Cybersecurity veteran Agnes Kirk retires as Washington state CISO
After 23 years with Washington state government, state Chief Information Security Officer Agnes Kirk has retired.
Officials with the state Office of CyberSecurity told StateScoop on Tuesday that Kirk officially retired on June 2 to spend more time with her family, children and grandchildren. Kirk’s departure marks the end of an unusually long stretch in state government IT — she began with the state in 1995 before being named state CISO in 2005. Her responsibilities gradually grew and the legislature expanded her role further in 2015 by creating an enterprise Office of CyberSecurity (OCS) and putting it under her command.
Kirk is replaced temporarily by Phil Davis, another Washington state government veteran who told StateScoop he began working in the state’s IT operations in 1990 and has most recently serving as the deputy CISO of operations. Davis now assumes the role of acting state CISO, but he too will leave the office next month when he takes a role as chief information officer for the Washington State Department of Financial Institutions.
“I worked for her for a very long time and it was all positive,” Davis said. “She definitely was on-top-of-it and sharp. Agnes is a person that would see things through to completion. While it’s good for her to have the opportunity to retire, she was a great leader here at the state.”
As CISO, Kirk saw her responsibilities grow along with the field of cybersecurity itself. She provided strategic oversight for the state and was responsible for protecting its network infrastructure while advising the governor, elected officials and Cabinet directors on security strategy, policy and incident management. OCS reports to the state Office of the Chief Information Officer.
Kirk headed cybersecurity training, managed the state’s security operations center and pushed hard for collaboration between government, academia and businesses to bolster the cybersecurity workforce in the face of 6,500 vacant cybersecurity positions across Washington.
She was also an active adviser on many boards and committees, including national homeland security committees, the Federal CISO Advisory Board, the National Association of State Chief Information Officers Cyber Advisory Board, and the executive committee for the Multi-State Information Sharing & Analysis Center.
Kirk helped drive cybersecurity as a policy issue among other government leaders and helped to launch Gov. Jay Inslee’s first cybersecurity and privacy summit in 2016. She advocated for CISOs and CIOs as key operators in state government who can ensure “continuity of commerce,” even in emergencies.
“Because we’re so interconnected, everything is tied to everything and every computer is connected. It’s no longer something that we can ignore,” Kirk said last year while being recognized as one of StateScoop’s top Women in Tech for 2017.
Despite all Kirk did, and the fact that the state is currently without a CIO — ( acting CIO Rob St. John will officially retire on June 30 and the state is still searching for a replacement) — Davis says the state’s cybersecurity organization is mature enough to continue on regardless.
“Our mission has not changed,” Davis said. “We still have the same teams here. We still provide the same services to Washington state government. It’s just carrying on with the same intentions.”
Those same teams that will allow cybersecurity operations to continue in her absence are the centerpiece of her legacy. When asked in a past interview what her “best cybersecurity decision” was, Kirk named two things: creating the security operations center and a statewide cyber-incident response team, and the second thing was “hiring a great team.”
“Every time I hire a great person on my team it is a key decision,” Kirk said. “Because the best decisions in cybersecurity are ones that help you create a team of cyber professionals who not only have excellent technical chops but also want to be part of a common cause bigger than any one of us and bigger than all of us — protecting citizen and business data from the bad guys. Easy to say, incredibly difficult to do, and it can’t be done alone.”