• Should State CISO Stay in Department of Technology?

    May 26th, 2016 by admin Categories: Blogs Tags: , , , , , , , ,

    The intrepid Jimmy Baker hosted another Public Sector Technology Exchange’s (PSTE) innovative leadership forum this week on “Security and Visibility – Bringing Hidden Threats to Light”.

    Somewhat surprising surfacing on his panel was former State CIO Carlos Ramos who took the occasion to discuss his future plans and to opine on the controversy over the future disposition of his former Department of Technology’s (CDT) California Information Security Office.

    As to the former, not surprisingly, Carlos will remain in the dreaded private sector working as he said with innovative Silicon Valley firms to position them for opportunities in government.

    As to the latter Carlos offered his opinion on what seems to be from virtually all appearances an organizational transfer of the California Information Security Office from CDT to California’s Office of Emergency Services. He was strongly opposed to it citing his belief that while OES was effective as preparing for and responding to incidents, cybersecurity called for preventing security related incidents in the first place and that responsibility should be directed by his old Department of Technology.

    It’s only fair to point out that officially, as reported here at TLTV last week, CalOES Director Mark Ghilarducci categorically denies that there has been any formal organizational transfer.

    At TechLeader.TV’s Educational Seminar last week focusing on cybersecurity, Director Ghilarducci in his keynote stated, “The Office of the State CISO has not been consolidated, has not been merged, nor has it been acquired by OES. It is simply embedded at CalOES.”

    However, Carlos’ position is not unusual. In fact, according to a 2014 Deloitte-NASCIO cybersecurity study 90% of state CISO’s report to their state’s CIO.

    And while I tend to agree with Carlos at first blush, and the vast majority of states, that may just be my old CIO hat showing.

    However, here’s what I think is really important. It seems that significant, even dangerous, security issues in all areas of government and the private sector are finally reaching a critical mass whereby the security function is beginning to warrant and demand executives’, and program leaderships’ attention. As Clemenceau said, “War is too important to be left to the generals.” Likewise security is too important to be left up to the security officials alone.

    Perhaps the location of the enterprise security function and responsibilities on the organization chart are far less important than having an enterprise security strategy that starts with CEO or governor and other leadership who listen to, value and are champions for their security officers, ensuring a security mindset throughout all levels of the organization.

    Unfortunately, I took an unofficial survey of nearly 100 security officials at TechLeader.TV’s Educational Seminar last week focusing on cybersecurity, asking for a show of hands from those who had had a meeting with their department head regarding security.

    Less than 10 raised their hands. Deplorable, and a warning…

    My advice. Have their bosses go to Techleader.TV and watch this video about the potential consequences to their careers… Here’s the photo with the story…

    House oversight Committee Hearing

    OPM House Oversight Committee hearing

    Tell your leadership, that could be them in front of a legislative committee hearing.


    1. Anonymous says:

      The CISO/ISO of the state, or of an agency or department, should never report to the CIO or be part of the Information Technology group. Best practices show that the CISO/ISO should report to the Chief Legal Counsel or Chief of Operations or Administration and should be a separate office (i.e., Information Security Office) that collaborates with Internal Audits. This would enable both the position and the office to be independent and objective; and become more effective in their information security assurance, compliance and risk management efforts; while providing a more direct and unfettered reporting path to Directors and Executives (e.g., risk owners).

    Anonymous Commenting is Welcome. To have your name or website appear with your comment, fill out the form below. All Comments are moderated to prevent spam. Thanks for joining in the discussion!