
New Mexico Gives CISO More Reach, Independence

Under a new state law, the CISO will report to a Cybersecurity Advisory Committee instead of the CIO. The committee will draw from different branches and levels of government.

New Mexico’s recently signed Cybersecurity Act will restructure the role of the state CISO. The changes will give the cybersecurity official more independence from the Department of Information Technology (DoIT), deepening the role’s engagement with other state agencies and political subdivisions.

When the law goes into effect in July, CISO Raja Sambandam will shift over to a newly established Cybersecurity Office and will no longer report to the CIO. Instead, he’ll report to a to-be-launched Cybersecurity Advisory Committee, made up of members who reflect state judicial, legislative and executive branches as well as local, county and tribal government perspectives.

SEPARATING CISO FROM CIO?

The Cybersecurity Office will be administratively attached to the DoIT, with the latter providing services like those for HR and program management. But the move will provide a new “layer of separation” and level of independence, Sambandam said. That’s important for heading off any concerns about the CISO’s cybersecurity assessments of state technology becoming swayed by being part of the technology department.

“Cybersecurity is a layer to our oversight function,” Sambandam said. “[This structural change] provides some independence and removes me [as CISO] from any potential or perceived undue influences, because at the end of the day, the IT operations reside with the CIO. And if oversight identified some vulnerabilities or some cybersecurity-related issues, and if it is not appropriately addressed, then it presents a situation for us to deal with.”

New Mexico isn’t the only state whose CISO does not report to the CIO.

New Jersey previously moved the CISO role out of the Office of Information Technology and into the Office of Homeland Security and Preparedness (OHSP). Michael Geraghty became director of the OHSP’s New Jersey Cybersecurity and Communications Integration Cell in 2016 before adding the CISO title the following year. In a 2018 discussion with GovTech, Geraghty said he saw the state’s choice to house its “CISO function” under OHSP as a green flag when he considered joining the state: “That alignment told me that New Jersey was serious about cybersecurity and had positioned it to maximize its potential for success.”

Arizona also locates its CISO in the state Department of Homeland Security. Last month, interim CISO Ryan Murray told GovTech that putting the CIO and CISO on equal footing lets both officials present their at-times-competing perspectives to business leadership. That can ultimately enable leaders to make more informed decisions.

“A lot of times, we’ll find that IT operations and cyber — there may be a conflict,” Murray said at the time. “… CISOs are trying to drive that security mission, drive that risk-based mission. CIOs are focused on technology, pushing business processes or innovating the technology platforms themselves.”

National Association of State Chief Information Officers (NASCIO) Deputy Executive Director Meredith Ward suggested that no one reporting structure is the key to success.

“While NASCIO does not take a formal position on reporting structure in states, we have seen success in states of all different kinds,” Ward told GovTech. “The important thing to keep in mind is not where people are located or who they report to, but authority and support given to the CIO and CISO to strengthen the cybersecurity posture of their respective states.”

EXPANDED REACH AND NEW OVERSIGHT

New Mexico’s Cybersecurity Act will widen the scope of Sambandam’s work. The CISO role within the DoIT has been focused on the state’s executive branch, but the restructuring will see more engagement with other entities like local government and education.

“The existing statutory authority is somewhat focused and limited because it was done a while ago,” Sambandam said. Creating the Cybersecurity Office “provides me the scope currently that the Department of Information Technology does not have, to interact with the other political subdivisions.”

The Cybersecurity Act outlines various ways the Cybersecurity Office can support other levels of government. Those include acting as a “resource” for local government cybersecurity, creating a catalog of cybersecurity services available to agencies and political subdivisions, and establishing a cybersecurity and breach reporting process for all government entities in the state.

After Sambandam moves out of the DoIT, he’ll report to a Cybersecurity Advisory Committee that will soon be created. That committee will convene by Aug. 16, 2023, and be made up of a variety of stakeholders, including representatives from different levels of government and the three state branches.

This kind of reporting structure “is more common on the private side,” Sambandam said.

The committee will include cybersecurity experts chosen by the New Mexico Association of Counties, the New Mexico Municipal League and the secretary of Indian affairs. Other members will be chosen by the governor, Administrative Office of the Courts and Legislative Council Services.

The CIO and CISO will both serve on the board, too, though the CISO will be a nonvoting member and recused from any discussions over their own compensation, supervision or discipline.

The committee’s purview isn’t limited to overseeing the CISO, either. The body is also charged with helping the Cybersecurity Office create a statewide cybersecurity plan, cybersecurity best practices guidelines for agencies and recommendations for responding to specific cyber attacks and threats. Additionally, it’s required to provide annual reports about the state’s cybersecurity preparedness to the governor and certain legislative committees.

STATE AND LOCAL CYBERSECURITY GRANT

In some ways, the Cybersecurity Advisory Committee may carry forward and build on the cross-government collaborations initiated under the State and Local Cybersecurity Grant Program (SLCGP).

New Mexico expects to receive $13 million over four years under that grant. The program stipulates that at least 80 percent of funds go to local governments. Sambandam said directly disbursing and divvying up the monies among hundreds of local government entities could mean each one ends up with between $10,000 and $20,000 — too little to use effectively. Instead, New Mexico is looking to achieve economies of scale, such as by creating statewide procurement vehicles that schools and local governments could use to get better pricing on cybersecurity services.

That grant program required participating states to create cybersecurity planning committees with members from various stakeholder groups, like local governments, public education and rural communities. New Mexico’s planning committee is still working to finalize and submit a statewide cybersecurity plan — the last piece needed before it can receive the SLCGP funds.

That planning committee must submit its statewide plan by September, then it will disband. By that time, the Cybersecurity Advisory Committee will already be established and ready to take over.

“We would have this office and have the advisory committee stood up, so the transition would be seamless,” Sambandam said.

Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.