Idaho created a new role and is searching for someone to fill it — a “director of information security.”
Idaho Gov. “Butch” Otter made the announcement on Monday, saying the new position would report directly to his office and oversee the state’s cybersecurity strategies, staff training program and policy measures. The Republican governor approved the position, which will be the first of its kind in the state, as part of implementing a series of recommendations from the Cybersecurity Task Force formed in 2015 by Lt. Gov. Brad Little. That group comprises state agency directors and private sector specialists.
The director will serve the governor both as a technology adviser and as an IT risk manager. Job requirements: an understanding of the fundamentals of cybersecurity; negotiating skills to work with the legislature; technical ability to review potentially unsafe procurements; and the ability to receive a high-level security clearance to work with federal entities such as the Department of Homeland Security.
“This person will never talk to an agency that’s doing the right thing. … If an agency is doing the right thing through the chief information security officer or through their own department, this person may never ever talk to those agencies,” Little told StateScoop. “It’s the ones that are having trouble, the ones that don’t think it’s a priority, it’s the ones that let some third-party vendor sell them something that we see as not secure that this person will speak to.”
Last summer, a successful cyberattack on the state’s Department of Fish and Game left the personal information of hundreds of Idaho residents exposed to hackers. The multi-state attack forced officials to temporarily shut down online purchases for hunting and fishing licenses. Little said the event was an eye-opener that compelled the state to restructure and rethink how Idaho protects its data. He said he hoped the new director and Task Force recommendations would lay a foundation for better security.
“I appreciate the diligence and hard work of the members of the Task Force in addressing this critical and urgent issue,” Otter said in a release. “We learned this past year, firsthand, just how real the threat of cyberattacks is when the [Idaho] Department of Fish and Game’s licensing vendor was hacked. Having a comprehensive plan to protect the personal information of our citizens must be a top priority.”
State agencies are also ordered to implement a new framework that will detect and halt future attacks. State leaders will be required to submit employee training plans for review by the director, while the Administration Department and its Office of the CIO are planning to conduct yearly security tests on state systems and develop a cybersecurity website to share best practices for agencies and local businesses.
After the legislature decides on a salary for the new position — something Little said will happen soon — Idaho will begin its search. A spokesperson in the Office of the CIO said that the new director would not be managed or funded out of the office but would collaborate with state CIO Greg Zickau and his Acting Chief Information Security Officer Lance Wyatt, who replaced former CISO Thomas Olmstead on Jan. 13.
Little said these positions will be unaffected by the new role, which will serve as a risk manager for a broad array of departments and agencies.
“We have a lot of departments in Idaho where, in essence, there is an independent board as in the Department of Fish & Game, the Department of Transportation, Parks, and others, where by code and by initiative we’ve made them independent,” Little said. “And so collectively we’ve agreed that particularly — with advice from industry cyber experts — that this issue is so important that we needed somebody from the Governor’s Office to make sure we’re advancing and implementing the National Institute of Standards and Technology [security] standards — in purchasing, in negotiating with third-party vendors, in all those areas we need somebody from the governor’s office.”
State press secretary Jon Haines said the objective will be the same however the new director decides to collaborate with current IT leaders. The goal will be to improve cybersecurity defense for the state and stop would-be attackers.
“The threats are evolving and they’re multiple. It’s not just state actors that we’re dealing with, but it’s individuals, it’s people who are looking to make a name for themselves out there on the dark Web, and so the threats are many and they’re not diminishing and if anything they’re growing,” Haines said. “We’re trying to stay ahead of that curve, because in this business what you don’t want to be is the path of least resistance.”