State CIOs aren’t confident in locals’ cybersecurity, but it’s not personal

At the Michigan Cyber Summit, a group of state CIOs discussed how they're getting more acquainted with their local governments.
NASCIO Executive Director Doug Robinson interviews Michigan CIO Laura Clark, West Virginia CIO Josh Spence, Indiana CIO Tracy Barnes, Ohio CIO Katrina Flory, Detroit CIO Art Thompson and Wayne County, Mich., CIO Hector Roman at the Michigan Cyber Summit in Novi, Mich. (Benjamin Freed / Scoop News Group)

A group of statewide chief information officers said Thursday that they aren’t confident in the cybersecurity capabilities of their states’ local governments, but helping them improve is a top priority.

Pressed by National Association of State Chief Information Officers Executive Director Doug Robinson during a panel discussion at the annual Michigan Cyber Summit if they believed their respective local partners are up to the challenge, the four CIOs — representing Indiana, Michigan, Ohio and West Virginia — offered a unanimous: “No.”

They all chalked that up to the still-limited interaction state-level IT agencies have with local governments, even as other relationships between states and localities grow stronger.

“Indiana had a very limited interaction between state and local levels,” Indiana CIO Tracy Barnes said. “When I came in, I said at a minimum we need to know who they are. We’re all citizens. Additionally, every one of them is connected to my backbone. They’re all getting services from the state.”


Barnes said he embarked on a 92-county tour of Indiana, drawing on his past as a political aide to the state’s lieutenant governor. With that tour wrapping up, the Indiana Office of Technology announced earlier this month it’s going to partner with Indiana University and Purdue University to conduct risk assessments of all 342 of Indiana’s municipal governments.

“If state of Indiana and IU and Purdue can come together, that’s the kind of story that gets the minds thinking,” he said. “It’s about the trust we have to build for them to see us as partners, not Big Brother, not as their boss so we don’t have to go through legislation and mandates.”

Ohio CIO Katrina Flory replied that she shared news about Barnes’ university partnerships with some of her colleagues, as her office also doesn’t have much contact with local authorities. The Ohio Department of Public Safety and Emergency Management Agency, though, are involved with cyber incident response, as is the Ohio Cyber Reserve, a volunteer group run out of the state National Guard. Flory also said upcoming federal funding could bring her closer to the locals.

“I think the cyber grants that came out is a great opportunity for us to re-evaluate what our relationship is,” she said.

Like the other state CIOs on stage, Michigan’s Laura Clark said she, too, does not provide direct services to local governments, though she said her office has been able to advance its outreach through tabletop exercises and by bringing in outside experts to consult on major incidents, like the 2020 SolarWinds breach.


“It’s not the state just talking,” Clark said.

The Michigan Department of Technology, Management and Budget’s efforts did not go unnoticed by the local CIOs on stage.

“The biggest thing I look for is that partner,” said Detroit CIO Art Thompson. “Not that the state comes in and rescues me, but they’re at least the sounding board. If I need to know who to call, Laura’s got their number. I think Michigan does a fantastic job of collaboration that we’re all in the loop.”


Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.
