Maryland Gov. Larry Hogan on Tuesday made appointments for two new positions developing cybersecurity policy across state and local governments.
The new directors of state and local cybersecurity will be responsible for building out policies to secure IT systems and data across their respective purviews. Both roles were created in a package of cybersecurity legislation Hogan signed in May.
Hogan named John A. Bruns, a former chief information security officer in Howard County, a suburban area between Washington and Baltimore, as director of state cybersecurity. In that position, Bruns will work with statewide agencies to “solidify and secure” state IT. He’ll also work with the state chief information security officer, Chip Stewart, on developing and standardizing information security policy across the executive branch in Annapolis, according to a press release from Hogan’s office.
Bruns was named Howard County’s CISO in early 2020 after several years as an IT project manager for the county government. He’s also been a consultant to the Maryland State Department of Education.
Hogan named Netta Squires, an emergency management specialist, as the director of local cybersecurity. Squires is tasked with working closely with the Maryland Department of Emergency Management on assisting county and municipal governments with their cybersecurity incident planning. She’ll also have a key role in overseeing the funds Maryland receives from the U.S. Department of Homeland Security’s new cyber grant program, Hogan’s office said.
Both Bruns and Squires will report to Stewart, who told StateScoop Thursday that “if I could pick anyone in the world” for the new positions, “these are the folks I’d have picked.”
Stewart also described their new jobs as “different and similar at the same time.” Bruns, he said, will largely focus on implementation of the state government’s cybersecurity strategy.
“His role is as we establish governance and best practices, how do we take those and cascade them across the entirety of the executive branch,” Stewart said. “He’s got a massive charge which is to take the vision and make it real.”
Stewart praised Bruns’ experience in risk management, particularly during his past work with the state education department. But he also said Bruns has the ability to translate highly technical subjects for agency leaders and others who might not be well-versed in cybersecurity. (Maryland CIO Michael Leahy has in the past stressed the need for IT officials to communicate “in plain English.”)
“These are roles where your primary mission is to win hearts and minds,” Stewart said of Bruns and Squires’ new positions.
Squires, Stewart said, brings “communication combined with depth in cybersecurity and tremendous depth in emergency management.” She’ll be working closely with MDEM, which is the state’s lead agency in facilitating the cyber grant program.
“Netta will be absolutely pivotal to help that get stood up and make sure the investments we’re doing are effective,” he said.
Like many other states intending to pursue a piece of the four-year, $1 billion grant program, Maryland is in the throes of establishing its required cybersecurity planning committee, writing a charter and preparing to submit its formal application to the DHS as a Nov. 15 deadline approaches.
Lingering over the grant planning is the program’s requirement that 80% of all funds states receive be passed on to their local governments, potentially meaning every recipient will not get much money overall — in Maryland’s case, about $11,000 per municipality, Stewart estimated.
Like many of his fellow state CISOs around the country, Stewart said he’s hopeful the grant program will allow states to redistribute that 80% in the form of shared services and purchasing agreements.
“There are a lot of tremendous opportunities for us to do things collectively,” he said.