Jul 8, 2008, By Chandler Harris
IT security keeps CIOs awake at night. The sheer number of threats and potential for damage can be overwhelming, and in many cases has overwhelmed organizations and governments. The Denial of Service (DoS) attacks and subsequent closure of most of the electronic infrastructure in Estonia last year revealed just how reliant government has become on technology, and therefore how much more vulnerable it is.
The laundry list of security threats continues to grow, placing increasing pressure on CIOs to cover a multitude of bases. The use of portable devices, combined with DoS attacks, botnets, hackers, phishing, malware and Web application vulnerabilities, is enough to make an insomniac out of anyone in charge of IT security.
The latest Symantec Government Internet Security Threat Report found that government was the top sector for DoS attacks in 2007. The government sector also topped the list for the number of identities exposed and was second highest for the number of data breaches that could lead to identity theft. The United States was the top country of origin for attacks that targeted the government sector, accounting for 21 percent of the total worldwide, according to the report.
"Governments store a lot of citizen information, and the attacks have changed to become much more targeted toward finding personal information," said Gartner analyst John Pescatore. "They are targeting state government, in particular, since there is a lot of citizen and government employee information. These targeted attacks are a major trend change from three years ago, where there were more broad and random attacks that hit everyone differently."
Emergence of the CISO
The sheer number of sources that need coverage has brought to the forefront the importance of the chief information security officer (CISO) as an essential part of a CIO's security strategy. SecureState, a security-consulting company, believes it's essential in 2008 for organizations to shift security resources and decisions to higher-level decision-makers who can manage risk effectively. Several Fortune 500 companies hired their first CISO in 2007, and other organizations and governments are following suit, the company said.
Network security is the primary reason to have senior-level IT officials. However, another pressing reason is compliance with federal, state and private-sector IT security laws and regulations. Government IT security managers must comply with a host of federal IT security laws, including the Health Insurance Portability and Accountability Act (HIPAA), CAN-SPAM Act of 2003, Gramm-Leach-Bliley Act, the U.S.A. Patriot Act, Children's Online Privacy Protection Act (COPPA), the Identity Theft and Assumption Deterrence Act of 1998, and state-mandated laws.
In times of shrinking budgets, many smaller municipalities -- and even some larger organizations -- either don't have the resources for proper IT security or don't prioritize it.
"Generally [smaller municipalities] are underfunded and understaffed; there's not a perceived need, and they may think they have it all down," said Steve Marchewitz, vice president of business development of SecureState. "It's true with any organization -- the smaller they are, the less likely they are to have proper security, from small banks to credit unions that have virtually nothing. When you get down to small municipalities, sometimes they can only afford one part-time IT guy who tries to keep everything up and running."
While many governments continue to push consolidation methods forward, many still function like a silo, making comprehensive IT security programs difficult to implement.
Arizona established a statewide information security and privacy office last year within the Government Information Technology Agency, which created a CISO position for the state. While Arizona was behind other states that already had senior-level IT security positions, the state used lessons learned from other states to create a comprehensive, statewide security plan.
Arizona's new IT security office mandated that every agency have an IT security officer and a privacy officer. State officials believe the combination of professionals focused on security and