States called to action on security

Promoting information technology security as a "way of life," a new report is urging state governments to look at better governance and enterprise architecture models, deploy enhanced technologies to measure and prevent cyberattacks, and share data with other critical groups.

The report, "Public-Sector Information Security: A Call to Action for Public-Sector CIOs," was issued by the National Association of State Chief Information Officers and funded by the PricewaterhouseCoopers Endowment for the Business of Government.

John Lainhart, a PwC Consulting partner responsible for the group's information assurance practice, said the report should serve as a comprehensive roadmap to view IT governance not just as a technology issue, but also from a management perspective.

"It's a new topic. It's cutting edge if you will," said Lainhart, adding that governors and state legislatures have to come up to speed about the necessity for IT security. "It's clearly a huge problem for the states."

The report, written by former Kansas CIO Don Heiman and released July 23, spells out 10 recommendations to boost IT security:

* Develop an enterprise IT governance model including representatives from all branches of state government.

* Develop measures of success and best practices.

* Adopt IT control objects to manage, implement and maintain systems.

* Develop metrics to precisely measure intrusions, breaches, penetrations, and vulnerabilities and share such confidential information with appropriate groups.

* Develop an enterprisewide IT architecture that includes cybersecurity.

* Create a business case for security, including a full risk assessment of critical infrastructure vulnerabilities, inventory of critical systems and assets and gap analysis.

* Implement appropriate security technologies depending on the asset.

* Develop a state security portal for coordinating emergency response. The portal should integrate with emergency technologies.

* Establish an interstate information sharing and analysis center to help coordinate state responses to cyberattacks.

* Develop model legislation to allow all local, state and federal entities to share confidential security incident reports among themselves and private groups that support critical infrastructures.

With up to 45 states grappling with revenue shortfalls, the issue may have a difficult climb.

"This is a problem particularly for the states because of the budget crunches in the states and it's got to be put into a priority order," said Lainhart, who also sits on the nonprofit IT Governance Institute board, which is promoting the issue.

"They've got to look at this and identify their significant needs and put the funds there and certainly we've said in the report they need some help from the federal government. That's what Congress is considering right now in homeland security legislation," he said.

