, ,

New Colorado CIO Talks Cyber Challenges, Cloud Adoption

This Q&A is part of a GovLoop series called “CIO Conversations.” Here, we’ll feature conversational interviews twice a month with current and former federal, state and local chief information officers to get to know the people behind the titles. You’ll learn about the perks and challenges of their job, how they ended up in their current position, what’s top of mind for them, how they’ve rebounded from setbacks and more.

State and local governments need to keep up with an ever-evolving technological landscape to meet citizen expectations. Cybersecurity issues, hiring and retaining top IT talent, and data governance are some of the challenges they face.

Theresa Szczurek, Colorado’s new Chief Information Officer (CIO), spoke with GovLoop about how her state tackles these concerns. After a career in management and technological entrepreneurship, Szczurek assumed the role of CIO on Jan. 9 as part of Gov. Jared Polis’s new cabinet. She now oversees more than 900 employees who handle a wide range of work from 70 different locations across the state.

The interview below was lightly edited for length and clarity.

GOVLOOP: What are your top priorities as state CIO?

SZCZUREK: My first priority is to support the vision of Gov. Jared Polis and the new administration. Jared Polis is an interesting governor. He has quite a high-tech entrepreneurial background, and he’s also served in the U.S. Congress as a representative for a certain district here in Colorado. So, he came in with an agenda. He’s focused on cost reduction, consistency, reducing errors, and being joyful in our work, which I love. And so he’s doing some things which tie in with our Office of Information Technology.

During his State of the State address, for example, he talked about broadband and his priority to make sure that all people in the state, regardless of location, will have broadband access. And so the office was created a few years ago to really expand broadband coverage. Our goal is 100 percent rural access to broadband by December 31, 2020. This is really important work because it’s really advancing Colorado’s economic growth and competitiveness.

We also see it as allowing schools, which is one of our channels, to have access and provide better educational opportunities. We’ve been doing pretty well. Currently, 98 percent of Colorado schools are meeting the Federal Communications Commission’s minimum bandwidth goal of 100 kilobits per second, and that’s been upped since 4 percent from last year. One of the crucial things that is making this happen is having funding to allow these rural communities to implement broadband.

GOVLOOP: I’d like to know how those initiatives address some of the biggest cybersecurity challenges that you face in Colorado, as well as address local needs.

SZCZUREK: Well, cybersecurity is on everybody’s mind and is a top priority to keep our state systems secure. We have a Chief Information Security Officer and a staff that is working to ensure that the 8.4 million security events the state of Colorado gets per day are deflected.

We have a whole program that is working constantly to respond to this but also be very proactive. We have something called the Backup Colorado initiative, which we used last year in a cyber crisis. It turns out in February of 2018, the Colorado Department of Transportation was attacked by SamSam ransomware. Because of the platform we have in place, we were able to recover up to 80 percent of data within just four weeks. No data was lost, no ransom was paid.

We take this very seriously. We’re inserting two-factor authentication as an added extra layer of security. We are educating state employees. Believe it or not, one of the biggest risks when it comes to cybersecurity is employee negligence and bad habits. We have quarterly cybersecurity trainings to promote good cyber habits, like just putting your machine into sleep mode when you’re not at your desk.

GOVLOOP: So what impact does cybersecurity have on Colorado’s workforce? In terms of cyber hygiene, training and recruitment. 

SZCZUREK: Colorado is respected nationally for our cybersecurity work. We have been going around the state, to NASCIO [National Association of State Chief Information Officers] and other organizations, and were invited to share what we’ve learned. This is attracting people who are really talented to think, wow if I’m going to pursue a career in cybersecurity, I want to consider working for the state of Colorado.

We’re also educating the next generation of college students. We actually have a whole group of them on site today, and we’re teaching them about the importance of careers in cybersecurity and how this is a job that gives you great security in the sense that you’re always going to be in demand.

We’re always looking at our policies, we’re training our people, we’re going into the broader community. Our employee performance plans, for example, include cyber training requirements, because it’s important that everyone understands how they can take little and big steps to protect this most critical resource.

There are not only the computers, the hardware, but there are also the databases and all of the data. We actually have a Chief Data Officer in our organization who is looking at the data that we have. Some of it is posted publicly on a website that people can get access to because this is an asset of the people of Colorado. It is our responsibility to protect it. Now there’s certain proprietary information like HIPAA and personal information that is not public, but we’re also protecting that so that you don’t get a disaster like any of the increasing number of companies that have been attacked.

GOVLOOP: What are some best practices in cybersecurity that you’d recommend to other government officials?

SZCZUREK: I think you should have the 20 Center for Internet Security (CIS) controls in place, and then figure out what programs are best to implement considering the individual needs of your government. We have programs in place that protect our inventory of equipment both actively and passively, and we’re actually doing continuous vulnerability management so that we risk rate certain vulnerabilities, and then we prioritize based on the potential impact, for remediation. We have certain scanning tools that allow us to keep our pulse on what’s happening.

At a very practical level for our employees, we have a policy protecting from phishing. We say don’t click. If you receive an email that’s suspicious, just delete it. Do not click on anything in the email. You know some emails are created to grab information or install malware, regardless of where you click in the email. Some scams even come by phone call. We make our employees aware that if you receive a suspicious phone call, hang up immediately. You would be surprised to know the information that an attacker could gain through something like that.

We use extreme caution when connecting a USB drive to a state computer. Malware and viruses are often transferred easily through USB drives. We’re also very careful about what software is added to our state computers, and we have a whole approach. We want people to just think about security in everything they do. A minor mistake can have really far-reaching security impacts.

GOVLOOP: How would you see new technologies, like cloud computing and analytics, improving the way employees work and also benefiting citizens? 

SZCZUREK: Advanced technology is very important. We are working to modernize our systems and lead technology innovation. We have developed this Cloud First strategy now, where we have multiple cloud migrations underway. The biggest and first one is the Colorado Benefits Management System, which is a huge system that has been moved over to a third-party cloud, Amazon Web Services, so that we can improve the user interface, use more efficiencies, and provide eligibility for medical, food and cash assistance benefits.

This has been really important with the government shutdown, especially when Gov. Polis announced that he was going to deem federal workers who were forced to work without pay as unemployed. We were able to aggressively move in an interagency project to get over 200,000 SNAP [Supplemental Nutrition Assistance Program] applications processed by the January deadline, so these people could qualify for food assistance.

GOVLOOP: What would you say is the state strategy for hiring and retaining talent, and how are you incorporating social media into that? 

SZCZUREK: We definitely know that we need to have top talent and keep them trained. One of the things we’re doing is providing an internship program, which is available now for students, or even people out in the industry who might be looking for a change. But we also have a veteran’s program where we’re working to bring in vets and hire them to get involved in information technology.

Another thing we do is communicate the kind of good work we’re doing. We go out and speak, we bring students on site, we post on social media. We post on our website. We have a multifaceted strategy, which includes everything from word of mouth through the use of advanced technologies.

How is your state dealing with technological challenges? Let us know in the comments below.

Photo Credit: OIT Colorado Twitter

Leave a Comment

Leave a comment

Leave a Reply