"If we continue to develop technology without wisdom or prudence, our servant may prove to be our executioner." - General Omar N. Bradley
Earlier this month, the National Association of State Chief Information Officers (NASCIO) published its annual list of members' top priorities for the year ahead. Not surprisingly, cybersecurity and risk management have topped the list for several years running.
Many of the other reported priorities can be broadly categorized as digital transformation initiatives. They involve migrating to the cloud, overhauling legacy systems, and standardizing operations.
I can say from my time as a state CIO that many of my peers and I felt the NASCIO report was an accurate summary of the challenges we faced. However, the survey must be viewed within the context of the differences and cultures of each state. Governors, cabinets, and secretaries each have their respective agendas and priorities that change from administration to administration.
State CIO priorities in light of “the big surge”
As it became apparent how significant a disruption COVID-19 would be in our lives, state IT departments shifted their focus to pure enablement – keeping workers productive while remote. Coming off the pandemic, states are facing steeply rising demand for progress on technology projects they had put on hold. I call this scramble for results “the big surge.”
IT departments are suddenly once again pressing play on projects including cloud strategy, legacy modernization, identity and access management, enterprise architecture governance, data and information management, and optimizing their resources and services.
All this while keeping cybersecurity and risk management front and center in spite of a massive shortage of human capital. The difficulty finding qualified cybersecurity workers came up again and again at NASCIO’s recent conference, stressing the significance of the problem for state IT departments. Government workers also skew older than most other industries. In my case, nearly half of my staff of 400 were retirement eligible. This tells me that a tough problem is about to get tougher.
To close the skills gap, states need to pull out all of the stops in terms of recruiting IT and cybersecurity talent. This should include embracing remote work, which opens up prospective candidates from every corner of their respective states, including rural or underserved communities where salaries will go further (and hence make offers more attractive). They also need to market positions using the same modern terminology and sets of responsibilities they might find in the private sector. No more “post-and-pray.”
Whole-of-state, under the banner of zero trust
Today, most states operate according to one of a few models. Some states have what are called policy CIOs, who operate with a small staff and create rules for the rest of the state. Others, like Wisconsin where I served, operate on a federated model: the state appoints a CIO responsible for enterprise systems and data centers, but a CIO at each state agency runs that agency's own internal operations.
Another model, which I think is preferable, unites an entire state under a single source of IT leadership. In this model, agencies collaborate with the private sector to learn best practices and advise smaller, local governments based on what they learn. So-called “whole-of-government” and “whole-of-state” approaches present enormous opportunities to standardize architectures for improved response capabilities, achieve cost savings, and bring consistency to skill development programs.
I mention these models to emphasize my point that a state’s overall IT priorities are subject to the day-to-day priorities of a number of different leaders. Bringing them all under the same umbrella would help solidify state-wide strategy and tactics while protecting public sector IT departments from the whims of a few local leaders. By aligning practices like patching schedules, training courses, and incident response plans, states achieve scale, continuity, and security. This approach has so far been best exemplified by North Dakota’s outgoing CIO Shawn Riley.
Politics and preconceived notions will inevitably be barriers to rallying behind any single, state-wide framework. But, luckily, states don’t have to create one from whole cloth. Many CIOs already report that drafting and implementing zero trust frameworks are key initiatives. States could follow the lead of the federal government in encouraging broad adoption of this approach.
Incidentally, all ten state CIO priorities would in some way be advanced by adopting zero trust architecture:
- Cybersecurity and risk management – By connecting users to apps directly, rather than to networks, organizations reduce their attack surfaces and prevent lateral movement. Adversaries can’t attack what they can’t see.
- Digital government/Digital services – Adopting a “framework for digital services” ranks high on state CIOs lists. I believe zero trust is that framework. Accessibility, identity management, privacy – all are covered under it.
- Broadband/wireless connectivity – If states are serious about being 5G-ready, they’ll need security that’s available at the edge.
- Cloud services – Cloud connectivity is a key enabler of remote work, a benefit for states looking to attract talent. But misconfigurations are among the leading causes of cloud data breaches, so some form of continuous posture control is essential.
- Legacy modernization – Rather than replacing legacy security appliances with newer appliances, zero trust lets states retire them by moving the functions of traditional security appliances into cloud-delivered services.
- Identity and access management – Identity is the foundation of zero trust: no user or device reaches any resource until it has been authenticated and authorized for that specific request.
- Workforce – “Reimagining the government workforce” should begin with preparing it for a new paradigm, and 97% of enterprises report having zero trust initiatives in the works.
- Enterprise architecture – With zero trust, cloud-hosted internal applications and third-party access are securely brokered without the need for breach-prone VPNs, so business processes are reliable and secure.
- Data and information management – Once access to cloud-hosted data is brokered per request, data loss prevention (DLP) controls inspecting that traffic can block unwanted exfiltration, alleviating many compliance concerns.
- Consolidation/optimization – Backhauling traffic through centralized data centers and guarding network perimeters with stacks of security devices is contrary to both consolidation and optimization. A core principle of zero trust is that being on a network confers no trust, so networks are not points of policy enforcement; policy is evaluated for each request, wherever the user and the application happen to be.
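To make concrete what "per-request enforcement" and "networks are not points of policy enforcement" mean in the list above, here is an added example in Python. It is not code from the original post and does not describe any particular product: a perimeter-style decision that trusts source IP is placed beside a zero-trust evaluator that ignores network location and checks identity, MFA, device posture and entitlement on every request. The token format, the shared secret, the two applications, the group names and the 10.0.0.0/8 "internal" range are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical shared secret for the identity provider's tokens (constructed for this example).
IDP_SECRET = b"demo-idp-secret-not-for-production"


def issue_token(subject, groups, mfa, ttl=300, now=None):
    """Mint a minimal HMAC-signed bearer token, standing in for an IdP-issued token."""
    now = time.time() if now is None else now
    payload = {"sub": subject, "groups": list(groups), "mfa": mfa, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        return None
    return claims


@dataclass
class Request:
    src_ip: str
    app: str
    token: Optional[str] = None
    device_managed: bool = False
    device_patched: bool = False


# Entitlements per application (constructed): who may reach it and under what conditions.
APP_POLICY = {
    "payroll": {"groups": {"hr-staff"}, "require_mfa": True, "require_managed_device": True},
    "intranet": {"groups": {"all-staff"}, "require_mfa": False, "require_managed_device": False},
}

INTERNAL_NET = ip_network("10.0.0.0/8")  # hypothetical "trusted" campus range


def perimeter_decision(req):
    """Legacy model: anything arriving from the internal network is trusted."""
    return "allow" if ip_address(req.src_ip) in INTERNAL_NET else "deny"


def zero_trust_decision(req, now=None):
    """Per-request evaluation of identity, session, device posture and entitlement.
    Source IP is deliberately never consulted: network location confers no trust."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return "deny: unknown app"  # apps that are not brokered are not reachable at all
    claims = verify_token(req.token, now) if req.token else None
    if claims is None:
        return "deny: no valid identity"
    if policy["require_mfa"] and not claims["mfa"]:
        return "deny: mfa required"
    if policy["require_managed_device"] and not (req.device_managed and req.device_patched):
        return "deny: device posture"
    if not policy["groups"] & set(claims["groups"]):
        return "deny: not entitled"  # blocks lateral movement by a valid but unentitled user
    return "allow"


def run_scenarios(now=None):
    """Compare both models on constructed requests; returns (label, perimeter, zero_trust) rows."""
    now = time.time() if now is None else now
    alice = issue_token("alice", ["hr-staff", "all-staff"], mfa=True, now=now)
    bob = issue_token("bob", ["all-staff"], mfa=True, now=now)
    scenarios = [
        ("intruder on internal LAN, no identity", Request("10.1.2.3", "payroll")),
        ("alice from a coffee shop, managed device", Request("203.0.113.5", "payroll", alice, True, True)),
        ("bob's compromised internal workstation -> payroll", Request("10.4.5.6", "payroll", bob, True, True)),
        ("alice on an unmanaged laptop", Request("198.51.100.9", "payroll", alice, False, False)),
    ]
    return [(label, perimeter_decision(r), zero_trust_decision(r, now)) for label, r in scenarios]


if __name__ == "__main__":
    for label, legacy, zt in run_scenarios():
        print(f"{label:55s} perimeter={legacy:6s} zero-trust={zt}")
```

The first and third scenarios are the ones the post is about: an unauthenticated host and a compromised but legitimate user both sit on the "trusted" network, so the perimeter model waves them through, while the zero-trust evaluator denies the first for lack of a verified identity and the second for lack of entitlement to that application. The second scenario is the reverse: a properly verified user on a managed device is allowed in from anywhere.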
State governments are among those with the most to gain by committing to digital transformation. But without smart planning and coordinated implementation, the technology they hope enables their operations could end up hobbling them.