NASCIO's organizational site states that its "mission is to foster government excellence through quality business practices, information management, and technology policy." The National Association of State Chief Information Officers (NASCIO) is a nonprofit association that represents "state chief information officers and information technology executives and managers from the states, territories, and the District of Columbia." The primary members are state officials who have "executive-level and statewide responsibility for IT leadership."
Firms from the private sector can join as corporate members and participate in NASCIO's Corporate Leadership Council. NASCIO corporate members include such household names as Amazon Web Services, Dell, HP, Microsoft, J.P. Morgan Chase and Oracle.
Himself a veteran of state government, Doug Robinson served as Executive Director of the Kentucky governor's Office for Technology prior to joining NASCIO in 2004. He also led the Kentucky Information Resources Commission and the Kentucky Office of Geographic Information.
- It's harder to be a state CIO: the political landscape, governance issues and competing business units make the job more complicated than in the private sector
- In state government, IT is for the most part considered a cost center; it is not seen as transformational
- Many state CIOs run "charge-back" organizations—they don't receive direct tax dollars but rather charge other state business units for their services
- State-level IT cross-jurisdictional collaboration is often at the local level: municipal governments, counties and school districts. Projects also include other states and universities
- States can negotiate master price agreements to benefit local institutions. They can also open up existing services, such as providing cloud solutions to cities
- On the project side, governance in cross-jurisdictional collaboration is a challenge.
- State to state example: Michigan is sharing its Medicaid management information system with Illinois
- Change in state IT will not happen overnight: "their plumbing is tied up in knots," current bureaucratic rules do not facilitate development
- States are adopting cybersecurity frameworks based in large part on NIST, and also on SANS 20 Critical Security Controls
- States have large, dispersed workforces. Creating a culture of information security is important
TechRepublic: How would you describe the difference between being a state CIO and being a Fortune 500 CIO?
Doug Robinson: It's much more difficult to be a state CIO. I will tell you the majority of our state CIOs come from the private sector. And I think they would probably concur with that, for a variety of reasons. One is obviously the political landscape. But more importantly it is that you don't have the governance and authority that's available to you in the private sector where IT governance is much more crystallized and clarified.
In a large private sector corporation, you have a CEO and a clear bottom line. In state government there are multiple bottom lines. And it can be very challenging to execute on an enterprise strategy when you have competing interests. You certainly have competing interests in various state business units, but one of the things you always have is a CEO, who in some cases can be omnipotent in terms of direction and driving it. That's very challenging for a governor to do because of the various political dimensions, and the fact that even though the governor is the CEO of the state, you don't always have the various lines of business marching to the same tune.
In a private company you have a focus on the customer, the customers are your target. In state government you often don't know who your customers are. And it's very difficult because you have such variety—you're juggling lots of balls in terms of the state CIO agenda. And even though we have states that are a little more mature in the space of IT as a cost center, for the most part in state government IT is still considered just a cost center. It is not considered transformational, it is not considered part of the entrepreneurial aspects of the business.
Half of our CIOs are cabinet officials. All of them are appointed, by the way. That's another difference. The average tenure right now is 26.1 months, a very, very big difference with the private sector, where the average tenure is 4.9 years. So the average in state government is just over two years. That's less than half of the tenure compared to the private sector. They are often challenged to get a lot done, and they certainly don't have the spend.
There are a lot of differences, and there are similarities in terms of the leadership requirements and the ability to communicate effectively, negotiate, collaborate, and work with business units. State CIOs operate, and I'm going to generalize here, 100 percent charge-back organizations, meaning that they get no direct budget dollars. 100 percent of their budget comes from charging other business units in state government for their services. So they are operating an internal service bureau, they don't get direct tax dollars, they get dollars on the charge-back. That creates some tension as well, a lot of challenges, and a lot of great opportunities to transform state government.
You have a lot of various governance models, from highly centralized, to highly decentralized, and it can cause difficulties. Most states have what I would call a federated model, so you have joint governance, joint decision-making. But it's often difficult to have a true enterprise environment. All states aspire to that, but every state is different, and one size does not fit all. That's one of the challenges. CEOs are interested in the ROI, governors are often interested in the ROV, that is, return on votes. It's a different perspective.
TechRepublic: In the survey, it says that three quarters of CIOs include cross-jurisdictional collaboration on their strategic agenda, and another 20 percent are considering it. What are the jurisdictions that we are talking about here, and then what are the barriers to collaboration?
Doug Robinson: Many of the jurisdictions would be considered local—local governments and institutions, cities, counties, and special districts. We have a lot of states that are providing services or are collaborating with local jurisdictions with their enterprise agenda. They can offer up services and can also provide contracts. As they negotiate for enterprise-wide contracts with suppliers and vendors, they often obtain master price contract provisions which allow local governments and school districts and others to procure off of those.
They essentially provide the opportunity through a master price agreement, so the state can leverage its buying power as the anchor tenant, so to speak, as a major buyer to reduce the cost. Then they can provide these same terms and provisions to local governments so they can more easily procure these services. And there are lots of examples of states doing that through a master price agreement on software from Microsoft or for GIS services and software. That's one simple part of the collaboration in terms of doing something like that.
The other is where they are actually providing services, like opening up a cloud server to local governments. There are lots of examples across the country where they have done that—Minnesota, Colorado, Michigan—many states where they are providing services. In Minnesota, they moved the entire executive branch of government to a cloud-based email environment. They opened it up, and now they have a number of cities in Minnesota that are already taking advantage of that. The city is essentially getting those services.
