Top 5 takeaways from the 50th anniversary NASCIO conference.
The year 2019 has been a particularly challenging year for state chief information officers: They faced unprecedented turnover and tackled both ransomware attacks and emergency response to natural disasters.
Amid this uncertainty, protecting and improving the citizen experience across the country remained a high priority for these executives — something a group of CIOs at this year’s annual National Association of State Chief Information Officers conference in Nashville emphasized.
Despite being bombarded with never-before-seen hurdles, this year’s event proved that state CIOs are thinking ahead, collaborating and sharing best practices across state lines to then apply to their states’ own unique challenges. And the one thing constant for these executives? People are still the focal point of the CIO mission.
Read these takeaways from the 2019 NASCIO conference for more on the state and local priorities for low-risk innovation.
1. Elevate People and Processes at the Core
With government leaders starting to think more and more about innovation and with a technological boom on the horizon, IT managers and CIOs need to keep the central mission top of mind as they build out strategic technology adoption plans. “The most important asset is the people,” says Theresa Szczurek, CIO and executive director at the Colorado Governor’s Office of Information Technology. “Look at where your people’s passions are, and align that passion with a purpose. Our purpose is the [citizen].”
CIOs have always prioritized the end user in their strategic plans no matter the goal — whether it’s data-sharing across silos to address the opioid epidemic, maintaining connectivity during emergency management or preventing and responding to cybersecurity events. A key theme of NASCIO’s 2019 State of the CIO Survey, which gathered insights from state information technology leaders on updated priorities and responsibilities, was an elevated focus on customer needs and viewpoints of state CIO organizations. The vast majority of survey respondents listed customer relationship management as a priority — 36 of the 48 states have active CRM programs in place, while six have a formal program plan in the works. Human-centered design and tools that ride on networks provided by partners like CenturyLink help address state and local government challenges in a creative way and allow users to be involved from conception throughout implementation. “When we have conversations with the legislature, [it keeps going back to] human-centric design,” says Jim Weaver, CIO for the state of Washington. “When we can take human story and bring it home with examples that people can relate to, it totally changes the conversation.”
Utah has put that practice to the test by rolling out artificial intelligence website chatbots to facilitate resident access to information on the state’s websites or to navigate online forms, according to the state’s CIO Mike Hussey. These chatbots help residents and staff alike find the information they are looking for faster.
The growing use of chatbots to solve common technology problems has enabled citizens to get help faster, especially in understaffed or under-resourced areas, according to a 2019 report from NASCIO, the Center for Digital Government and IBM,
Now, these chatbots are the primary introduction of AI into citizen services and are seen as “low-hanging fruit” that can assist help desks, call centers and various other public-facing entities. “We know if we can personalize the service for the individual, we can make government much smaller, much easier to deal with and much more responsive to what a citizen needs,” says Mark Raymond, Connecticut CIO.
2. Establish Basic Cyber Hygiene to Mitigate Risk
Hackers constantly try to sneak past the defenses erected by state leaders, sometimes resulting in damages with multimillion-dollar price tags and lengthy recovery for cities across the country.
Texas was brought up at NASCIO as a success story among a large group of states and cities paralyzed by ransomware attacks. Over the summer, hackers targeted the computer systems in 23 Texas municipalities in a coordinated ransomware campaign. These local governments were vulnerable because of their poor cyber hygiene, Todd Kimbriel, the state’s CIO, said in a packed room for the first cybersecurity session of the conference.
Thwarting these types of attacks doesn’t require overly advanced technologies or methods, according to Kimbriel.
“Preparation is the key,” he says. “Basic cyber hygiene is the key. These are silly little things, but it’s not really more complex than that. There is no secret sauce.”
Other government entities associated with the breached provider remained unharmed as a result of key preparations and prevention steps such as patching by IT departments and strong system passwords, according to Kimbriel.
Within 24 hours of the attacks in Texas, IT teams were in touch with the affected entities. Shortly after, 25% of the attacks were contained and eradicated. Within a week, the response teams remediated all concerns and potential damage remaining from the attack — with minimal costs and no ransom paid.
It’s crucial to have the tools and equipment that can manage incident assessment and response when the need arises; however, a significant portion of the heavy work comes before hackers sneak into government systems targeting vulnerable data, Mississippi Chief Information Security Officer Bill Nash says.
Nash and Kimbriel both emphasized a mature cyber hygiene package not only includes the tools agencies need but ensures agencies, boards and commissions adhere to state cybersecurity laws, execute third-party risk assessments from partners and run routine tests to identify weaknesses. States such as Mississippi have started to audit the cybersecurity practices and hygiene of agencies, pinpointing potential areas of weakness and where states can shore up their practices.
