County CIOs Compare Notes, Trade Tips

When it comes to IT-related challenges, California's rural and urban counties may have more in common than not.
 
That was the one key takeaway of a session Monday at the fall conference of the California County Information Services Directors Association (CCISDA), meeting this week in San Diego.
 
With input from dozens of county CIOs, IT directors and other government tech executives at the conference, several topics emerged as common to counties large and small.
 
Disaster recovery, business continuity
 
"It's a business problem, not just an IT problem," when a disaster hobbles a county's IT operation, said one CIO. "They have to understand that we're not going to be able to turn on a dime" and instantly restore IT functions and government business operations in the event of a fire, flood or other disaster. They have to help themselves, too." One way CIOs protect their counties' domains is by having each other's backs through strategic data backups.
 
Colocation as protection
 
Urban and rural counties are increasingly relying on colocation, a way to back up their data offsite by mirroring their IT environments and functionality with those of another jurisdiction that's geographically remote. 
 
San Joaquin County Information Systems Director Jerry Becker said his county and Stanislaus County have a colocation agreement, and Alameda County CIO Tim Dupuis said he and Sonoma County have a similar arrangement.
 
Becker also invited any other counties that want to colocate with San Joaquin to contact him, noting that his facilities include plenty of security and lots of capacity.
 
Phishing but not biting
 
Alameda and Fresno counties, among others, have noted a recent rise in phishing attempts, and in some cases even members of government IT staffs have taken the bait. 
 
County CIOs take different approaches to resisting digital miscreants — proactive staff training through short educational videos, increasing the frequency of authentication for staff, and using multiple tools (anti-virus software and multi-factor authentication, among others) to combat infiltration.
 
One county IT executive wondered aloud why counties couldn't pool their resources in the fight against phishing. If a consortium of counties chipped in, he said, "We could pay one vendor $2 million, rather than paying $180,000 each," but another lamented that "With all due respect to vendors, there isn't any one product that can do it all." 
 
A couple of county IT leaders were heartened by a recent spike in awareness by county boards of supervisors and other top non-IT execs toward increased security. In a central California county, one noted, top officials asked for 12- to 15-character passwords rather than just eight.
 
On the topic of multi-factor authentication (MFA), one county is shifting to having users' voices serve as their password. Others impose more stringent authentication for users logging on remotely than from inside the network.
 
Recruiting: Finding, not keeping
 
Recruiting talented IT staff is hard enough for counties large and small, the CIOs agreed. But with the private sector continually luring away the best, it's a growing challenge.
 
"We keep losing our people to a Cisco," one said. 
 
Dupuis, the Alameda CIO, cited a philosophical question that bedevils officials in their hunt for information security specialists, as well: 
 
"Do we want a theorist, or do we want a practitioner? We keep seeming to land on practitioner."