NASCIO Releases Brief on the Evolution of the State Chief Information Security Officer

From employees who may be unaware that they are violating state IT security policy to purveyors of botnets and spyware -- the state IT threat environment is ever-mutating at an accelerated pace

The National Association of State Chief Information Officers (NASCIO), which represents the chief information officers (CIOs) of the states, released a brief on the evolving role of the state Chief Information Security Officer (CISO).

Entitled "Born of Necessity: The CISO Evolution -- Bringing the Technical and the Policy Together," the research brief was developed by NASCIO's Information Security and Privacy Committee. The brief examines the role of the state CISO as it has evolved in response to the growing complexities of the IT threat environment, homeland security concerns, and the increasing demands for enhanced citizen services.

Specific points this brief addresses include: critical state CISO success factors, security governance and reporting structures, the breadth and depth of CISO authority, the range of CISO responsibilities, the importance of a CISO's relationships with internal and external stakeholders, the CISO and information privacy, typical CISO education, experience, certification, and compensation, what state CISOs really need to do their jobs, and a few predictions on the future evolution of the state CISO.

Today, threats abound for state IT systems and resources. State CIOs are faced with the challenge of protecting state IT infrastructure and the information held within state IT systems from compromise that can stem from sources both internal and external to state government. From employees who may be unaware that they are violating state IT security policy to purveyors of botnets and spyware -- the state IT threat environment is ever-mutating at an accelerated pace. With so many IT systems scattered across state government, the state CIO is tasked with taking measures to help secure the many doors and windows through which the entire state network could become compromised.

To properly identify (and even anticipate) these and other IT threats and then implement risk-based security protections to avert them, a state CIO typically relies on a CISO or an equivalent position to help ensure the security of state IT systems. Although the state IT security role used to be a more technical position focused on defending the state's IT perimeter, it has since evolved into that of an IT security strategist. The state CISO typically creates and executes policies on an enterprise level and provides guidance to the state CIO and state agencies.

"As the role of the CISO has evolved, the state CISO must now focus on relationship-building across the state and even outside of the state," said Mary Carroll, co-chair of NASCIO's Security and Privacy Committee and CIO of the State of Ohio. "With IT as an enabler of so many critical government functions, the state CISO must be involved with a variety of other state officials, including those involved in homeland security, critical infrastructure protection, and emergency management."

"We are pleased that states at all levels of maturity regarding their IT security programs will benefit from this brief which discusses how the state CISO position has evolved from a provider of perimeter defense to IT security strategist and how that position is likely to evolve in the years to come," commented Brenda Decker, co-chair of NASCIO's Security and Privacy Committee and CIO of the State of Nebraska.