Both interviewees were featured in our recent guide, Understanding State and Local Government.
It’s often true that throwing money at a problem won’t solve it, but sometimes it does help, at least when you have a multiyear (expensive) strategy that you need to implement effectively. That was the case for the state of Colorado. Through determination, proper funding, and a plan, Colorado’s Office of Information Technology (OIT) made tremendous strides in upgrading its cybersecurity protocols.
Deborah Blyth, Chief Information Security Officer, and Tauna Lockhart, Chief Communications Officer, for the state of Colorado sat down with Emily Jarvis on GovLoop’s State and Local Spotlight to share their success story.
A Consolidated Effort
OIT wasn’t always a consolidated effort. Previously, IT security protocols and management were siloed among different agencies with different leadership. Some agencies had their own information security officers, as well as their own varying levels of security awareness, understanding, and usage of technologies.
However, OIT is now a consolidated IT services department that oversees seventeen executive branch agencies in Colorado. By standardizing how the office approaches security and how it manages risk across the executive branch agencies, it now has “a team in place that’s able to assess risk consistently across these agencies, bubble it up to the right level of management and makes decisions on how to continually reduce the risk,” said Blyth.
Additionally, Colorado’s OIT created agency risk report cards that openly show agencies how they are performing from a risk management perspective against their peers and against the office’s enterprise goals. “It’s been a great tool for us to create open dialogue and to make effective risk based decisions. We’ve also been able to garner some partnership for risk reduction in a consistent manner,” Blyth said.
A cybersecurity framework is a must for all states. “A breach is not something that might happen or could happen. It is something that we will probably experience,” Blyth stated.
She explained Colorado’s push for improved security, which began with implementing the Center for Internet Security’s (CIS) CIS Controls for Effective Cyber Defense. “This gives us a framework to make sure that we are putting the right security controls in place to help us fend off the most common types of attacks and to be in a position to be able to fend off emerging types of attacks,” Blyth said.
In addition to textbook solutions, the state has also undergone several cybersecurity exercises in which they have tested the internal security incident response plan and their overall statewide emergency response plan with a cyber component. That way, Colorado’s OIT can use their “muscle memory” in the face of a real incident.
These efforts wouldn’t be possible without one other key ingredient, however. “One of our historic challenges has been funding,” Lockhart said.
From a budget of six thousand dollars in 2012 to a current annual budget of five million, Colorado has been able to follow through with its multiyear strategy and promised prevention exercises. By putting together the Colorado Information Security Advisory Board, which then helped create Secure Colorado (the state’s strategy plan for each fiscal period), the state was able to strategically implement security improvements.
That plan proved critical to acquiring funding for future security. To get such funding, Blyth suggested that other states similarly take the initiative to create a multiyear strategy, because leaders “want to know that they’re funding a program that is well thought out and strategic.”
Maintaining the Workforce for Success
Marketing the work done at OIT seems to be key in maintaining the workforce for success. “It’s really about recruiting and advertising the environment in a way that appeals to the newer generation of workforce. They want a job that means something. They want to have an impact that’s broader than just a paycheck,” Blyth said.
Blyth’s office also conducts cyber exercises with the Colorado National Guard, which offers employees chances to interact with military groups who are focused on cybersecurity. And if that isn’t enough to entice people to join government’s work on cybersecurity, they should know that the office has a “public facing immediate touch-point with people across the state, daily,” Lockhart highlighted.
The office manages the public safety communications network for the state, covering everything from digital trunked radio systems for first responders to operability overall, with two hundred and three towers for use by the state patrol and firefighters. “When you’re serving seventeen agencies with different public facing missions, the breadth and depth of work that we do affords incredible opportunity for those coming into the workforce to actually make a difference with their work,” Lockhart said.
Consolidation brings a lot of responsibility under one roof. But well-thought-out plans can lead to increased funding, and more funding can help implement the proposed plans efficiently and effectively. Colorado’s OIT is proof of that.