The state of California just opened a cybersecurity branch that is headed by Keith Tresh, the state's previous chief information security officer. Los Angeles’ Department of Water and Power just hired its first CISO. The University of California and the State University System have CISOs.
Some specialized entities have CISOs, including Los Angeles International Airport and the Port of Los Angeles. More and more public entities are hiring chief information security officers to assist in the protection of digital assets.
But lots of local governments are still looking for a CISO.
The county of San Bernardino’s call for applicants, posted Friday, describes the CISO’s responsibilities “to provide countywide leadership in the protection and confidentiality of the County's information and technology assets.”
UC Berkeley posted a job opening for a CISO two weeks ago.
San Francisco recently hired Jackson Muhirwe as CISO to oversee 54 city departments. However, the city posted a job opening for a CISO just three weeks ago.
“One major reason is they get offers of employment with higher salaries from private-sector companies,” Tresh wrote in an email to Techwire about CISOs leaving their public entity positions.
Even the state is looking for CISOs. CalPERS began the search for its next CISO at the end of June. “CalPERS seeks a dynamic individual to join our technology team. We are currently recruiting for a Chief Information Security Officer,” the posting reads.
Still, some agencies are dealing with the CISO shortage by rolling the position into others. Rami Zakaria serves as Sacramento County’s chief information officer, chief data officer and CISO. This means C-suite executives are handling many challenges.
“Another reason is that despite the high profile of cyberincidents, a lot of CISOs do not get the support and resources they need to develop and maintain a mature and resilient information security program,” Tresh wrote.
Some agencies roll the responsibilities into technology director, privacy officer or risk-services positions.
Others, like the city of San Diego, which recently lost its top cybersecurity official when Gary Hayslip went to work in the private sector, have brought on interim officers.
“And lastly, I would say they leave because they get burned out working at a breakneck pace to try to keep the entity they work for out of the news and from being hacked,” Tresh wrote.
