VIDEO View footage of the CIO Forum County officials can no longer claim ignorance when it comes to cybersecurity.
That’s Robin Harlow’s position. As innovation and research manager for the Iowa State Association of Counties, he keeps track of a state that counts roughly three-quarters of its counties as rural, on par with counties across the United States. He feels there is enough familiarity in even those small counties to make any elected official functionally literate with keeping public data safe.
“I think we’ve had IT around long enough, and it’s all a part of our lives, at some point, the excuse that we don’t know anything about it, that it’s too complicated, it’s time to move past that,” he said.
That’s the kind of message he and other participants plan to bring to the Chief Information Officer Forum at the NACo Legislative Conference. County News spoke to Harlow and other panelists ahead of the forum to see what issues they thought were crucial in fortifying IT knowledge among county officials.
Harlow stressed a need to change strategy regarding awareness of cybersecurity issues.
“We have to stop trying to scare people into being cyber-vigilant and it’s not sustainable,” he said. “Our target is non-technical officers who don‘t have IT as a responsibility.”
The stretegy there, he said, is to focus on general policy and relate the narrative to something laymen do understand so they can make informed policy decisions. He feels IT personnel have plenty of information to offer, but need to find the right point of entry, for instance, comparing cybersecurity measures to insurance policies.
“You wouldn’t drive your car around without insurance, or maybe you’d just have liability insurance, but you would have protections in place,” he said. “You’d assess the value of your car, of your house, so you don’t over-insure them. You do the same thing with your data — don’t spend $100,000 protecting $15,000 in records, but don’t leave them vulnerable, either.”
He also insisted that proper information security is as much about policy as it is about technology, and as much an ingredient of success.
“Technology is not going to solve it because we’ve thrown a lot of technology at it and the problem hasn’t gone away,” he said.
On the way to aiding the effort with public policy, Mike Echols, director of the U.S. Department of Homeland Security’s Cyber Joint Program Management Office, will demystify the consequences of a recent presidential executive order promoting private sector cybersecurity information sharing.
“State and local government leaders see a great opportunity for information sharing and analysis with the private sector,” he said. “They just don’t understand yet how these policies are being developed.”
The executive order lays a framework for information clearinghouses where the private and public sector can pool information about cyber attacks, vulnerabilities and fixes. Existing organizations, such as the Multi-State Information Sharing and Analysis Center, cater to just government or private businesses.
Doug Robinson, executive director of the National Association of State Chief Information Officers, will focus on the issues his members identified as most important in his organization’s annual survey.
“Cybersecurity is number one, obviously,” he said.
He also plans to touch on the trend that sees governments moving away from the owner-operated IT systems toward a cloud-based service.
“Our services will be delivered differently than in the past,” he said. “That’s changing a little slower on the local level, but it’s hard to find some organization that doesn’t use some kind of third-party, off-premises service for its work. It’s a changing business model.”
As the amount of data about individuals becomes increasingly available, Robinson sees data analytics by governments as a huge growth market.
“We’re seeing a greater understanding and need for data at all levels to be used for decision making and also to effectively improve those types of services governments deliver,” he said. “Things like predictive analytics to see what people will be looking for and better ways to display that data.
Robinson also stressed preparing for the looming retirement of many government IT workers and illustrated the challenges governments would face in the process.
“Some states have 40 percent of their IT workforce ready to retire today, 50 percent by 2020,” he said. “And recruiting is hard, because we can’t pay as much as the private sector. State governments, similar to city and county governments, are not viewed as attractive places to work if you’re an IT professional.
“If you have a degree from a good program and you’re looking to start, you’re probably looking for a job at a Silicon Valley firm, some company that’s traded on the stock exchange and you can tell mom and dad you’re working for.”
Retaining talent is hard because of lack of opportunities and states are having trouble filling these jobs, particular in security and applications development.
“Recruiting reforms are necessary,” he said. “We’ve seen some states eliminate the civil service system so they can hire, and offer more money, something closer to a market salary for these jobs, but there’s a lot of pushback legislatively.”
The forum wasn’t planned to be all talk from the podium. Harlow planned to break participants into groups that included one IT manager for group exercises.
“We’ll give them a scenario — perhaps their payroll records were stolen—and ask them what they’ll do now,” he said. “It will get the IT people in a conversation with non-technical people and they can get comfortable working with each other. Hopefully that familiarity will be something they can take home and put to work in their counties.”