IE11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Will California's Cybersecurity Shortcomings Lead to More Investment?

Scrutiny coming from all directions — the State Auditor, the Legislature, the agencies and departments themselves — might motivate the state of California to make some changes and investments.

The state of California's security readiness, or lack thereof, has become a popular punching bag for criticism.

But there are some anecdotal signs that the scrutiny coming from all directions — the State Auditor, the Legislature, the agencies and departments themselves — might motivate the state to make some proactive changes and investments.

Security is becoming much more of a focal point, and that could end up being a good thing, former state CIO Carlos Ramos said Wednesday at a tech forum in Sacramento.

"My hope is that with all this increased focus, we'll get more resources for information security officers and their staff, more training and development for IT operational staff so that they're aware not only of good security practices — but also some actual investment in bringing the technology and infrastructure that we have and rely on, up to date," Ramos said.

A 2015 state audit found most state departments self-reported that they aren't fully compliant with the state's security standards, and new legislation (AB 670) is requiring the state to conduct security audits on dozens of state agencies and departments each year.

Both of these appear to have the attention of department-level CIOs and chief information security officers.

"Assembly Bill 670 is the most talked about topic right now in state security and the IT community right now," said Ashish Kumar, information security officer for the California Housing Finance Agency.

California High-Speed Rail Authority CIO Keith Tresh, who formerly served as the state's chief information security officer, said his organization wasn't one of the initial 35 agencies selected to undergo a security audit. But he's getting High-Speed Rail ready because he knows it will be coming. High-Speed Rail is revamping its security awareness program and putting in tools for managing security vulnerabilities so they can be proactive rather than reactive, he said.

"Because High-Speed Rail is such a high-profile project, we need to make sure we're not adding to the issues," Tresh said.

Being proactive versus reactive has become a a topic of discussion with the state's IT community as the Brown administration considers how it might reposition or bolster the state's information security office currently housed within the Department of Technology. There are indications the California Office of Emergency Services (CalOES) is taking on more responsibility over cybersecurity.

"Which is something I'm not sure I would recommend doing, because if you look at the responsibility of the emergency services agency, their fundamental job is to respond and to recover after something has happened. I don't think that's necessarily the right focus," Ramos said.

Ramos said the state needs to be more proactive and focused on prevention. That would require California to make significant upfront investments.

"In my experience a lot of exposure we have comes from having outdated technologies, having an infrastructure that needs to be modernized and hardened," Ramos said.

On the topic of investment and resources, there could be some common ground with CalOES.

States have been left to build cybersecurity capacities with limited resources and trained personnel, and the creation of a grant funding stream would help them build their cybercapabilities, Cal OES director Mark Ghilarducci told the U.S. House of Representatives' Homeland Security Committee at a congressional hearing on Tuesday.

Matt Williams was Managing Editor of Techwire from June 2014 through May 2017.