West Virginia’s new chief technology officer says he’s taking a ‘risk approach’

Joshua Spence, previously the chief information security officer, wants the state to make cybersecurity a bigger consideration before making big IT decisions.
Getty Images

As West Virginia’s chief information security officer, Joshua Spence was responsible for overseeing the state’s cybersecurity postures and incident-response plans. He got a much bigger job Monday when Gov. Jim Justice appointed him chief technology officer — the top IT job in the state — but in an interview with StateScoop, Spence said cybersecurity and risk management will continue to be his primary areas of focus as he takes on a broader portfolio.

To Spence, the way government acquires technological assets can undervalue security in favor of cost and speed.

Joshua Spence

Joshua Spence (Joshua Spence)

“How did technology come about?” he said Thursday. “It came about as a business enabler, something you should get a return on investment from. To maximize return on investment, you need it as cheap as possible, you need to have it as fast as possible. Unfortunately, what’s happened around us is that the weakness inherent in these devices when you don’t practice strong cybersecurity is that the threat continually grew to where we are today.”


To mitigate that risk across a state government that employs about 36,000 people, Spence said he’s going to take a “risk approach” to his new CTO duties, evaluating the potential cybersecurity pitfalls before agencies make their big IT purchases.

“Let’s pretend I’m the fire marshal,” he said. “Ask me if the building is fireproof. So what do we do to prevent a fire? We put responsive measures in if there’s a fire. That’s exactly what cybersecurity needs to be. Of course it’s far more complicated than protecting a building from a fire, but the core principles of risk management still apply. That’s a very important lesson that can demystify cybersecurity within the state government.”

While cybersecurity is perhaps Spence’s biggest area of focus, he said he’s not pulling double duty. Danielle Cox, a manager in the information security office Spence ran for more than three years, will fill in as West Virginia’s acting CISO, he said.

Beyond security, Spence said he’ll also be working on modernizing West Virginia’s enterprise system to make the CTO’s office more of a broker of services, continuing a consolidation push that got underway during the tenure of his predecessor, John Dunlap, who retired this month after more than 30 years with the state government.

“One of the areas we’d love to look at is where we can make some changes in personnel management,” he said. “Or look at purchasing. How can we stay in line with procuring like government should but at the same time maintain an advantage so we get good deals.”


He said he’s also focused on public-facing projects, including an expansion of rural broadband connectivity, which he said is made tricky by West Virginia’s rugged terrain. The state last December offered $1.6 million to its counties to lay down new fiber, but West Virginia still ranks 43rd among states in terms of high-speed internet access, according to the Federal Communications Commission’s most recent broadband deployment report. That’s a ranking Spence would like to improve, both for the state’s residents and its economic profile.

“We want to figure out ways we can be creative to get that out there,” he said. “Whether it’s just for quality of life or to drive business, we need to get that connectivity out there.”

Similarly, Spence said he’d like to develop more digital government services.

“People want digital government services, and we’re finding more opportunity to provide those,” he said. “We want them to be consistent and predictable and have the same flavor so they’ll be more accepted. That way it resonates better with the citizens.”

Along with his previous job as CISO, Spence is a member of the West Virginia Air National Guard, in which he serves as a cyber operations officer, a role in which he continues to serve, he said.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts