South Carolina Centralizes IT Oversight

Following a massive data breach in 2012, the state has taken steps to overhaul its decentralized IT governance model, giving the governor more control of technology policy.

September 15, 2014

The South Carolina Department of Revenue data breach in 2012 exposed 3.6 million Social Security numbers to hackers. While the rupture was disruptive and damaging to those whose data was compromised, the incident had a silver lining: It helped push forward a complete overhaul of South Carolina’s decentralized IT governance model.

Lawmakers passed the South Carolina Restructuring Act of 2014 earlier this year, giving the governor’s office more executive power. Legislators created a new cabinet agency, the Department of Administration, and put state technology under the agency’s purview.

In addition, the South Carolina Legislature will have the power to evaluate the Department of Administration’s allocation and expenditure of funds, including the oversight of technology policy creation and implementation. The Department of Administration will officially come into existence on July 1, 2015.

In an interview with Government Technology, State Sen. A. Shane Massey explained that historically, the governor’s office hasn’t had a lot of power in South Carolina. While he felt that separation of powers was “good government,” Massey also believes it led to the Legislature doing “very little to look under the hood” of what’s going on in agencies, including technology issues.

“The hope is that this oversight will allow us to catch problems before they’ve become real problems and avoid some of these things going forward,” Massey said, referring to the 2012 data breach. “My belief is that if we had been doing regular oversight, somebody, somewhere, at some point, would have asked the Department of Revenue about their security. And that would have had them focusing on it before we ever got hacked.”

Post-Breach Security Actions

The Restructuring Act of 2014 is one of several steps South Carolina has taken to improve its cybersecurity posture. Following the 2012 data breach, the state also ordered a complete security assessment for all agencies. The review was done by Deloitte & Touche, and completed on May 1, 2013. The company advised South Carolina to do the following:

  • Provide funding and support to establish and mature the state’s information security (INFOSEC) program;
  • Establish an over-arching information security organization and federated governance architecture;
  • Implement a security awareness program for employees and strengthen the state’s cybersecurity workforce;
  • Deploy security technology recommendations;
  • Adopt a federated governance model for IT.

South Carolina also opened a recruitment to hire a chief information security officer in July 2013. The closing date for applications was Dec. 31, 2013, but it is unclear whether the state has made any progress in the hiring process.

Government Technology reached out to Kyle Herron, chief operating officer of the South Carolina Budget and Control Board, Division of Technology; and state CIO Keith Osman multiple times for comment on the IT and governance changes, but the messages were not returned. 

Massey admitted that there have been some critics of South Carolina’s plan to put more power in the hands of the governor’s office and adopt a centralized approach for technology. He said the state has a long history of being leery of too much power in the hands of one person or branch of government.

But with more than nine months before the Department of Administration officially opens its doors, Massey thinks many concerns can be smoothed over.

“We’re going to have to spend some additional dollars to get it right. I think everybody recognizes this,” Massey said. “But everyone also wants our information as secure as we can make it. So that’s something that’s been pretty well accepted.”

Brian Heaton

Brian Heaton was a writer for Government Technology magazine from 2011 to mid-2015.