As states increasingly provide cybersecurity services to local government, sharing good cyber hygiene practices and lessons learned from incidents across states can help CIOs prepare their organizations for “not if, but when” these attacks occur, Kimbriel says. Cyber hygiene and a deep understanding of cyberthreats can prevent initial impact. CenturyLink’s annual analysis of its global network provides best practices that are transferrable to state and local agencies and can provide additional intelligence and insight to help secure government networks.
3. Preparation and Assessment for a Strong Foundation
Assessment is the jumping-off point for defining the future purposeful action of an organization, says Szczurek, the Colorado CIO. With proper assessment, organization leaders can pinpoint the status of critical elements, such as cybersecurity posture structure or workforce development, and launch pursuit of actionable goals.
This year, 86% of state CIOs polled in NASCIO’s 2019 survey reported acquiring and implementing continuous vulnerability monitoring capabilities, up 5% from 2018. More CIOs also reported using analytical tools, AI, and machine learning to manage cybersecurity programs across their organizations. This survey, along with data points from the 2018 Deloitte-NASCIO cybersecurity study, shows CIO assessment, planning and cybersecurity strategy efforts are extending beyond their own agency and aligning tightly with all executive-state agencies to ensure government leaders have an up-to-date status on their organizations’ cybersecurity posture.
Fortunately, a little over a year before the attack in Texas, the state ran a cybersecurity tabletop exercise. IT leaders planned the exercise for a year, resulting in a three-day simulated attack to test the state’s response to cyber incidents and to evaluate procedural efficiency. With this plan tested and in place, the state operations center knew exactly what to do and whom to call immediately at the first sign of attack.
“So much focus goes on response when something occurs or prevention activities, but people are not paying enough attention to how you handle readiness and how to practice [readiness for incidents],” says Raymond, the Connecticut CIO. “If you look at the coverage of events, how people handle them makes a difference between a disaster and something that’s effectively managed. I think we can all do better work in how to respond when something occurs because something will occur.”
4. Communicating with Data for Citizen Protection
Communicating goals, risks and necessary investments to citizens and stakeholders is a major component of the CIO job, and new strategies and tools help CIOs do that. According to Kimbriel, the governor’s understanding and authority to declare a disaster in response to a cyber incident, in tandem with the incident plan, made all the difference in the Texas case. The disaster declaration was crucial to communicate with those who both were and weren’t impacted in the cyber incident.
However, there are other ways to communicate effectively, and the CIOs at the NASCIO conference discussed how to do that through data sharing and management, using comprehensive data dashboards and tools to store and easily extrapolate data based on different scenarios. In this year’s NASCIO survey, CIOs’ responses indicated a growing interest in increasing collaboration with local governments. Over 55% of respondents said they provide data center hosting, network services and security infrastructure for local governments, opening up the conversation for more frequent and improved conversations between state and local governments.
One example is the vast dataset collection used by New Jersey law enforcement to create the New Jersey Integrated Drug Awareness Dashboard, a platform that integrates data from toxicology reports, prescription monitoring data, Department of Health data, criminal data and more to help states fight addiction. Not only does New Jersey work with local governments and counties, but it uses the vast data management system to collaborate with nearby states such as Pennsylvania and New York, according to Lt. Jason Piotrowski. At the NASCIO event, Piotrowski highlighted the power of effective and efficient data management that securely protects the privacy of citizens. IT partners like CenturyLink can provide the foundation that is required for managing data. This foundation is based on adaptive networking, which provides a flexible infrastructure to manage and analyze data in order to pull actionable insights that address specific state challenges.
Improved communications and collaboration can mean something as simple as working with partners to provide constant uninterrupted connection and access to Wi-Fi for citizens, or to track, store and share data across state lines between Philadelphia, New York and New Jersey to trace spikes in opioid overdoses and Naloxone usage in real time.
5. A New Culture of Collaborative Innovation
CIOs are the conveners of state plan implementation, pulling in resources from across industries to innovate and tackle their unique state challenges. Private partnerships have opened up avenues for data sharing across silos and states to drive smarter innovation decision-making.
It’s essential to “pull the right partners to create the right ecosystems,” says Calvin Rhodes, director and CIO of the state of Georgia. “That forced us to think outside the box. Oftentimes, leadership has to push the culture to embrace doing things differently.”
Changing the narrative takes time in order to implement successful and sustainable innovation, says Weaver, the Washington CIO. “It’s about acting on some ideas and assessing the outcomes of those ideas,” he says. “If we make a leap, the ideas crumple very quickly.”
Today’s CIOs are ushering in a new culture of innovation, emphasizing that with innovation come mistakes and opportunities to learn. This learning process pushes for more modernization, but can help lower risk by working with the right partners.
CenturyLink aims to be one of those partners and stands ready to collaborate with government agencies by working together to meet strict requirements and deliver real solutions that meet the demands of today’s citizens.
“Part of our challenge as leaders is to begin to work at that culture and enable our peers to become bolder, take more educated risks and try something new,” Weaver says. “I have to know how to slow down to move faster.”