South Carolina agencies are rapidly approaching a major deadline for implementing information security controls this summer, and state privacy and security leaders believe they’ve made the kind of culture changes necessary to meet that target.
At a panel discussion at the International Association of Privacy Professionals’ Global Privacy Summit, state officials detailed their work to educate staffers in South Carolina’s 70 different agencies about how to make data more secure ahead of the July 1 deadline mandated by the Division of Information Security.
Chief Information Security Officer Marcos Vieyra said those standards are aimed at encouraging agencies to consider privacy and security issues from the start of any project, making them crucial for the state’s security going forward.
“We set a bar, recognizing that there wasn’t a bar before,” Vieyra said. “We had to pick somewhere to start.”
Indeed, Vieyra noted that South Carolina has worked tirelessly to improve its information security since a massive data breach at the state’s Department of Revenue in 2012 exposed the Social Security numbers of 3.6 million people. Lawmakers created Vieyra’s Division of Information Security in 2013 specifically to help prevent similar breaches.
“The state was taken to the hospital via ambulance after the 2012 breach,” Vieyra said. “We realized collectively that we needed to make cultural changes.”
But Vieyra hasn’t been alone in these efforts. The state’s security overhauls included the creation of the Enterprise Privacy Office and installation of a chief privacy officer to lead the new group, and Theodora Wills has stepped into that role in recent months.
“To me, it’s all about helping agencies understand that this is a journey,” Wills said. “It doesn’t stop when you reach some compliance standard, it’s constantly evolving.”
Wills and Vieyra agreed that the most challenging part of this process has been changing how people think about privacy and information security. While both have begun running frequent training sessions for employees about how and when to collect and share data, they lamented that those sorts of lessons aren’t any good if people don’t take them to heart.
“I can’t be there when you press that button or agree to share that data,” Wills said. “There needs to be constant awareness, knowledge and accountability.”
[Read more: South Carolina recovers, learns from data breach]
However, Vieyra said he thinks his team has had the most success in getting people to think about privacy by developing tailored privacy and security standards for each agency.
“We’re not going to expect that every agency does things the same,” Vieyra said. “We’ve been trying to go in and understand individual requirements.”
Part of the evaluation process for each agency includes examining whether their processes for collecting data make sense, Vieyra noted.
“Often, I tell them, ‘You’re collecting more data than you need,’” Vieyra said. “Your first response may be, ‘We’ve always done it that way,’ but over time the initial pain of change will be replaced with the gratitude and satisfaction of appreciating you didn’t need to do it this way and realizing it’s less effort and more cost effective.”
He added that state lawmakers were “generous” in providing the division with a budget to not only buy and use their own privacy and security tools, but help other agencies do the same.
“We can give agencies some tools out of our budget, show them how to use them, which helps make the transition easier,” Vieyra said.
Those sorts of efforts have helped agencies make strides that Vieyra and Wills see as significant, particularly with the July deadline looming.
While Wills cautioned that the state is still just in the “infancy stages” of developing a robust privacy program, she’s still optimistic about the security of South Carolina’s data going forward.
“We’re coming to a better understanding of this as we mature as a privacy program,” Wills said. “The breach happened in 2012, it’s 2016 and we’re still thinking about it and how we can improve.”
Contact the reporter at firstname.lastname@example.org, and follow him on Twitter @AlexKomaSNG.