State

Maryland CISO John Evans leaves state government

Appointed the state's first statewide information security chief in July, Evans has stepped down after four years with the state government.

By Benjamin Freed

September 30, 2019

Former Maryland CISO John Evans, center, at a U.S. Department of Homeland Security conference Sept. 20, with New York City CISO Geoff Brown and Global Cyber Alliance CEO Philip Reitinger. (StateScoop)

Maryland’s first statewide chief information security officer, John Evans, resigned last week after more than four years with the state government.

Reached by phone last week, Evans said was leaving for a new job opportunity, though he declined to say more. The Maryland Department of Information Technology confirmed to StateScoop that Sept. 24 was Evans’ last day with the agency.

Evans, a former program manager for multiple military IT contractors, was hired by Maryland in June 2015 as a deputy chief technology officer and CISO for the technology department, though his responsibilities often extended to further corners of the state government. As deputy CTO, he oversaw several projects for other agencies, including the early development of a cloud-based application to manage Maryland’s public-benefit programs.

Evans’ role became more pronounced in July, when Gov. Larry Hogan issued an executive order overhauling Maryland’s cybersecurity policy and elevating the role of DoIT’s information security officer to a permanent statewide position. As Maryland’s inaugural CISO, Evans was put in charge of a new Office of Security Management and the Maryland Cybersecurity Coordinating Council, an advisory board made up of several other members of Hogan’s administration.

At a cybersecurity conference hosted by the U.S. Department of Homeland Security earlier this month, Evans said Hogan’s order did not change his duties significantly.

“It didn’t change my day-to-day activities,” he said. “I was already the CISO for the Department of Information Technology.”

During that appearance, Evans also talked about how he had used his time with the Maryland government to gradually implement a statewide cybersecurity strategy, with the goal of getting the state’s systems in compliance with the framework issued by the National Institute of Standards and Technology, considered to be the gold standard for information security.

“We’re using a ‘crawl, walk, run’ kind of approach,” he said. “We’re starting with the Center for Internet Security’s top 20 [Controls and Resources], or even top 6. But certainly we’re trying to get to the full NIST framework.”

Evans’ deputy, Chip Stewart, is serving as Maryland’s acting CISO, a DoIT spokesman told StateScoop.