Cybersecurity Management in the States: The Emerging Role of Chief Information Security Officers

Foreword by John Bruel and John Lainhart: On behalf of the IBM Center for The Business of Government, we are pleased to present this report, 'Cybersecurity Management in the States: The Emerging Role of Chief Information Security Officers,' by Marilu Goodyear, Holly T. Goerdel, Shannon Portillo, and Linda Williams.

The importance of safeguarding information created and shared on computers and the internet has increased significantly in recent years, as society has become increasingly dependent on information technology in government, business, and personal life. Both corporations and government have responded by creating a new role in their organizations to lead the safeguarding efforts - chief information security officers. The role of these officers is still under development. Do they safeguard best by using law enforcement techniques and technological tools? Or are they more effective if they serve as educators and try to influence the behaviors of technology users?

This report is a significant contribution to the discussion of the roles and responsibilities of chief information security officers (CISOs) in state governments across the United States. It identifies both strategies and activities used by successful state CISOs, and thereby provides a good road map to success for all state CISOs.

The report cites the Multi-State Information Sharing and Analysis Center (MS-ISAC), which has been championed since its inception by the New York state chief cybersecurity officer, as one key cybersecurity collaboration success. The MS-ISAC initiative has yielded measurable results and provided a means of consistent communication across sectors in society. The report also emphasizes that while a technical education remains important for CISOs, state cybersecurity officials need to be proficient in nontechnical skills as well, including collaboration, communication, managerial, organizational, policy alignment, and political skills.
Finally, the report emphasizes the need for state cybersecurity officials to devote increased attention to data management as the defined system/network perimeter has dissolved and the future success of cybersecurity relies on the CISOs, chief information officers, data owners, records managers and archivists to jointly focus on data management to achieve effective business processes. This report also emphasizes the importance of effective IT governance -

We hope that you find this report both timely and informative. We believe its insights and recommendations are relevant to CISOs at all levels of government.