Though chief informaiton security officers became a universal fixture in state government much later than CIOs, their importance has grown rapidly along with the expanding IT footprint of the public sector and the morphing threats against it.
To better understand who these people are and what factors shape their work, we gathered data on as many state CISOs as we could find — which turned out to be 158 CISO terms. Where appropriate, we compared this with similar data we've compiled on state CIOs in order to put the numbers in context.
To start off, here's a list of the most common names among state CISOs:
- Michael/Mike: 9
- Chris/Kris/Christopher: 8
- James/Jim: 7
- John/Jack: 6
[slideshow-break]
Staying Power
We know that a new governor usually means a new CIO, but what does it mean for the CISO?As it happens, CISOs are much more sheltered from the political winds — it's when there's a new CIO that a CISO is more likely to leave.
To get a better look at those dynamics, we calculated the "survival rates" when a new governor or CIO takes office — in other words, how often does a CISO stick around when there's a new leader?
We found that CISOs are about twice as likely as CIOs to stay put when there's a new governor, though that number does change depending on whether the governor's seat has changed parties. But whereas CISOs stay in the job 68 percent of the time when a new governor comes in, they only stay 57 percent of the time when a new CIO comes in.
We also found that the average tenure of a state CISO is three years and 10 months.
The longest-serving CISO we found was Agnes Kirk, who led cybersecurity for the state of Washington for 13 years, from 2005-2018. The shortest-serving CISO was Nicholas Andersen, who was in that role with the state of Vermont only nine months from December 2018 to August 2019.
Since this article was first published in the magazine, another state CISO has also left after about nine months: Ronald Buchanan of Washington.
[slideshow-break]
Career Paths
When we examined the jobs that state CIOs held just before and after leading the IT department, one thing stood out: The role, for many, is a path from the public sector to the private sector.For CISOs, the overall trend is the same, but the numbers are very different.
The most striking finding was that a full 70 percent of state CISOs come from the public sector — quite often, they work their way up through the IT department. That number is substantially higher than for CIOs.
CISOs are also most likely to wind up in the private sector when they leave, but only 48 percent go that route, compared with 52 percent for CIOs. Instead, the CISO is more likely than the CIO to head to a non-profit or to some other role in the public sector.
It's also worth noting that more CISOs came from the military than CIOs. It's not a big difference in the grand scheme of things, but it does reflect the increasing role cybersecurity has taken in the armed forces.
Once again, the data was collected from LinkedIn profiles and only captures the job a CISO held immediately before and immediately after serving as CISO.
[slideshow-break]
Declining Women
Just as with state CIOs, we found that the prevalence of women in state CISO roles has declined in recent years. Above is the data on female state CISOs as a percentage of all available information.Reasons for the downward trend are unclear, but the similar trend among CIOs suggests that the problem in gender diversity of IT leadership is likely wide; not limited to the very top levels.
Today, five state CISOs are women — Deborah Blyth of Colorado, Deborah Snyder of New York, Maria Thompson of North Carolina, Nancy Rainosek of Texas and Danielle Cox of West Virginia.
Overall, about 15 percent of state CISOs have been women.
Notes for all data included in this story: Data was collected from LinkedIn profiles, coverage from Government Technology and other publications, state government websites, the National Association of State Chief Information Officers' (NASCIO) State Cybersecurity Resource Guides, and a couple very helpful public officials. Only permanent CISOs and interim/acting CISOs who served for at least a year were included on the list. Kris Rowley, who served as CISO of Vermont from 2008 to 2015, transitioned from female to male after leaving the government. For purposes of gender statistics, Rowley was counted among the women for his time as CISO. Data is current as of Aug. 23, 2019.
