States called to action on security

Promoting information technology security as a "way of life," a new report is urging state governments to look at better governance and enterprise architecture models, deploy enhanced technologies to measure and prevent cyberattacks, and share data with other critical groups.

The report, "Public-Sector Information Security: A Call to Action for Public-Sector CIOs," was issued by the National Association of State Chief Information Officers and funded by the PricewaterhouseCoopers Endowment for the Business of Government.

John Lainhart, a PwC Consulting partner responsible for the group's information assurance practice, said the report should serve as a comprehensive roadmap to view IT governance not just as a technology issue, but also from a management perspective.

"It's a new topic. It's cutting edge if you will," said Lainhart, adding that governors and state legislatures have to come up to speed about the necessity for IT security. "It's clearly a huge problem for the states."

The report, written by former Kansas CIO Don Heiman and released July 23, spells out 10 recommendations to boost IT security:

* Develop an enterprise IT governance model including representatives from all branches of state government.

* Develop measures of success and best practices.

* Adopt IT control objects to manage, implement and maintain systems.

* Develop metrics to precisely measure intrusions, breaches, penetrations, and vulnerabilities and share such confidential information with appropriate groups.

* Develop an enterprisewide IT architecture that includes cybersecurity.

* Create a business case for security, including a full risk assessment of critical infrastructure vulnerabilities, inventory of critical systems and assets and gap analysis.

* Implement appropriate security technologies depending on the asset.

* Develop a state security portal for coordinating emergency response. The portal should integrate with emergency technologies.

* Establish an interstate information sharing and analysis center to help coordinate state responses to cyberattacks.

* Develop model legislation to allow local, state and federal entities to share confidential security incident reports among themselves and private groups that support critical infrastructures.

With up to 45 states grappling with revenue shortfalls, the issue may have a difficult climb.

"This is a problem particularly for the states because of the budget crunches in the states and it's got to be put into a priority order," said Lainhart, who also sits on the nonprofit IT Governance Institute board, which is promoting the issue.

"They've got to look at this and identify their significant needs and put the funds there and certainly we've said in the report they need some help from the federal government. That's what Congress is considering right now in homeland security legislation," he said.

