Washington state Chief Information Officer Jim Weaver said Wednesday that the arrival of Ronald Buchanan as his office’s new top cybersecurity official was the final piece needed for an ongoing makeover that will allow the state’s technology office to regain the trust of the agencies it supports.
Ronald Buchanan, a former IT official with the Oregon Health Authority, was named Washington’s new chief information security officer earlier this month. With his appointment and Weaver’s as CIO last November, Washington Technology Solutions, or WaTech, has transformed its leadership after a few rocky years that left it with some “black eyes,” Weaver told StateScoop.
WaTech was audited in 2017 following complaints from some agencies that the technology office had not adequately sought feedback prior to new IT deployments. The CIO at the time, Michael Cockrill, disputed the auditor’s report, citing a months-long outreach campaign. The state auditor also critiqued the office for opaque financial practices, continued reliance on aging mainframe systems, among a host of other issues.
A review of WaTech’s budget published by the consulting firm Gartner last June concluded that “WaTech’s leadership and culture are laser-targeted on cost recovery which leaves little energy for focus or concern regarding customer needs or the quality of the services being delivered.”
Weaver told StateScoop in November that an IT organization should serve a subordinate role to the government’s businesses, and he repeated that notion in an interview on Wednesday.
“If the agencies aren’t able to do what they’re aiming to do, we’re failing in our mission and core values,” Weaver said. “Do we have our work cut out in front of us? Yes. But I think we’re taking the right steps and headed in the right direction.”
Weaver cited issues of transparency, cost-efficiency and his office’s ability to deliver on promises made to agencies as being among those right steps. He said WaTech is “chipping away” at those issues and others listed in Gartner’s report.
Changing the agency’s culture, as Gartner also suggested, will also be a key focus of Buchanan’s agenda, the new CISO said.
“At the end of the day, it’s all about people,” he said. “If people don’t understand why they’re doing information security, they will find ways to work around it.”
Buchanan said he began bringing a more managerial focus to security while working for the nonprofit technology development firm Battelle as a consultant to the FBI’s Criminal Justice Information Services Division. He said he worked with the division’s information security officer program, which works with law enforcement agencies around the country that rely on the FBI’s fingerprint database and other technological assets.
His time as the chief information risk officer and director of the Oregon Information Security and Privacy Office also reinforced that collaborative approach, he said. Reaching out to other agencies and then to other organizations across the state will be his first order of business in Washington, Buchanan said.
“My leadership approach I’ve set out is collaborate, communicate and innovate,” he said. “I want to foster that communication and understand the challenges and get a better feel for the gaps that are out there that folks are facing.”
Buchanan named three projects that he expects will occupy most of his time. The first is fostering a culture of security awareness. The second is monitoring security as the state moves more of its services and infrastructure to the cloud and mobile devices.
“Our journey to the cloud is commencing,” Weaver said. “It’s the next evolutionary step from a telecom perspective, from a compute perspective, and application modernization efforts will be underway. It’s a three-legged stool and security has its arms wrapped around all of it.”
Buchanan described his third project as “understanding what we don’t know.” He said his office will conduct a risk-based assessment to ensure the state is prioritizing security concerns to make the most of the state’s limited resources.
Weaver touted the state’s growing relationships with private businesses, military and universities to create more effective cybersecurity exercises.
“I think you’re going to start seeing some really good stuff emanating from the state of Washington and Ron’s going to be here to spearhead that and drive that forward,” he said.