Letter to the editor
I have several thoughts in response to your editorial titled "From the ground up."
First, the National Association of State Chief Information Officers
is not composed of state security officers. In fact, most states do not have
a designated security officer; they have designated security contacts that
do that job in addition to everything else. NASCIO, to its credit, has been
attempting to fill the gap, but security is an add-on, not a priority,
and rightly so given the organization's mission.
Second, it is anticipated that the national cybersecurity strategy will
not address state and local government issues. This has been one of the
weakest links in the proposed strategy.
This past year, Colorado created an IT risk management division within
its Office of Innovation and Technology (www.oit.state.co.us).
This division houses the information security and privacy functions and
is dedicated to managing and mitigating IT risk. This is a model that all
levels of government should emulate, including the federal government.
In the meantime, the main issues holding up effective security/privacy
initiatives in this country are leadership, governance and dedicated resources.
To seriously address IT problems, security officers need enforcement and
compliance authority and dedicated resources.
To date I know of no state that has the proper tools to do the job.
And quite frankly, we must think outside of the box and be prepared to create
innovative governance structures if we are going to deal effectively with
cybersecurity and cyberwarfare.
No information security officer can successfully monitor his facilities,
man the stations, investigate intrusions and try to figure out who's on
first all at the same time.