With the midterm elections just days away, state government leaders in technology and cybersecurity assembled in San Diego, California, this past week for the National Association of State CIOs (NASCIO) Annual Conference. The presentations, survey results and hallway conversations were compelling - to say the least.
No doubt, many new governors will be elected soon who will appoint new Chief Information Officers (CIOs) and even some new Chief Information Security Officers (CISOs). Indeed, several current CIOs and CISOs are serving in an “acting” capacity to keep things running smoothly until January. There has also been a lot of state government CIO changes and CISO turnover in 2018.
Regular transitions to new administrations occur in states every four or eight years. This normal pattern is a part of the NASCIO DNA, and also why the non-profit organization is so unique and critically important. The list of government leaders in Nashville, Tennessee, in October 2019 to celebrate NASCIO’s 50th anniversary will certainly be very different.
Nevertheless, the participation, commentary and results surrounding these two major surveys is an important baseline and helpful snapshot for both the current public sector leadership, the corporate leaders who support government technology teams nationwide as well as new incoming administrations who will be setting 100-day, 1-year, 2-year and 4-year agendas.
The 2018 State CIO Survey
The National Association of State Chief Information Officers (NASCIO), Grant Thornton LLP and CompTIA have collaborated for a ninth consecutive year to survey state government information technology (IT) leaders on current issues, trends and perspectives.
All fifty NASCIO member states completed the survey. Primary respondents were the state chief information officers (CIOs), although deputy CIOs and other senior state IT leaders contributed. A version of the survey results report can be found here, State CIO as Communicator: The Evolving Nature of Technology and Leadership.
The table of contents include the following topics:
Here are a few excerpts from the executive summary:
“Critical Success Factors for the CIO: Gone are the days where state CIOs are primarily focused on IT infrastructure. When asked, CIOs consistently ranked communication, relationship-building and strategic thinking as the most critical leadership traits for a successful CIO. In contrast, technology expertise came in at number nine. When we asked CIOs for lessons learned that could be shared with new incoming CIOs, a consistent picture emerged. Key advice that many CIOs shared was the need to build strong relationships with key stakeholders at the governor’s office, agency and legislative level, and to develop a strong understanding of the budget process and relationships with the budget office. …”
Here are a few of the highlights offered by Government Technology Magazine coverage of the report.
As the document’s title suggests, the survey offers insights on the changing way CIOs view their role, with communication skills, easily outranking all other abilities needed for the job, signaling the end of the era which saw CIOs laser-focused on overseeing sound technology infrastructure. Other skills needed by successful CIOs include strategic thinking and relationship-building — traits underlined by many tech leaders GT interviewed over the course of the conference.
“Build those relationships. Get to know your fellow cabinet members,” said Vermont CIO John Quinn.
“It’s really important that the cabinet level understands security, understands where you’re headed from a technology perspective so when they talk about what they need, they know to come to you and to use you as a trusted adviser, rather than just the IT guy that fixes your phone.”
Grant Thornton’s website focused on this: “The timing of this year’s survey is particularly interesting, coming as it does immediately prior to an election cycle that will likely see a significant turnover in the ranks of many states’ most senior technology officials. Given this, the survey aims to provide the current cadre of state CIOs to offer advice to a new generation of technology leaders that may soon be taking office. Some key themes that emerged from this year’s survey were the continued evolution of the role of the state CIO, diversity of skills needed to succeed in that role, and the disruption that digital technologies are continuing to impose in the state technology landscape. …”
2018 Deloitte-NASCIO Cybersecurity Study - States at risk: Bold plays for change
Every two years, a survey of state CISOs reveals top trends and projects and problems within state government cybersecurity. This Deloitte-NASCIO report is often quoted by major organizations and publications around the world, including the White House budget planning documents.
There is so much that can be said about this report, but my top recommendation is to take the time to stop and truly read the report.
To start, here are two important quotes from a BizJournals.com press release:
"We've been surveying state CISOs every other year since 2010 and these top three issues have not changed," said Bo Reese, NASCIO president and chief information officer (CIO), state of Oklahoma. "The reality is that the magnitude of threats is rarely matched in attention and funding in state government. Simply put, the time is now to be bold in state cybersecurity."
"While CISOs and CIOs have done a tremendous job over the years developing much needed governance plans and building relationships with state leaders, the funding and talent needed to fully address cyber risk is not there," said Srini Subramanian, principal, Deloitte & Touche LLP, and state and local government risk advisory leader.
The outline of the document includes these topics:
From the report: “While a majority of CISOs have made advancements in establishing their cybersecurity programs, shortages in both funding and cyber talent continue to exist. Based on our 2018 study responses, CISOs overwhelmingly agree that, while they have obtained senior executive support, they continue to be challenged by inadequate funding, struggling to secure a sufficient, reliable budget to develop their statewide security program. In most states, the CISO’s only source of cybersecurity funding is derived from the state’s IT budget, and is not designated as a separate line item. And the percentage of state enterprise IT budgets allocated to enterprise cybersecurity enterprise cybersecurity is still 1–2 percent, and annual budget increases have not kept pace with the needs of today’s security landscape and tomorrow’s evolving challenges. …”
The report also urges three: “bold plays in cybersecurity.”
Government Technology Magazine offered this article on the NASCIO session that covered the cybersecurity survey report results.
“Since the release of NASCIO’s first cybersecurity report, lack of sufficient funding has remained the No. 1 hurdle state CISOs report. This year’s study found that while cybersecurity budgets are growing, it’s at a very slow rate — 27 percent of states report no increase since the 2016 report. More than that, most states allocate just 3 percent of their budget or less to cyber.
Lettman said CISOs must advocate for dedicated security funding, and communicate to state leadership why that is necessary. Be specific about “where you are, where you’re going, what metrics it will take to get there — how are we securing the state?” Lettman said. Those measurable aspects can include number of attacks prevented, cost avoidance for having protections in place and how many people are being protected.
Closing Thoughts on These CIO and CISO Reports
Again, I urge readers to take the time to read these two significant NASCIO reports. I think the quick quotes and executive summaries do not do justice to the excellent data and survey results on each question that are offered. I find value in the meat of the reports.
While the rolled-up summaries of “CIO as communicator” and the need for more cybersecurity funding or the need for CISOs to be enablers are not new (indeed identical themes were articulated more than a decade ago for leading states), the data contained in these reports is still eye-opening and very helpful. Also, states that are lagging behind need to take these steps in 2019.
No doubt, most security leaders will not see these security recommendations as particularly bold or offering cutting edge answers, but I believe that these two reports offer an excellent “as is” state of government IT today as it exists today in the 50 states and U.S. Territories.
You can also learn more details about each state’s technology by reviewing the Digital States Survey results from Government Technology Magazine.
Next year, we will meet more future leaders in state government IT and government cybersecurity.
But the future starts right here – and right after election night.