Mississippi lawmakers approve security operations center, centralizing IT services
If Mississippi Gov. Tate Reeves signs a bill that was sent to his desk on Friday, the state will form its first cybersecurity operations center, a response to an increasing number of digital threats targeting state governments, or what one Mississippi lawmaker this month referred to as “all this stuff going on around us.”
Both Mississippi houses this month approved the legislation to create a State Security Operations Center inside the state’s technology bureau, the Department Of Information Technology Services. The bill would create a cross-agency meeting point similar to those found in other states, “an operational arm of statewide cybersecurity,” according to a conference committee report, and an inlet for fresh cybersecurity talent.
Craig Orgeron, the state’s chief information officer and head of ITS, said in an emailed statement that the SOC’s creation “marks a significant step forward in our ability to protect the citizens and infrastructure of Mississippi from cyber threats.” He thanked the governor and legislature, noting that “together with our partners, we now have an operational foundation to detect, respond to, and recover from cyber threats more effectively than ever before. This is a shared responsibility, and we are ready to meet it.”
Rep. Bart Williams, a Republican who cosponsored the bill, explained in a hearing last month that cybersecurity “could be one of the biggest threats our state faces.” During legislative hearings, Williams said there was no question the state needed a SOC and that the only question was where to put it. He estimated the cost to the state would be roughly $3 million. Explaining the center’s placement under the state’s technology department, he noted that “we don’t need duplicity. We don’t need two or three SOCs. This would be a single one.”
Questions of how to organize IT in Mississippi have in recent months attracted greater attention from state leaders. A bill proposed this year by state Sen. Scott DeLano, a Republican, would have created a separate, new department dedicated to cybersecurity. When another senator asked DeLano whether such a department wouldn’t overlap with the work already being done by ITS, he replied that it was “an attempt to help on the law enforcement side.” That bill died in committee last month, but the SOC may be a workable answer to the same question: how best to coordinate many parties in response to quick-moving digital threats.
Mississippi’s governor this month approved another bill altering the role of Orgeron’s department — the Mississippi IT Optimization Act is the state’s latest stab at centralizing the administration of more of its services and reducing overlapping contracts across dozens of agencies. The legislation directs a council of agency CIOs to advise ITS on how to reduce duplicative services and to set standards that state technology systems must meet. Williams, who also co-sponsored this bill, estimated that a single consolidation — of 31 Microsoft email licenses — would save the state as much as $2 million.
Sen. Hob Bryan, a 73-year-old Democrat who has served longer in Mississippi’s upper chamber than any other member, last month said he was skeptical that the IT consolidation bill would succeed where other attempts have failed, pointing to the formation of ITS itself: “I think our procurement of computer services and technology is beyond dysfunctional.” Williams agreed that he had heard “horror stories” of Mississippi agencies struggling to procure new technology, but that “the ITS world is different than it was when a lot of statutes were put in place. … We have a federated model that we use in the State of Mississippi and IT is something that needs to be centralized.” In an email, Orgeron agreed: “We now have the authority and framework to eliminate duplication, modernize our systems, and deliver better services.”
If Mississippi is trying to centralize its cybersecurity operations and its technology services, it’s also trying to pool more of its data. A bill approved by the governor last year directed ITS to study how best to create a “statewide data exchange,” a task for which the technology bureau last September contracted the help of Gartner Consulting. In a presentation to a legislative committee this month, Usman Tareen, a managing partner for AI and technology strategy with Gartner, said that in interviewing 17 state agencies, he learned that while Mississippi was solid on data security, but that “because of that protectionism, it creates silos. … There is point-to-point data integration between agencies, but that’s basically replicating the same data from one agency to another agency. There is no fluidity of data movement between different agencies.”
Despite the keystone position that ITS will play in all three efforts — cybersecurity, centralizing services and enabling more data-sharing — Mississippi’s CIO is only the highest ranking official of ITS, not a Cabinet-level official who reports directly to the governor. A bill that would have elevated Mississippi’s CIO role died in committee this month, though it’s not clear why, based on the testimony given publicly during legislative hearings. (Orgeron declined to comment on this legislation.) DeLano, the bill’s sponsor, told members of the Senate’s government structure committee that he’d been working on the idea “for years,” inspired by widespread tales of frustration he’d heard from agencies dealing with cybersecurity and general IT issues. The “best way” to ensure technology is managed properly, he said, is to ensure the state’s top technology official is present “at the table at all agency head meetings.”
