New legislation would eliminate all but a handful of the Agency for State Technology's employees and reduce its role to that of an advisory board.
Colin Wood is the managing editor of StateScoop. Before that, he was a staff writer for Government Technology magazine. Before that, he taught Engl...
In what would be the fourth incarnation of the state's technology office in 12 years, the state House of Representatives pushed a new bill out of committee Tuesday that would decimate the Agency for State Technology, a body only formed in 2014.
The legislation, which follows the departure of state chief information officer Jason Allison in February, would introduce sweeping reforms to the state's IT structure, governance and staffing. Among the changes proposed are an elimination of more than 40 roles within AST and removal of any purchasing or policymaking power over the enterprise. The agency would be moved inside the Department of Management Services, which would assume control over the state's data center. The legislation, which contains many other changes to the state's approach to technology, would dissolve AST and create a new office called the Office of Technology and Data Solutions.
"It turns us into a symbolic office with seven people that are chartered with way more than they could possibly accomplish," interim state Chief Information Officer Eric Larson said.
Though similar power struggles can be found in state legislatures across the country, no state but Florida has experienced so much fluctuation in its management of state IT.
In what Larson characterized as "disturbing" and a "significant setback" for Florida IT, the new legislation — headed by state Republican chairman Rep. Blaise Ingoglia — would reduce a project management team that was once comprised of seven staff members to one.
"We [would] still provide project oversight, but there's no staff," Larson said. "It's just one lead project manager that's in charge of oversight of all the technology projects."
Rep. Ingoglia also oversaw a committee hearing in February in which he noted concern over an audit of the technology agency that found 12 violations of state law. Among the violations were agencies that had been discovered to hold "inappropriate" access to the state data center.
At the most recent hearing, Ingoglia noted a "shocking" trend of open positions in the state's data center — 21 percent — that represented technology spending that had grown "out of control."
"With no funding request related to the filling of positions or any other request by AST of the legislature for assistance, we must assume the agency does not need the positions to operate," Ingoglia said. "Therefore, AST should have offered those positions as a reduction in their budget request and in doing so could have reduced their … costs for their customer agencies."
Though committee members voted in favor of Ingoglia's bill, several noted concerns with the legislation, including Republican Rep. James Grant.
"I'm going to do something that I don't do often, but I do have that much faith in this chairman and I am going to support a bill that, as written, violates every principle of open government and an open architecture and everything we've worked on for the last four years," Grant said.
Some security roles were expanded, but security staffing would take a similar cut. The state chief information security officer, for instance, would be chartered with participating in a new body called the Florida Cybersecurity Task Force, but most of the security staff would be eliminated or located in outside agencies. With data center operations placed in a different agency, managing tactical security operations would be very difficult in this configuration, Larson said.
"It's now just one warm body managing security for the entire state," he said.
Ingoglia said during the hearing that he spent a lot of time listening to different sides of the issue and concluded it would be in the "best interest" of the taxpayers and the state to pass the restructuring.
"The current IT structure was a good attempt, very noble, but it is just not working," he said.
The legislation would also repeal some policy changes already drafted by AST but not yet codified, including an identity management enterprise architecture rule that will become law at the end of the fiscal year if the IT restructuring fails.
"We worked with all the different agencies over the last six, eight months and got everybody to agree and move forward with it, which was really no small feat because all the agencies had to agree to a standard that they didn't comply with out of the gate," Larson said.
Many of the proposed changes run counter to the primary goal advertised by many state IT agencies, AST included, of creating a consolidated service platform that offers technology across the enterprise.
Yejin Cooke, director of affairs for the National Association of State Chief Information Officers, said her organization does not comment on specific legislation, but noted that its "national surveys and research of states show a sustained effort toward more centralization, consolidation and optimization."
Draft legislation shows that many instances of the word "enterprise" have been removed. Deployment of cloud services would return to the discretion of individual state agencies.
"There is no concept of enterprise architecture, services or mindset anywhere. It completely walks it back to pre-central IT," Larson said.