As CIO role evolves, cybersecurity policy becomes more important than ever
As states increasingly look to contract out IT services, Mississippi CIO Craig Orgeron said technology shops must institute strong cybersecurity policies to manage the risk that comes along with that.
At the National Association of State Chief Information Officers (NASCIO) Annual Conference in Austin, Texas, on Monday, Orgeron told StateScoop that his role as CIO is transforming from that of a traditional IT manager to that of an IT broker, in which more of the state’s digital services are coming from the cloud, are managed by outside vendors and require additional cybersecurity policies to safeguard the state’s data and systems.
“Most state IT shops are, from a procurement perspective, centralized and if you can procure those services, that’s one form of brokerage,” Orgeron said. “You’re not putting any space between an agency that needs services and getting those services, and I think that is just one part of what it is that we do now.”
To operate efficiently and protect the state from liabilities and risks that can come from outside providers, this year Mississippi legislators passed HB 999 to create the state’s first Enterprise Security Program. Orgeron said that the bill and cybersecurity best practices from the Mississippi Department of Information Technology Services (MDITS) are opening the door for the departments to investigate alternative solutions to in-house systems and digital infrastructure.
The bill hands MDITS the authority to create a broad set of cybersecurity standards across state agencies, and in turn, Orgeron said it has bolstered the state’s confidence when procuring more services with third-party tech companies where software isn’t managed internally.
“It’s called an Enterprise Cyber Security program, but the bill really just lays out roles and responsibilities between the central IT shop and individual agencies,” Orgeron said. “It’s really a framework and also has collaborative elements in the bill like the creation of a security and threat council that meets regularly to discuss cybersecurity issues.”
In Mississippi and in other states, Orgeron said he sees a growing number of IT departments realizing that in order to provide modern services, outsourcing is almost inevitable, and that managing risk and scaling digital infrastructure requires a mixture of strong security policy and an openness to partnering with the private sector.
“Anything can be a service — it’s this very simplistic idea that people aren’t just going to be buying, building and running things. You’re going to be consuming services just like people do in their daily lives,” Orgeron said. “I think CIOs are in a perfect place to do more of that.”