The state's chief risk officer says efforts to promote more visibility across the enterprise are key to keeping citizen data protected.
After nearly three years of serving as North Carolina’s chief risk officer — effectively the state’s equivalent of a chief information security officer — Maria Thompson's focus has not changed.
“One of the key priorities that we’ve been looking at is how can we gain visibility into our environment. How can we enable our executive branch agencies to work together as a team, how can we share resources, how can we collaborate across our environment?” Thompson told StateScoop in April. “Visibility is key to ensuring that we are protecting our citizens' data.”
In those efforts to gain more visibility — and under the strict constraints of budget and workforce — the state has been working on taking a more “creative” approach to cybersecurity problem solving, as well, Thompson says.
“We try to be creative in our approach when it comes to budget requirements because we understand that we have a shortage of budget and funding,” Thompson says.
Communication is also a key part of their efforts, Thompson says. The chief risk officer sits within North Carolina’s Department of Information Technology, which is located in Raleigh, the state capital. Raleigh makes up one corner of North Carolina’s Research Triangle region, which also includes the cities of Durham and Chapel Hill, and is anchored by several major universities.
“We communicate across all the different branch agencies — public and private — leveraging our private sector companies that are out there,” Thompson says. “Being in the Research Triangle allows us to have a great opportunity to tap into the private sector companies and what they can bring to the game.”
The communication part of Thompson’s visibility strategy is especially important in an era of emerging technologies that can either help the state's IT strategy or hamper it if not conceived diligently.
“We approach things a little bit more methodically,” Thompson says. “It’s no longer necessarily that ‘there’s a new tool out there, let’s throw it on the network.’ It’s ‘let’s think about how we can work with the business to make sure that we are enabling them, but also make sure that they understand the risks that are associated with them.’”