California publishes ‘road map’ for next five years of cybersecurity

State CIO Amy Tong said the plan is a "fundamental effort" to improve and standardize cybersecurity across a sprawling government enterprise.
California CIO Amy Tong
Amy Tong (Scoop News Group)

Two of California’s top technology officials said Tuesday that a new, five-year cybersecurity “road map” will put the state government on track to a more consistent approach to securing its IT assets and critical infrastructure, including aligning cybersecurity more closely with homeland security.

The “Cal-Secure” plan, which Gov. Gavin Newsom announced Friday, aims to expand and improve security technologies and controls, conduct broader oversight and compliance operations and fill job vacancies across a statewide enterprise with more than 150 agencies and a highly federated IT governance structure. The plan is also an extension of “Vision 2020,” an IT agenda the state implemented in 2017. While the Cal-Secure framework has been in the works for some time, its goals were greatly influenced by the changes to government brought on by the pandemic, state Chief Information Officer Amy Tong said in a phone interview with StateScoop.

“The pandemic response put a finer point on how much reliance there is on digital service, and with that reliance comes much more responsibility to protect public assets and the services we provide to residents,” she said. “This is not an option, not a ‘nice-to-have.’ This is a fundamental effort.”

The Cal-Secure road map is broken into three agendas — people, processes and technology, and in the coming years, the document reads, the state plans to make investments in more modern security technologies and procedures. This starts with more fundamental components like multi-factor authentication and continuous vulnerability management in the first year, and building toward advanced practices like enterprisewide encryption and insider-threat detection in the fifth year. While these upgrades are important on their own, Tong and California Chief Information Security Officer Vitaliy Panych said the human and policy components are much more critical.


“The underlying theme is to embed cybersecurity controls and practices, not just from a tech perspective, but from a process perspective,” Panych said.

Among the strategy’s personnel-minded goals is training and recruiting more cybersecurity workers to fill the state government’s vacancies. Tong said that “pipeline development” will include K-12 lessons; expanded curriculum in the University of California, California State University and community college systems; and an apprenticeship program that places mid-career professionals in state agencies.

“We have more vacancies than what we can field,” she said. “It’s finding the people that’s a problem.”

The California Department of Technology developed the road map with its partners in the California Cybersecurity Integration Center, or Cal-CSIC, a security operations center created in 2015 that also includes the participation of the Office of Emergency Services, California Highway Patrol and state National Guard. The plan is also meant to run in concert with an ongoing homeland security strategy, reflecting an emerging trend of state governments more closely aligning cybersecurity strategies with their broader security missions.

“That joint effort — one team, one fight — is really important,” Tong said.


Still, California’s IT governance remains decentralized, with every department setting its own priorities. Tong said the Cal-Secure plan doesn’t change that, but it will give agencies common benchmarks and expectations as government only becomes more digitized. It’s also expected to save the state money when budgeting for cybersecurity.

“Through the pandemic response, people are becoming more accepting of the fact that there are things we can do in a more standardized manner that are more effective and cost-efficient,” Tong said. “Where people have autonomy is specific business needs. When it comes to cyber, why is everyone having to reinvent the wheel on their own? I don’t know if consolidation is the right word, but standardization.”

The governor’s office said that since Newsom took office in 2019, the state has spent $260 million on cybersecurity, including a $21 million boost to CDT’s Information Security in the current fiscal year.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts