Chief information officers aren’t the only statewide officials pegging cybersecurity as their most pressing concern for keeping government operations running. A survey released this week by the National Association of State Chief Administrators, the group representing cabinet-level officials in charge of managing government services, found that its members named cybersecurity as their top focus area when it comes to managing risk.
More than three-quarters of respondents to NASCA’s survey, which was compiled by the consulting firm McKinsey & Company, said cybersecurity was a leading priority for their risk-management strategies, far outpacing the next two most common responses, employee safety and security of physical security.
But NASCA’s deputy director, Jamie Rodgers, told StateScoop these findings belie the overall role risk management plays for states’ top administrative officials. In fact, she said, risk management doesn’t crack the top ten when NASCA’s members have been surveyed about their overall priorities. But as ensuring continuity of government operations has become increasingly dependent on protecting digital assets, Rodgers said it’s not surprising that cybersecurity is dominating the risk-management conversation.
“If you look at statewide of all the risk issues, cybersecurity was the biggest issue,” she said. “If we would’ve asked this survey 10 years ago, I would’ve hypothesized they would’ve said employee safety and facility security.”
Overall, NASCA’s members — who are largely responsible for overseeing their states’ shared services, from IT to workforce management and government buildings — cite driving “innovation and change” and facilities-portfolio planning as their top priorities, with technology and digital government rounding out the group’s top ten list.
That administrative officers name cybersecurity as their greatest risk dovetails with findings compiled by other organizations that represent state-government officials, like the National Association of State Chief Information Officers. For several years running, cybersecurity has topped NASCIO’s annual list of priorities, and the topic dominated the group’s annual survey published at its conference last month. The survey found that 92 percent of state CIOs lead or participate in their governments’ cybersecurity policy setting.
In many state-government organizations, especially those where information technology is not a cabinet-level department, IT divisions report to chief administrative officers. But the connection between cybersecurity and risk management duties varies from state to state. The NASCA survey found that nearly three-quarters of states have a centralized risk-management function. In most of those states, the chief administrative officer acts as the top risk-management official, though a handful of states have created dedicated chief risk officers.
Yet those positions are not necessarily pegged to IT or cybersecurity. In New York, for instance, the chief risk officer is tasked with monitoring compliance with the state’s ethics and public-integrity rules; the Texas Office of Risk Management acts as an insurer and fraud-prevention counsel for the state government.
A few states have made a more direct connection between cybersecurity and risk management. The North Carolina Department of Information Technology employs a chief risk officer, Maria Thompson, to oversee the state’s information security and data protection practices. Connecticut had a chief cybersecurity risk officer whose role extended to evaluating the protections around the state’s utilities and other critical infrastructure, though that job is being transformed into a more traditional chief information security officer role following the departure last month of the inaugural office-holder, Arthur House.
Rodgers, though, said she expects the chief risk officer title to become more popular in state governments as risk management — led by cybersecurity — grows in importance for chief administrators.
“We’re trying to elevate the role of risk management,” she said. “CAOs should consider broadening risk management portfolios or seeking the appointment of a chief risk officer.”