North Carolina Gov. Pat McCrory just established the new Department of Information Technology as the single source of accountability and authority over state government technology projects. State CIO Chris Estes will lead the consolidation effort, along with executive support from his leadership team, including Chief Information Risk Officer Maria Thompson. So who are these leaders? What are their plans and priorities? Where are they heading regarding information security? These are just a few of the questions answered in this exclusive interview.
Credit N.C. Dept. of Information Technology
“Combining the state’s resources under a Department of Information Technology will make government more efficient, effective and user-friendly for the citizens we serve.”
This pronouncement from Gov. Pat McCrory is the first thing you see when you enter the North Carolina website OneIT. The new portal goes on to describe the scope of the new IT agency that now handles all government technology projects in North Carolina state government.
The online introduction continues with this message from State CIO Chris Estes:
On Friday, September 18, 2015, Governor Pat McCrory signed the state budget, which established the Department of Information Technology as a single source of accountability and authority for IT budgeting, personnel and oversight of Information Technology for participating agencies in the biennium budget period.
The new Department of Information Technology will succeed the Office of Information Technology Services and represents a priority for Governor McCrory’ s administration to use information technology to make government more efficient, effective and user-friendly for the citizens we serve. ...
The OneIT website goes on to explain the technology restructuring details and includes a welcome, news, background, vision, benefits, legislation, FAQs, contact information and more. I urge readers to visit this excellent resource to learn more about North Carolina’s new agency.
Meet the Technology and Security Leaders in North Carolina Government
But before we jump into the CIO and CIRO interviews, I want to provide some background on the excellent leadership team that McCrory has assembled to lead the new agency.
Chris Estes has an impressive professional profile. He has won numerous awards for his leadership and vision, and he currently serves as executive committee director for the National Association of State Chief Information Officers (NASCIO) and is chair of the National Innovation Committee, a coalition of states that share strategies for bringing innovation to government.
Estes first became CIO in North Carolina in January 2013, where he has served on the cabinet of Gov. McCrory and leads statewide IT planning and operations with an annual budget of more than $600 million and 2,200 employees.
Prior to becoming state CIO, Estes spent more than 25 years in the high-tech, manufacturing and financial services industries for leading brands PwC, BearingPoint and Booz Allen Hamilton where he was a principal in the Strategy, Technology and Innovation practice. He attended Yale University’s Strategic Leadership program and earned his bachelor’s degree from Mercer University.
Maria Thompson became the chief information risk officer (CIRO) in North Carolina government in January 2015, after an impressive career in the U.S. Marines and in the private sector.
Thompson was a senior security engineer for Imperatis (formerly Jorge Scientific Corp.) from 2011 to 2014, and she also served as a senior information security engineer for SecureInfo for about a year. She was the chief over Information Assurance in Iraq for many years while serving in the Marines.
On a personal level, I have been very impressed with the expertise and focused leadership demonstrated by Chris and Maria over the past few years. It is clear to me that North Carolina is ready to take their technology and information security programs to the next level, and they have assembled the right team to be successful.
Interview With North Carolina CIO Chris Estes
Dan Lohrmann: You have had a very successful career as a technology leader. What motivates your success?
Chris Estes: What motivates my success is being able to leverage technology to meet business needs. I strive to take an innovative and risk-based approach to new technology. I also focus on clearly understanding customer needs, and then finding the most effective and efficient ways to meet those needs.
Can you tell us about the new technology agency in North Carolina and what changes are coming? How will your role change as CIO?
The most evident change is the consolidation of information technology operations under a single, cabinet-level Department of Information Technology (DIT). This unified structure will provide clear accountability and authority for the governance and management of IT across the state. In addition, this model has been proven to increase efficiency and to realize benefits and savings more quickly. As far as my role as CIO goes, my priority is ensuring that this significant business transformation is executed in a careful, well planned way so that we ensure we maintain services to our citizens.
What are your top IT priorities over the next few years?
The IT restructuring is a major business transformation, so we will have our hands full over the next few years driving the consolidation effort for the state. I see this as a multi-year project, and we plan to ensure we take a thoughtful, sequenced approach. We are aiming for, “Do it right the first time.”
How important is cybersecurity in your daily role? How does cybersecurity interact with your priorities?
Cybersecurity is a critical aspect of my job, and I take my responsibility to protect the citizens of North Carolina’s data seriously. With the ever-increasing threat to government data, it is imperative that the Department take every measure to ensure that cybersecurity is foundational to our environment. We try to take a holistic approach to cybersecurity, ensuring our users receive the right level of training at the right time, while also implementing best practices throughout the state.
Our transition to a unified Department of IT will strengthen our cybersecurity efforts. Gaining more operational control of the network will allow us to implement best practices on a broader scale within the state and to obtain the level of visibility needed to drive compliance.
How has security changed throughout your career? Is it more important today with big data, mobile computing and the cloud security challenges?
Absolutely. As the landscape of cybersecurity grows to include cloud, Internet of Things (IoT), and bring your own devices, we, as IT professionals, have all had to adapt and look for unique ways to counter the threats to the environment. Big data is no exception. However, knowing that the “keys to the empire,” reside in a single repository can be tempting to any would-be hacker. It is critical to protecting data to only collect what is necessary. Today, IT professionals have to put more thought into the “why” than the “how.” We have to ask questions such as, “Why do we need this data? Why are these systems interconnected?” In the past, we focused mainly on how to make the systems connect and be interoperable, but the security challenges of today have definitely changed the way we think.
As we head into 2016, is cybersecurity given a high priority by your governor? How do you see cybersecurity changing over the next few years?
Governor McCrory fully supports our need to strengthen our environment and bring cyberawareness to the state. As for changes, I have seen and expect to continue to see more focus being placed on tracking and monitoring of identities versus traditional endpoint management. Being able to tell that “John Smith” is who he says he is will be critical in ensuring access control to the network. This also closely ties into behavioral analysis. Not only must we validate identities, but we must also be able to get a good baseline of the network so that we know, without a doubt, that “John Smith’s” actions on the network are valid.
Interview With Maria Thompson, N.C. Chief Information Risk Officer (CIRO)
Dan: Tell us about your scope of responsibilities as CIRO in North Carolina? How will the organizational changes in North Carolina impact your role?
Thompson: The scope of my role is similar to that of most public- and private-sector CISOs. My responsibilities include maintaining situational awareness of the security landscape; developing security strategies; implementing a security plan and ensuring compliance through continuous monitoring. Most notably, the restructuring will allow for the ability to have an integrated governance structure versus the decentralized approach to managing security and risk that was used in the past. Being able to have a top-down and bottom-up approach that is not just on paper, but fully functional, will hopefully be a game-changer for the state.
How do you stay ahead of the ever-changing cyberthreat environment (personally and as a team)?
Technology allows us to have information at our fingertips, so being plugged into the various security blogs and using information sharing capabilities throughout the state, e.g., FBI, Infragard, MS-ISAC, National Guard and our public-private partnerships allow us to stay abreast of emerging threats. Having the ability to tie open source and other available methods of intelligence gives us a cyberecosystem that we can leverage and use to plan accordingly.
What’s hot right now regarding your role? Where are you spending your time and what keeps you up at night?
As you are aware, a single Department of IT was recently established in North Carolina. I am focusing on the planning of and transition to a statewide security department. Ensuring that the state agencies receive uninterrupted service will be a key factor in the success of this transition.
What keeps me up at night? I think a better way to phrase it would be, “What allows me to sleep?” which is knowing we have dedicated professionals who want to do the right thing. Ensuring development and success of those professionals will result in the overall success of DIT’s mission.
How has security evolved over the past decade? What’s different (and the same) today, as compared to say 2005?
