West Virginia gives CISO greater authority to lead statewide cyber program
West Virginia Gov. Patrick Morrisey on Thursday approved legislation designed to strengthen the state’s cybersecurity and grow the authority of its chief information security officer, a role currently held by longtime state IT staffer Leroy Amos.
The bill directs the state’s Cybersecurity Office, led by Amos, within the state’s Office of Technology, to standardize the state’s approach to cybersecurity. Amos is tasked with developing statewide cybersecurity policies and standards comprising a “framework” that ensures uniform compliance with the industry’s best practices. While discussing the bill in Charleston in recent months, state lawmakers claimed that much of West Virginia’s cybersecurity activities are the product of disparate, ad-hoc efforts, not carefully managed by a central authority keeping an eye on compliance across agencies, though the IT office has partially disputed this criticism.
The bill’s enactment drew approval from the Alliance for Digital Innovation, a Washington nonprofit that advocates for laws and policies “that contribute to the development of a modern, 21st century digital government,” according to its website. In a letter to the governor urging his signature, Dan Wolf, the Alliance’s director of state programs, noted the legislation’s “thoughtful and forward-looking approach to managing cybersecurity risk” and its accommodation for “the shared and interdependent nature of cyber risk across agencies.”
Wolf noted that the bill “ensures that software licensing practices do not restrict the state’s ability to deploy solutions on the infrastructure of its choosing, helping to prevent vendor lock-in and promote flexibility, competition, and cost efficiency,” a nod to one of the bill’s amendments, after concerns arose that new cybersecurity standards, too rigidly administered, might hamper the state’s hardware or software options. “Effective cybersecurity requires centralized governance, clear standards, and sustained oversight,” Wolf wrote, “and this legislation delivers all three.”
The bill — sponsored by Daniel Linville, the Republican assistant majority whip in the state’s House of Delegates — was brought to the legislature at the request of the state’s Department of Administration following an audit last year of the state’s IT office. A report, entitled “The West Virginia Cybersecurity Office Has Not Fulfilled the Legislative Mandate of Developing a Statewide Cybersecurity Program,” informed the state’s legislative leaders that the state’s cybersecurity office had, in fact, not developed a statewide cybersecurity program to its specifications, despite having spent $1.3 million on contracts “to develop a Cyber Risk Program and obtain Governance, Risk, and Compliance (GRC) software.”
“Although the Cyber Risk Program was completed and approved, WVOT did not fulfill the statutory requirement to implement a statewide cybersecurity framework. The lack of rollout and reporting represents noncompliance with legislative intent and leaves the State without a coordinated cybersecurity structure,” read the report, drafted by the Performance Evaluation and Research Division of the West Virginia legislative auditor’s office.
In its response to the audit, the Office of Technology said the agency “always operated an effective statewide cybersecurity program that included risk assessments and reporting.” But the office, led by state Chief Information Officer Heather Abbott, also admitted that “incidents are occurring” and that the cybersecurity program it was administering “did not match the documented approach laid out in statute,” with cybersecurity risk reporting standards among the most noticeable omissions.