It should come as no surprise that the same
disruptive technologies affecting business and consumer behavior are also
compelling changes in state government. Doug Robinson, Executive Director of NASCIO, recently
spoke with TechRepublic about the challenges of state IT and about the
progress that IT leaders are making in collaboration, in providing services to
local entities, in addressing information security, and in resolving legal and
regulatory issues across jurisdictions.

NASCIO’s organizational site
states that its “mission is to foster government excellence through quality
business practices, information management, and technology policy.” The
National Association of State Chief Information Officers (NASCIO) is a
nonprofit association that represents “state chief information officers and
information technology executives and managers from the states, territories,
and the District of Columbia.” The primary members are state officials who have
“executive-level and statewide responsibility for IT leadership.”

Firms from the private sector can
join as corporate members and participate in NASCIO’s Corporate Leadership
Council. NASCIO corporate members
include such household names as Amazon Web Services, Dell,
HP, Microsoft, J.P. Morgan Chase and Oracle.

Himself a veteran of state government, Doug Robinson
served as Executive Director of the Kentucky governor’s
Office for Technology prior to joining NASCIO in 2004. He also led the Kentucky
Information Resources Commission and the Kentucky Office of Geographic
Information.

Key takeaways:

  • It’s harder to be a state CIO: the political
    landscape, governance issues and competing business units make the job more
    complicated than in the private sector
  • In state government, IT is for the most part
    considered a cost center; it is not seen as transformational

  • Many state CIOs run “charge-back”
    organizations—they don’t receive direct tax dollars but rather charge other
    state business units for their services

  • State-level IT cross-jurisdictional
    collaboration is often with local entities: municipal governments, counties and
    school districts. Projects also involve other states and universities

  • States can negotiate master price agreements to
    benefit local institutions. They can also open up existing services, such as
    providing cloud solutions to cities

  • On the project side, governance in
    cross-jurisdictional collaboration is a challenge.

  • State to state example: Michigan is sharing its
    Medicaid management information system with Illinois

  • Change in state IT will not happen overnight:
    “their plumbing is tied up in knots,” current bureaucratic rules do not
    facilitate development

  • States are adopting cybersecurity frameworks
    based largely on NIST, and also on the SANS 20 Critical Security Controls

  • States have large, dispersed workforces.
    Creating a culture of information security is important

TechRepublic: How would you describe the difference between
being a state CIO and being a Fortune 500 CIO?

Doug Robinson: It’s much more difficult to be a state CIO. I
will tell you the majority of our state CIOs come from the private sector. And
I think they would probably concur with that, for a variety of reasons. One is
obviously the political landscape. But more importantly it is that you don’t
have the governance and authority that’s available to you in the private sector,
where IT governance is much more crystallized and clarified.

In a large private sector corporation, you have a CEO and a
clear bottom line. In state government there are multiple bottom lines. And it
can be very challenging to execute on an enterprise strategy when you have
competing interests. You certainly have competing interests in various state
business units, but one of the things you always have is a CEO, who in some
cases can be omnipotent in terms of direction and driving it. That’s very
challenging for a governor to do because of the various political dimensions,
and the fact that even though the governor is the CEO of the state, you don’t
always have the various lines of business marching to the same tune.

In a private company you have a focus on the customer, the
customers are your target. In state government you often don’t know who your
customers are. And it’s very difficult because you have such variety—you’re
juggling lots of balls in terms of the state CIO agenda. And even though we
have states that are a little more mature in the space of IT as a cost center,
for the most part in state government IT is still considered just a cost
center. It is not considered transformational, it is not considered part of the
entrepreneurial aspects of the business.

Half of our CIOs are cabinet officials. All of them are
appointed, by the way. That’s another difference. The average tenure right now
is 26.1 months, a very, very big difference with the private sector, where the
average tenure is 4.9 years. So the average in state government is just over
two years. That’s less than half of the tenure compared to the private sector.
They are often challenged to get a lot done, and they certainly don’t have the
spend.

There are a lot of differences, and there are similarities
in terms of the leadership requirements and the ability to communicate
effectively, negotiate, collaborate, and work with business units. State CIOs
operate, and I’m going to generalize here, 100 percent charge-back
organizations, meaning that they get no direct budget dollars. 100
percent of their budget comes from charging other business units in state
government for their services. So they are operating an internal service
bureau; they don’t get direct tax dollars, they get dollars on the charge-back.
That creates some tension as well, a lot of challenges, and a lot of great
opportunities to transform state government.

You have a lot of various governance models, from highly
centralized, to highly decentralized, and it can cause difficulties. Most
states have what I would call a federated model, so you have joint governance,
joint decision-making. But it’s often difficult to have a true enterprise
environment. All states aspire to that, but every state is different, and one
size does not fit all. That’s one of the challenges. CEOs are interested in the
ROI, governors are often interested in the ROV, that is, return on votes. It’s
a different perspective.

TechRepublic: In the survey, it says that three quarters of
CIOs include cross-jurisdictional collaboration on their strategic agenda, and
another 20 percent are considering it. What are the jurisdictions that we are
talking about here, and then what are the barriers to collaboration?

Doug Robinson: Many of the jurisdictions would be considered
local—local governments and institutions, cities, counties, and special
districts. We have a lot of states that are providing services or are
collaborating with local jurisdictions with their enterprise agenda. They can
offer up services and can also provide contracts. As they negotiate for
enterprise-wide contracts with suppliers and vendors, they often obtain master
price contract provisions which allow local governments and school districts
and others to procure off of those.

They essentially provide the opportunity through a master
price agreement, so the state can leverage its buying power as the anchor
tenant, so to speak, as a major buyer to reduce the cost. Then they can provide
these same terms and provisions to local governments so they can more easily
procure these services. And there are lots of examples of states doing that
through a master price agreement on software from Microsoft or for GIS services
and software. That’s one simple part of the collaboration in terms of doing
something like that.

The other is where they are actually providing services,
like opening up a cloud server to local governments. There are lots of examples
across the country where they have done that—Minnesota, Colorado, Michigan—many
states where they are providing services. In Minnesota, they moved the entire
executive branch of government to a cloud-based email environment. They opened
it up, and now they have a number of cities in Minnesota that are already
taking advantage of that. The city is essentially getting those services.

Michigan has the Great Lakes Technology Center. They are
providing facilities for local governments. So things are certainly emerging
around cloud solutions, and hosting—like extending their networks and allowing
local governments and school districts to do that.

In Texas, they have master state price contracts. So they’ve
gone out for competitive solicitations for things like laptops and desktops and
they’ve put that on a commodity buying contract. Texas school districts buy
thousands of computers off of that, because it has already been competitively
bid. It’s streamlined and they can get a much lower price point by
collaborating with the state. There are lots of different versions of the
cross-jurisdictional collaboration.

When you get into the actual project side, certainly
governance is always a challenge around shared decision rights. And so if there
are multiple states acting as host—that’s the other side of cross-jurisdiction.
We see lots of states doing that, or working with other universities. That
always becomes an issue around who’s the project lead. What about
sustainability? Who is going to run the project? What about financing and cost
sharing?

State to state, legal issues always come up, as well as
questions about the data. If one state is working with another state, and one
state will be the backup site, the lawyers usually get involved. The discussion
is: “We’re going to have State of X data residing in State of Y data center for
backup, and we need to have a conversation about that.”

I am sure there are going to be a lot of discussions over
the next couple years around major projects. I don’t know whether you’ve seen
the news about Illinois and Michigan. Michigan has a relatively successful
MMIS, a Medicaid management information system. Illinois needed a new one.
Rather than buying a new system, Michigan actually is going to be a shared
service provider and deliver the MMIS to Illinois. It’s a huge collaboration, and the governance around
that is going to be important in terms of the legal side. It’s a hosted model
but it’s a very different solution from what we’ve seen in the past.

So this is a growth area. NASCIO has actually had for the
past three years a cross-jurisdictional working group. There are local
governments on it. NASCIO has written a number of issue briefs around collaboration.
Why should these groups join up? What are some of the challenges? Certainly,
what are some of the major opportunities?

