But what got his whole team, and the state government, through the incident was trust.
And that trust, Galluzi said at the National Association of State CIOs Midyear Conference this week, was established well before the incident. To achieve it, he relied on persistence and on demonstrating his willingness to listen and learn.
“It took time to build that trust, and thankfully that trust really came through for us when we had our cyber incident, because the mandates that we were putting out, the changes that we were asking agencies to do, we knew they were going to be painful,” Galluzi said during the conference. “But they trusted us, they trusted us to have their best interests at heart.”
Perhaps that was because he had demonstrated to them before the incident that when it comes to policy, he wanted input — he doesn’t simply tell agencies to “do it.” After stepping into the CIO role, he created a governance board he relies on to guide policies he writes that will affect other agencies.
“It’s a governance committee that I established under my authority, so no one forced that on me,” Galluzi said during the conference. “I established this committee that has representatives from all the executive branch agencies, and we talk about these things. And we keep on talking about the policies until we get it right, until we can get a level of consensus.”
In fact, he made a simple change that reflected that mindset shift as well: changing how his office referred to its peers.
“We actually changed our vernacular of how we engage with our agencies. We changed the perception, ‘No, our agencies are not customers anymore, they’re partners,’” he said. “And so anyone that talks in my organization about agencies, it’s now our agency partners, because it absolutely needs to be that partnership. It cannot be transactional.”
Another part of building trust was positional. Under Galluzi, the IT division became part of the governor’s office and received a new name — the Governor’s Technology Office. That gave extra heft to his communication.
But Galluzi also did something not entirely common in the world of state CIOs: He stayed on as a new governor from a different party took office.
“There were folks [who were] like, ‘Well, he’s gonna last a year, if that.’ So they were just gonna wait me out, so they’ll just drag their feet and hold back on making significant changes, because hey, he’s gonna be gone in a year, we’ll get a new CIO, we’ll get a new [strategic] plan, we’ll have to go through all this over and over and over again. So why put in all that time, energy and effort, why go through all that painful process of change if the one that is leading the change isn’t gonna be around to see the end state?” he said. “I think that’s been one of the benefits of me being able to stick it out in this role for a little bit is we’ve been able to start things and we’ve been able to see it to fruition.”
Since the incident, Galluzi’s office and the state government have taken several actions to bolster security. They implemented new endpoint monitoring, are in the process of deploying a new security information and event management system, established a dedicated cyber office and brought in a new chief information security officer. He’s also in the early phases of the significant task of setting up an enterprise security operations center, which will offer services to local governments as well as state agencies.