LITTLE ROCK, Ark. — States must factor in security from the start of any new information technology project, but for that to happen, agencies must prioritize communicating with each other, several government tech officials said.
“Hopefully [cybersecurity] comes in at the beginning of the discussion,” Frank Andrews, chief security officer for Arkansas, said on a panel moderated by StateScoop at the National Association of State Technology Directors Southern Region conference last week. “Unfortunately, that’s not the way it always happens.”
For large projects, it’s easier, Andrews said. The state already has established a security architecture — a set of plans to bake security into new programs led by the Department of Information Systems, where the CSO position resides.
However, it’s when the state embarks on small projects that sometimes security falls by the wayside. To avoid that, Andrews said he stays in touch with the state’s customer relationship management office, which often guides other state agencies through the implementation of new projects.
Georgia Technology Services Officer Chris McClendon said his state’s security architecture applies at all levels of technology projects and is integrated from day one.
“Our customers have to submit a request for service for everything that they do,” McClendon said. “It goes through a formal design review process and the providers are incented to design it based on the security architecture.”
South Carolina, which experienced a massive data breach in 2012, is still working on establishing a formal security architecture and formal review process, said Charlie Zeberlein, the state’s manager of network design and planning.
“We’re looking to improve within our own organization,” Zeberlein said.
For a robust security architecture, executive buy-in and involvement are critical, Andrews and McClendon said.
“We’re pretty lucky that we’ve got a governor that’s security minded and we’ve got a director that’s security minded,” Andrews said. “Those obstacles are easier for us than they ever have been. I don’t know how you grow that without a time machine, but for now, just start where you’re at.”