NASCIO: States aim for robust IT security

A survey by the National Association of State Chief Information Officers shows that state governments are paying more attention to information security, hiring chief information security officers (CISOs) and giving them defined budgets and enforcement authority.

"Security is a hot topic in all the states; we're all dealing with it," said Nebraska CIO Brenda Decker in a conference call announcing the survey results.

NASCIO's report, which was released earlier this month, drew responses from 41 states, of which 83 percent had chief information security officers. Of the respondents, 60 percent had defined budgets, but even those are not getting the funding they need, said Larry Kettlewell, CISO for Kansas, who also spoke on the conference call.

Kettlewell said adequate funding for a CISO is 6.75 percent of a state's IT spending. He estimated his funding level is 3 percent of Kansas's IT spending. "Nobody has enough money, obviously," he said.

Kettlewell said CISOs with set budgets at least can measure their level of funding compared to their own benchmarks and those of private-sector CISOs.

CISOs' responsibilities have changed from those of a technical role, overseeing day-to-day perimeter security operations, to those of statewide leaders with policy and strategy duties, the report said.

Among the main challenges CISOs will face in the coming years are the ever-changing nature of the threats facing state IT and the growing demand from citizens for more online services. Additionally, CISOs likely will become more active in homeland security and critical infrastructure protection, the report stated.

But getting funding for IT security can still be a challenge, Kettlewell said.

"You need dead bodies sometimes in order to get funding," he said. "The last thing that I want to do is say, 'The sky is falling.' You just have to temper that with, 'OK, here's the risk, and here's what we need to do about that risk to reduce it.' And then go from there."

On top of that, CISOs in the coming years will have to cope with a twofold staffing problem. First, much of the state government IT workforce is at or nearing retirement age. Second, state governments cannot pay IT workers as much as private-sector companies can, and thus have trouble attracting and keeping employees.

NASCIO's survey points to the need to find "innovative and creative ways to compensate and retain state CISOs and supporting IT security staff members."

To deal with staffing shortages, states may need to turn to outsourcing some of their IT security work, Kettlewell said.

"There will come a time, probably in the next year or two years, where it will be more cost-effective to outsource this. The issue is a lot of us are control freaks," he said. "I want to have my own people interface with them, so that we can run a 24/7 operation, but at least we've got our finger on the pulse of what's going on."