After a six-month search for a new chief information security officer, the State of Florida has hired from the inside, officials from the Agency for State Technology confirmed to StateScoop Thursday.
Thomas Vaughn, who most recently served as the CISO for the state’s Department of Corrections (DOC) and has spent more than 25 years working in IT security, has been Florida’s new statewide CISO since Dec. 1. Charged now with leading IT security operations across state government, Vaughn replaces former state CISO Danielle Alvarez as the current iteration of the state technology agency’s second-ever CISO.
Having led IT security in Florida DOC, an organization of approximately 25,000 employees, Vaughn told StateScoop his background in security in an organization of that size primed him for managing security at the larger state scale. A prison is kind of like a miniature city or state, he said, because it serves a population with its own set of critical services.
Coming into an organization that has now been without a full-time CISO for six months, Vaughn said Florida has some challenges to face, but nothing “out of the norm” or “extreme.”
Though familiar with government from having worked with school districts and city government through former IT and intelligence positions with the U.S. Coast Guard, he said one of his first tasks will be to better understand how state government operates. Florida state government has “a lot of good people,” Vaughn said, and the state’s IT security concerns will be addressed as a matter of routine.
In early 2017, a state auditor’s report showed that AST had incurred 12 violations, including several security violations, such as systems permissions for some state employees that the auditor deemed illegal. AST Executive Director and State Chief Information Officer Eric Larson told StateScoop shortly after the auditor’s report was released that his office was following the direction of the auditor’s office to fix the violations.
Larson, who will now have help managing IT security, told StateScoop in an email that Vaughn brings a unique perspective to the security role.
“He has over 25 years of experience in information security, cyber intelligence analysis, and systems/network engineering at various levels of government; including the military,” Larson noted. “He is focused on increasing collaborative efforts related to intelligence sharing and analysis which will assist the statewide IT security community.”
While Vaughn said he intends to continue the path established by the former CISO through the state’s strategic security plan, he said he also plans to put his own twist on the position, emphasizing “cybersecurity threat intelligence, collaboration, and information sharing.”
Centering security operations around people, Vaughn said, will also be central to his strategy.