Over the last 18 months, my primary goal has been to improve our cyber security platform by promoting awareness and streamlining processes and budgets to reduce risk across state government. As a businessman turned Cabinet Secretary for the Maryland Department of Information Technology and the State’s CIO, I understood the technical and cultural challenges that lay a head in leading the State to a better alignment with the NIST Cyber Security Framework.
The size and scope of state government brings a complexity that includes multiple budgets, varying requirements and security risks, and sophisticated threats across dozens of state agencies and departments. For example, our state department of transportation encompasses several business units: Aviation, Motor Vehicle, Ports, Highways, Transit and Toll Facilities. In building their technology base over the decades, the individual units within the department did not fully leverage the benefits of collaborating with their peers. Several of our large state agencies utilize public safety radio nets, law enforcement and criminal justice records, and additional private data of citizens as they register cars, drivers, boats, fishing licenses and the list goes on. The agencies never conceived when building these networks that they were simultaneously creating an entangling web of application permissions, complex patching scenarios, undocumented network trusts, and many other vulnerable cyber security scenarios.
The accountability for the security of this condition, whether within the enterprise or the legacy, rests with agency heads. All too often, though, it is not clear that agency and department heads have the resources to address that responsibility. This inability to be nimble creates an inability to exercise direct authority, resulting in the operational condition described above.
Overcoming the Challenges
The primary focus when initiating our Enterprise Plan across 19 state agencies was to bring the network, desktop services and supporting infrastructure into a single, manageable baseline. Through a planned on boarding process, our teams attempted to provide value back to individual business units. While there was much success, the conversation was mostly one way. Typically, those struggling with old and outdated technology software and hardware did not necessarily value the entirety of benefits available through a centralized IT delivery, or acknowledge the need to provide comprehensive security solutions. Some resisted the cultural shift and preferred to be left to their own devices, only interested in incrementally improving the legacy services they normally provided. The challenge to my team became understanding and enabling the business unit’s operational technology, and gaining the agency or departments’ trust in providing valued services. In the business world, there’s a thirst for improving technological solutions and obtaining an operational edge over similar companies that isn’t typically endemic to the legacy culture of state IT operations.
"The agencies never conceived when building these networks that they were simultaneously creating an entangling web of application permissions, complex patching scenarios, undocumented network trusts, and many other vulnerable cyber security scenarios"
The state’s enterprise requires a secure backbone as well as professional security monitoring services. I find my teams are likely to inherit the sole responsibility for any security provided beyond the occasional compliance audit required by either an external data source (e.g. federally mandated requirements) or the state’s auditors. Problems arise when agencies have underfunded their IT infrastructure and most are not in a position to transfer funding to realize any new capability provided by the enterprise.
I am in agreement with many readers in this forum that security, compliance and auditing are in fact board or near board activities. To the extent those activities are an afterthought or poorly executed in an operational technology rollout, the enterprise absorbs the risk, increased technical complexity and higher maintenance costs. To assume an agency or department head truly understands the complexity of where the information undergirding the information stores originates and how it is shared would be irresponsible. Additionally, we cannot assume they have a full understanding of the risks their technical investments have created.
Road Map Ahead
We have expanded our enterprise portfolio faster than expected, and are very proud to be providing services to 26 state agencies and departments today. While there is much more to do in structurally codifying the budget to maintain Maryland’s prowess in network security; much of our future successes will be tied to our ability to unify together as a single IT enterprise and address operational imperatives.