Changing IT Awareness in State Governments

By Kim Boatman

Tom Jarrett's message rumbles through the streets of Delaware and pops up on restroom walls in state government buildings.

Jarrett, the CIO for the state of Delaware, is determined to spread awareness about the importance of IT security. His office has even launched a marketing campaign, wrapping public buses in advertising and hanging posters in restrooms.

"The key is to educate, educate, educate," says Jarrett.

As more and more personal information is submitted online and maintained in digital records, Jarrett and other state CIOs find themselves confronted with the sorts of data breaches and security threats faced in the private sector. However, according to Nebraska CIO Brenda Decker, the threat can be even more perilous because of the range of personal information states collect.

"One of the things I always tell people when I am talking to them about security and state government is that we are one of the few entities that knows everything about you," she says. "We know where you live. We know who your family members are. In some cases, we know what your health problems are. We have a special responsibility to protect that information."

State CIOs are charged with a gargantuan task: educating state employees so that everyone understands IT security is part of their job description and changing the culture of state government so that security awareness is part of everyday business. If the task isn't undertaken or done well, the costs can be high.

A single laptop carelessly left unattended can result in a data breach compromising the information of millions of taxpayers. A recent brief from the National Association of State Chief Information Officers (NASCIO) outlines the consequences of such a crisis: unfavorable publicity; tax-dollar expenditures for items such as credit monitoring for the victims; a loss of public trust; an unwillingness of citizens to utilize e-government services; and lower approval ratings for elected officials because of poorly managed security and/or poor crisis management.

It's an ongoing battle, but there are a number of steps public sector CIOs can take to improve IT security.

  • Get elected officials on board: It's critical to engage state officials across all branches of government. First, if they're engaged, they're more likely to require employees under their direction to follow through with training. Second, it helps ensure a source of funding for programs. Jarrett began with a cabinet-level presentation that garnered such support that the governor requested all state employees receive the training. Support at high levels of state government sends a signal to both employees and citizens, says NASCIO, about the significance of IT security.

A presentation to employees that outlines the consequences of a data breach can underline the importance of a proactive approach.

  • Raise awareness and conduct training: This is probably the single most important undertaking for state CIOs. NASCIO reports that a recent study found that the number of incidents of compromised records resulting from internal breaches outnumbers incidents from external threats by a four to one margin. "We've been so concentrated on the hackers and the outside threat, we forget about the internal threat," Decker says.

Awareness and training must be pervasive and ongoing, says Jarrett. His agency just spent a year ensuring that state employees were trained in IT security. Employee turnover means the job is never done. And in some cases, it's also important to make sure private entities contracting with the state receive training as well. CIOs must also determine the form of the training -- states such as Utah offer online courses -- and the very language used. If the tone of the presentation is too technical, it can turn employees off. Some states, such as Delaware, approach the job as a marketing campaign. Jarrett believes it's important to educate the public, as well as employees, about the importance of security, which is why the state has started an advertising campaign on buses.

  • Collaborate across agencies: State CIOs might need to partner with other state agencies, such as human resources officials, as they prepare and implement training programs. In the state of North Carolina, the CIO's office collaborates with the personnel department, offering aspects of IT security training in conjunction with an executive assistant training course, according to NASCIO.

It's important to involve IT officers and staff in all agencies, says Jarrett. Typically, state governments will have multiple network administrators. "The network administrator has the keys to the kingdom," Jarrett says. In Delaware, network administrators must complete a class and pass a test.

  • Change the culture: The thinking of employees must change, so that if they lose a piece of equipment, they ask themselves what the security implications will be. The message of IT security must be repeated -- and adjusted to the latest threats -- so that it becomes ingrained. Accountability through employees' performance evaluations is one method suggested by the NASCIO brief.

  • Inventory and audit: Knowing what sensitive information state agencies possess and just where and how the information is stored is basic to good security. An inventory can also identify users who need to receive training. Auditing compliance with IT security policies is also useful.

For CIOs, increasing awareness and preventing the loss of sensitive data are ceaseless responsibilities. Most important, says Jarrett, is passing along the message that it's not just their job.

"I -- as a CIO -- may be able to put tools in to stop a lot of it, but I can't do it alone," he says. "Most employees don't realize they're an integral part of the first line of defense."

Kim Boatman is a freelance business journalist in Silicon Valley, Calif. She spent more than 15 years reporting for the San Jose Mercury News.

Fast Fact

Some states approach IT security with full-fledged marketing campaigns, even using outside advertising firms to develop brands and logos.