Over the past decade, the most obvious change has been the attention given to and importance placed on security. Data breaches today occur with such frequency that it is imperative to take security and risk seriously. Depending on which statistics you follow, there are more than 230,000 new malware [threats] detected daily. While, it is virtually impossible to keep up with the sheer number of attack vectors out there, our security tools have evolved with the changing threat landscape, and focusing on the utilization of industry best practices, a layered security architecture, and continuous monitoring helps to bridge that gap.
I can recall from my U.S. Department of Defense days, the various terms used to describe what is now cyber. The first Iabel that I can remember was the use of the term "information security" (InfoSec). The next change was to "information assurance" (IA), then "cybersecurity" and now, in some venues, simply "cyber." As we try to grasp where the boundaries are for cyber, the landscape increases. It can be a daunting task at times to wrap your arms around your security boundary, while still allowing for agility, innovation and the need to leverage cloud providers, so it is important that we, as security professionals, try our best to stay abreast of emerging technology.
I think that it is necessary for business owners to take a more proactive approach to cybersecurity and to recognize the role that their individual systems and the risks associated with those systems play in the bigger picture. There needs to be a shift in mindset that recognizes and prioritizes the reality that “a risk assumed by one is assumed by all.” I aim to bring that level of awareness to the cybersecurity community.
As we move forward with the Internet of Things (IoT) and smart cities, how do you see security playing a role in innovative new technologies?
Internet of Things (IoT) has been around for some time; however, the concept of risk around IoT has just recently gained traction. From a state network perspective, we are working to ensure that IoT is managed appropriately through policy and technical controls. As the landscape of IoT continues to grow, the environment becomes more complex.
The state plans to bring awareness to that issue, with the hope that awareness, as well as security controls, can create a positive outcome. Regardless of the device, best practices — including secure coding, encryption (when supportable), access control, secure supply chain management, etc. — should ways be top of mind. If a device does not serve a business need and cannot be appropriately protected, connection to the state network is denied.
When thinking about smart cities, the potential for IoT use without governance is an area of concern, so when possible, it is important for the state to get involved to ensure that both security and privacy are considered. Data should only be collected as necessary, when required. The adage, “Just because we can, does not mean we should,” is applicable here. There is movement by various agencies and private-sector communities to focus on the security of these IoT devices, and it is my hope that with a private-public partnership we can develop a strategy to safely deliver this technology for use in the near future.
Is there anything else you’d like to share about your cybersecurity program and upcoming projects?
As I mentioned earlier, one of our agency’s main focus areas will be on the DIT transition. As part of that, there will be a need to assess the knowledge, skills and abilities of our cyberprofessionals within the state to help identify gaps within our structure and apply training and education resources as appropriate. Building the cyberworkforce has to be a priority. This will include outreach to academia. North Carolina is fortunate to have great schools in our education system, and several of our colleges and universities have been identified as Cyber Schools of Excellence. By working together with colleges and high schools, we can develop programs that can mutually benefit the state, schools and students.
I’d like to thank Chris Estes and Maria Thompson for taking the time to answer my questions and filling us in on their priorities and North Carolina's direction.
This is truly an exciting time for North Carolina government technology. And yet the challenges are certainly huge moving forward. As mentioned a few weeks ago in this article:
“McCrory railed against that inefficiency in his state of the state address in February, claiming that 74 percent of the state’s IT projects 'have come in over budget and behind schedule.' He proposed a restructuring of IT operations, and when he signed the budget bill on Sept. 18, that vision became a reality. ...”
Nevertheless, with great challenges come great opportunities. The technology consolidation efforts in Michigan yielded huge benefits and cost savings over a decade, and I am sure the same will happen in North Carolina.
My view is that North Carolina made a smart executive decision, and Chris Estes and Maria Thompson are the right leaders to effectively implement positive technology change.
Looking for the latest gov tech news as it happens? Subscribe to GT newsletters.