Outgoing New York CISO: 'It's certainly been a challenge'

New York Chief Information Security Officer Karen Sorady told StateScoop on Thursday that while the past few years have been trying, she’s stepping down at a time when state government has responded successfully to a series of trials.

“It’s certainly been a challenge over the past few years,” said Sorady. “There’s been a lot going on. Not just the pandemic but also the huge increases in cyber threats and a changing landscape.”

But Sorady said New York’s Office of Information Technology Services has made strides, along with the other agencies it services across a 277,000-employee government organization. Along with adapting to the rapid digitization of public services at the start of the COVID-19 pandemic last year, Sorady said her team had to accelerate the pace at which it evaluates the security of the many technologies New York employs, which in turn sparked a culture shift.

“Just changing the culture within the organization, within the state on cyber, helping the agencies understand why we’re here, why they need security,” she said. “The whole impetus is for us to help them do their business.”

It was a trend she said also changed cybersecurity professionals’ reputations.

“[Agencies are] starting to get the importance of cyber,” she said. “Ensuring the professionals are seen as partners, not impediments or something extra. Cyber has the reputation as the ones who say no to everything, and we have to change that.”

Sorady said that was achieved through constant collaboration and communication between her office at ITS and the information security officers embedded in individual state agencies, who stayed in regular communication with their departmental leaders.

“We’ve trained them to have regular touchpoints with business partners in their agencies, how to help them understand what we’re trying to do by explaining the impact it has on their business. It’s about having open lines of communications and being honest about things and collaborating,” she said.

Sorady’s retirement after more than three decades as a New York State employee was announced Wednesday by state Chief Information Officer Angelo “Tony” Riddick. She was named acting CISO in October 2019, upon the retirement of Deborah Snyder, and promoted to the role on a full-time basis a few months later. She got her start in Albany in 1989 as an information security officer for the New York State Banking Department. (The agency, once the nation’s oldest bank regulator, was shuttered in 2011, when it was folded into the new state Department of Financial Services.) She later held similar positions with the New York State Office of Cybersecurity and Division of Homeland Security before joining ITS in 2012 as director of security governance and compliance.

“It sometimes sounds trite but I’ll miss working with the people,” Sorady said. “One of the things I love about this job is the collaboration in cyber. It’s a big problem, no one of us is going to solve it alone.”

Sorady’s retirement is effective at the end of the month, and a successor has not yet been named, though ITS is “actively searching,” according to state officials.

“Our team is well-positioned to take over,” she said. “They have the experience and knowledge to do that.”

Sorady said she does not have a new position lined up for when she leaves government.

“I’ve been with New York State for 32 years, so it’s time for something new,” she said.
