Securing the Enterprise
Govciooutlook

David Garcia, CIO, State of Maryland

Over the last 18 months, my primary goal has been to improve our cyber security platform by promoting awareness and streamlining processes and budgets to reduce risk across state government. As a businessman turned Cabinet Secretary for the Maryland Department of Information Technology and the State’s CIO, I understood the technical and cultural challenges that lay ahead in leading the State to a better alignment with the NIST Cyber Security Framework.

The size and scope of state government brings a complexity that includes multiple budgets, varying requirements and security risks, and sophisticated threats across dozens of state agencies and departments. For example, our state department of transportation encompasses several business units: Aviation, Motor Vehicle, Ports, Highways, Transit and Toll Facilities. In building their technology base over the decades, the individual units within the department did not fully leverage the benefits of collaborating with their peers. Several of our large state agencies utilize public safety radio nets, law enforcement and criminal justice records, and additional private data of citizens as they register cars, drivers, boats, fishing licenses and the list goes on. The agencies never conceived when building these networks that they were simultaneously creating an entangling web of application permissions, complex patching scenarios, undocumented network trusts, and many other vulnerable cyber security scenarios.

The accountability for the security of this condition, whether within the enterprise or the legacy, rests with agency heads. All too often, though, it is not clear that agency and department heads have the resources to address that responsibility. This inability to be nimble creates an inability to exercise direct authority, resulting in the operational condition described above.

Overcoming the Challenges

The primary focus when initiating our Enterprise Plan across 19 state agencies was to bring the network, desktop services and supporting infrastructure into a single, manageable baseline. Through a planned onboarding process, our teams attempted to provide value back to individual business units. While there was much success, the conversation was mostly one way. Typically, those struggling with old and outdated technology software and hardware did not necessarily value the entirety of benefits available through a centralized IT delivery, or acknowledge the need to provide comprehensive security solutions. Some resisted the cultural shift and preferred to be left to their own devices, only interested in incrementally improving the legacy services they normally provided. The challenge to my team became understanding and enabling the business unit’s operational technology, and gaining the agency or departments’ trust in providing valued services. In the business world, there’s a thirst for improving technological solutions and obtaining an operational edge over similar companies that isn’t typically endemic to the legacy culture of state IT operations.

The state’s enterprise requires a secure backbone as well as professional security monitoring services. I find my teams are likely to inherit the sole responsibility for any security provided beyond the occasional compliance audit required by either an external data source (e.g. federally mandated requirements) or the state’s auditors. Problems arise when agencies have underfunded their IT infrastructure and most are not in a position to transfer funding to realize any new capability provided by the enterprise.

I am in agreement with many readers in this forum that security, compliance and auditing are in fact board or near board activities. To the extent those activities are an afterthought or poorly executed in an operational technology rollout, the enterprise absorbs the risk, increased technical complexity and higher maintenance costs. To assume an agency or department head truly understands the complexity of where the information undergirding the information stores originates and how it is shared would be irresponsible. Additionally, we cannot assume they have a full understanding of the risks their technical investments have created.

Road Map Ahead

We have expanded our enterprise portfolio faster than expected, and are very proud to be providing services to 26 state agencies and departments today. While there is much more to do in structurally codifying the budget to maintain Maryland’s prowess in network security, much of our future successes will be tied to our ability to unify together as a single IT enterprise and address operational imperatives.
