The theft of 26 million veteran records in May demonstrated how easily sensitive information can fall into unauthorized hands. Despite growing demand for online services, such incidents may cause citizens' trust to erode, and gradually turn them away from enhanced online government services, according to a July 2006 National Association of State Chief Information Officers (NASCIO) brief.

This brief, Born of Necessity: The CISO Evolution, states that this trend can only be reversed by capable chief information security officers (CISOs) who can align policy with technology -- which is no easy task in state government.


Changing With the Times
In the brief, NASCIO explained that increased concern for both personal protection and homeland security, along with the rising demand for citizen services, make protecting data more important.

The CISO position has evolved in response to these dynamics, the brief said, and become more relevant in today's world.

"We are pleased that states at all levels of maturity regarding their IT security programs will benefit from this brief, which discusses how the state CISO position has evolved from a provider of perimeter defense to IT security strategist, and how that position is likely to evolve in the years to come," said Brenda Decker, co-chair of NASCIO's security and privacy committee and CIO of Nebraska.

NASCIO's 2004-2005 Compendium of Digital Government in the States study, scheduled for release later this year, reported that 29 states had a CISO. What is the urgency about hiring CISOs? It's a jungle out there, according to NASCIO, and the remaining states need to step up.

Born of Necessity cites not just outside hackers, but threats from within state government, including large and multitentacled agencies; introduction of personal technology into office computers via PDAs; instant messaging and MP3 players; outside contractors; and unknowing carelessness of employees. And as citizen demand for more online services increases, the number of new applications and enhancements to existing ones grows, raising the security risk. More users access systems and enter personal information, and IT services grow to accommodate demand.


Leading People and Policy, Not IT
"In light of the current IT threat environment, states need the CISO or equivalent position to strategically address these threats by creating and executing policies on an enterprise level, and to provide guidance to the state CIO and state agencies," the brief states.

States are in different stages of IT security planning, and NASCIO has a blueprint for the CISO job description, with recommendations for training and qualifications, mandates and compensation.

At present, most CISOs report to the state CIO, but the brief recommends a partial separation of powers, and asks, "For a state's IT projects, does the fact that the state CIO has a responsibility to bring those projects in on time and within budget compromise security if the state CISO reports to the CIO?"

In other words, a conflict of interest is possible, and states should build authority and independence into the CISO's position for maximum effectiveness.

Building relationships inside and outside of government is a crucial component of the CISO's job, according to the NASCIO brief, which also states that IT will be most secure when the CISO can both articulate the need for security and work with stakeholders.

Mary Carroll, CIO of Ohio and co-chair of NASCIO's security and privacy committee, agreed. "As the role of the CISO has evolved, the state CISO must now focus on relationship building across the state, and even outside of the state."

NASCIO envisions the CISO as an educator with broad influence in the governor's office, legislature and all state agencies. "With IT as an enabler of so many critical government functions," Carroll said, "the state CISO must be