Michigan has the Great Lakes Technology Center. They are providing facilities for local governments. So things are certainly emerging around cloud solutions, and hosting—like extending their networks and allowing local governments and school districts to do that.
In Texas, they have master state price contracts. So they've gone out for competitive solicitations for things like laptops and desktops and they've put that on a commodity buying contract. Texas school districts buy thousands of computers off of that, because it has already been competitively bid. It's streamlined and they can get a much lower price point by collaborating with the state. There are lots of different versions of the cross-jurisdictional collaboration.
When you get into the actual project side, certainly governance is always a challenge around shared decision rights. And so if there are multiple states acting as host—that's the other side of cross-jurisdiction. We see lots of states doing that, or working with other universities. That always becomes an issue around who's the project lead. What about sustainability? Who is going to run the project? What about financing and cost sharing?
State to state, legal issues always come up, as well as questions about the data. If one state is working with another state, and one state will be the backup site, the lawyers usually get involved. The discussion is: "We're going to have State of X data residing in State of Y data center for backup, and we need to have a conversation about that."
I am sure there are going to be a lot of discussions over the next couple years around major projects. I don't know whether you've seen the news about Illinois and Michigan. Michigan has a relatively successful MMIS, a Medicaid management information system. Illinois needed a new one. Rather than buying a new system, Michigan actually is going to be a shared service provider and deliver the MMIS to Illinois. It's a huge collaboration, and the governance around that is going to be important in terms of the legal side. It's a hosted model but it's a very different solution from what we've seen in the past.
So this is a growth area. NASCIO has actually had for the past three years a cross-jurisdictional working group. There are local governments on it. NASCIO has written a number of issue briefs around collaboration. Why should these groups join up? What are some of the challenges? Certainly, what are some of the major opportunities?
Governance can certainly be a bear, but we've seen examples where they've successfully developed a governance model to manage the initial deployment. I think sustaining it over time is particularly important, especially if the players change. And that often happens—a CIO leaves and you want to make sure the collaboration continues.
TechRepublic: I live in Illinois, so anything that improves the state's delivery of services is a good thing!
Doug Robinson: Illinois is really trying to improve. They've done a lot on data center consolidation at the state level, to try to minimize the diversity and complexity of their environment. They've got some new initiatives around cloud and open data. Illinois has a number of things to really work on, but at least they have started to put some of the governance structure and policy framework in place.
I've been very impressed by what they call their "Illinois Framework," which is engaging a large number of health and human services organizations to come to a common approach on how to minimize the touch points for citizens to get all these services.
But it's not going to happen overnight. This is something that's been baked into the DNA of state government for 30 years. So you've got to uncouple a lot of the status quo discussions around the agencies, the lines of business and the stovepipes. Believe me, their plumbing is tied up in knots in many cases. Bureaucratic rules, and statutes and limitations—that is not going to be effective in the future.
TechRepublic: The report indicates that three quarters of the states are adopting a cybersecurity framework. Among these states, what are the commonalities that you see in this new framework?
Doug Robinson: Their framework is 80 percent or more based on NIST. They're focused on NIST as the foundational framework, because it is so expansive and provides so many touch points in terms of security. NIST is probably the most predominant framework the states are using, and then secondarily using PCI compliance on their sites for credit card data protection. They're also using the 20 Critical (Security) Controls from SANS.
Ultimately, that's what we talk about in terms of our five action items. Make sure you have governance and authority, make sure that you have adopted a framework, that you have a go-forward path by design. Make sure that you have articulated the vision, because you've got to accommodate a lot of things in the technology space, like mobile, like cloud, things that have the potential to cause harm. I think most states are not trying to reinvent the wheel, they're trying to appropriately adopt and refine what exists as a best practice.
As those things evolve we are following the revisions of the framework. We're going to be commenting on those. But again I think the states have to find the sweet spot in that. Part of that is implementing continuous vulnerability monitoring and real-time monitoring of networks. DLP (data loss prevention), some states are doing it more in that direction in a more expansive, enterprise manner. It can be a challenge.
In some cases you have the various lines of business, large agencies like health and human services that want to do their own thing. On the governance side, you've got to get all of them to sit down at the table and agree that they're all going to fall under, let's say, the same enterprise monitoring umbrella.
All the states obviously have perimeter detection, inbound threat detection. We have seen a five-fold increase in the past couple years in the amount of threats directed at states. And a lot of these in the last year have been very targeted spear-phishing attacks. They're coming inbound via email with embedded malware—they look very innocuous coming in. So that's not something that's going to be tracked. You just have to rely on secondary defenses, on cybersecurity training and a high degree of awareness on the part of employees.
And that's often difficult when you have 30, 40, 50 thousand employees. California has over 220,000 employees. A small-size state might have 12 to 15 thousand employees spread out across it. It's very difficult to make sure that you've got that down 100 percent. Creating a training platform and a culture of information security is really important.
One of the things you might want to look at—Dan Lohrmann, who is the state Chief Security Officer in Michigan, wrote a blog that I thought was really good. He's a real active member of NASCIO. He wrote a blog in GovTech.com on why security is back on top as a state IT priority. I think he identifies four or five really good reasons.
One of the things we've been talking about is the state IT workforce issues. And Dan has some pretty good ideas about the challenges there. Certainly, he's on the ground dealing with it every day, and I'm not.
TechRepublic readers can get acquainted with NASCIO's publications and research briefs on this page of their organization site.
Brian will do client work for AtTask.
Brian Taylor is a contributing writer for TechRepublic. He covers the tech trends, solutions, risks, and research that IT leaders need to know about, from startups to the enterprise. Technology is creating a new world, and he loves to report on it.