Governance can certainly be a bear, but we’ve seen examples
where they’ve successfully developed a governance model to manage the initial
deployment. I think sustaining it over time is particularly important,
especially if the players change. And that often happens—a CIO leaves and you
want to make sure the collaboration continues.

TechRepublic: I live in Illinois, so anything that improves
the state’s delivery of services is a good thing!

Doug Robinson: Illinois is really trying to improve. They’ve
done a lot on data center consolidation at the state level, to try to minimize
the diversity and complexity of their environment. They’ve got some new
initiatives around cloud and open data. Illinois has a number of things to
really work on, but at least they have started to put some of the governance
structure and policy framework in place.

I’ve been very impressed by what they call their “Illinois Framework,” which
is engaging a large number of health and human services organizations to come
to a common approach on how to minimize the touch points for citizens to get
all these services.

But it’s not going to happen overnight. This is something
that’s been baked into the DNA of state government for 30 years. So you’ve got
to uncouple a lot of the status quo discussions around the agencies, the lines
of business and the stovepipes. Believe me, their plumbing is tied up in knots
in many cases. Bureaucratic rules, and statutes and limitations—that is not
going to be effective in the future.

TechRepublic: The report indicates that three quarters of
the states are adopting a cybersecurity framework. Among these states, what are
the commonalities that you see in this new framework?

Doug Robinson: Their framework is 80 percent or more based
on NIST. They’re
focused on NIST as the foundational framework, because it is so expansive and
provides so many touch points in terms of security. NIST is probably the most
predominant framework the states are using, and then secondarily they are using PCI
compliance on their sites for credit card data protection. They’re also using
the 20 Critical (Security) Controls from SANS.

Ultimately, that’s what we talk about in terms of our five
action items. Make sure you have governance and authority, make sure that you
have adopted a framework, that you have a go-forward path by design. Make sure
that you have articulated the vision, because you’ve got to accommodate a lot of
things in the technology space, like mobile, like cloud, things that have the
potential to cause harm. I think most states are not trying to reinvent the
wheel, they’re trying to appropriately adopt and refine what exists as a best
practice.

As those things evolve we are following the revisions of the
framework. We’re going to be commenting on those. But again I think the states
have to find the sweet spot in that. Part of that is implementing continuous
vulnerability monitoring and real-time monitoring of networks. DLP (data loss
prevention), some states are doing it more in that direction in a more
expansive, enterprise manner. It can be a challenge.

In some cases you have the various lines of business, large agencies
like health and human services, that want to do their own thing. On the
governance side, you’ve got to get all of them to sit down at the table and
agree that they’re all going to fall under, let’s say, the same enterprise
monitoring umbrella.

All the states obviously have perimeter detection, inbound
threat detection. We have seen a five-fold increase in the past couple years in
the amount of threats directed at states. And a lot of these in the last year
have been very targeted spear-phishing attacks. They’re coming inbound via email
with embedded malware; they look very innocuous coming in. So that’s not
something that’s going to be tracked. You just have to rely on secondary
defenses, on cybersecurity training and a high degree of awareness on the part
of employees.

And that’s often difficult when you have 30, 40, 50 thousand
employees. California has over 220,000 employees. A small-size state might have
12 to 15 thousand employees spread out across it. It’s very difficult to make
sure that you’ve got that down 100 percent. Creating a training platform and a
culture of information security is really important.

One of the things you might want to look at: Dan Lohrmann,
who is the state Chief Security Officer in Michigan, wrote
a blog that I thought was really good. He’s a real active member of
NASCIO. He wrote a blog in GovTech.com on why security is back on top as a
state IT priority. I think he identifies four or five really good reasons.

One of the things we’ve been talking about is the state IT
workforce issues. And Dan has some pretty good ideas about the challenges
there. Certainly, he’s on the ground dealing with it every day, and I’m not.

TechRepublic readers can get acquainted with NASCIO’s
publications and research briefs on this page
of their organization site.