online services. Additionally, CISOs likely will become more active in homeland security and critical infrastructure protection, the report stated.

But getting funding for IT security can still be a challenge, Kettlewell said.

'You need dead bodies sometimes in order to get funding,' he said. 'The last thing that I want to do is say, 'The sky is falling.' You just have to temper that with, 'OK, here's the risk, and here's what we need to do about that risk to reduce it.' And then go from there.'

On top of that, CISOs in the coming years will have to cope with a two-fold staffing problem. First, much of the state government IT workforce is at or nearing retirement age. Second, state governments cannot pay IT workers as much as private sector companies can, and thus have trouble attracting and keeping employees.

NASCIO's survey points to the need to find 'innovative and creative ways to compensate and retain state CISOs and supporting IT security staff members.'

To deal with staffing shortages, states may need to turn to outsourcing some of their IT security work, Kettlewell said.

'There will come a time, probably in the next year or two years, where it will be more cost-effective to outsource this. The issue is a lot of us are control freaks,' he said. 'I want to have my own people interface with them, so that we can run a 24/7 operation, but at least we've got our finger on the pulse of what's going on.'

Ethan Butterfield is a staff writer for Government Computer News' sister publication, Washington Technology.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected