State CIO, CISO Speak About National Survey

NASCIO's survey reveals diversity of issues important to CISOs

by / September 20, 2006
The National Association of State Chief Information Officers (NASCIO) has released the findings of summer survey of State Chief Information Security Officers (CISO). According to NASCIO, results of the survey -- A Current View of State CISO: A national Survey Assessment -- "indicate that the state CISO position has become highly prevalent and is evolving into a state IT security policy and strategy leader."

Forty-one states responded to the survey, with either State CISOs or equivalent positions responding. Questions ranged from budget concerns to staffing to levels of authority. Kansas State CISO Larry Kettlewell spoke about the findings today in a teleconference. "It was a fairly extensive survey, and we got a very good amount of participation from the states."

One interesting part of the survey came from the open-ended question "How do CISOs spend most of their time?" A significant portion of the time is spent dealing with staffing issues, which for some states included the creation of specific cyber-security offices. Other time consumers included coordinating and consulting with state agencies, maintaining ongoing IT security investment, strategic planning tasks, operational responsibilities and policy development.

On the issue of privacy in IT, the survey results concluded that not all CISOs deal with privacy issues and "as the privacy function emerges and takes shape within the states, so will the CISO's relationship with state privacy officers."

Of particular concern was budget. CIOs and CISOs find it difficult to ask a legislature for money to prevent problems. "It costs close to 15 times more" to clean up after a security breach then to prevent it, according to Brenda Decker, CIO of Nebraska and Co-Chair of NASCIO's Security and Privacy Committee. Kettlewell added that "you need dead bodies, sometimes, in order to get funded."

Other survey results:
  • 41 states respond
  • 69% said they have a mix of operational and policy duties
  • 60% have a defined security budget
      Scope of Authority/ Responsibility
    • 2 - IT Department/Agency Only
    • 24 - Executive Branch
    • 14 - All State Government (Executive, Legislative and Judicial)

Gina M. Scott Writer