This Q&A is part of a new GovLoop series called “CIO Conversations.” Through 2019, we’ll feature conversational interviews twice monthly with current and former federal, state and local chief information officers (CIOs) to get to know the people behind the titles. You’ll learn about the perks and challenges of their job, how they ended up in their current position, what’s top of mind for them, how they’ve rebounded from setbacks, and more.
Not every question is a great question when it comes to implementing a strong cybersecurity posture in government.
“You’ll hear in cybersecurity the talk of, ‘Are we secure?’ That’s a common question you hear, but it’s the wrong question to ask,” said Joshua Spence, West Virginia Chief Technology Officer (CTO), speaking with Emily Jarvis, Senior Online and Events Editor at GovLoop.
The reason why? Spence said it’s because it suggests that cybersecurity is a one-time issue to be resolved and put away when it’s actually an issue that needs to constantly be managed.
He spoke further with Jarvis about the state’s cybersecurity approach, as well as 2020 plans and 2019 triumphs.
The interview below has been lightly edited for brevity and clarity.
You’re one of the few people in the NASCIO presentation that mentioned budget, which I feel like is often the elephant in the room. Considering that, how do you think about your priority list for 2020 when it comes to what you are doing in the CTO shop?
One of the things is around equipping the partner agencies, because I’m from central IT and supporting the infrastructure in a lot of enterprises to these agencies. Am I equipping them with the knowledge around their IT spend, so that they can make strategic decisions? And we don’t believe that we are. We believe [we’re in] the state where we’re missing some things. We can see some of the spend, but we’re not looking at it holistically. And with the prioritization that has to be put on technology — I mean, it’s completely woven into our fabric of operations now. We need to make sure we’re making smart strategic decisions around IT and not just simply solving single-use case problems at the lowest level of government.
Are there any projects or programs you are particularly proud of this year?
We are absolutely excited about our initiative around cyber risk. In partnership with the National Governors Association, we have participated in their policy academy. And from that, we had a bill drafted, and engaged the legislature on cybersecurity. And we wanted to clarify in law some foundational direction, and we feel like cyber risk is that direction. One of the ways in which we explain that is [this:] you’ll hear in cybersecurity the talk of, ‘Are we secure?’ That’s a common question you hear, but it’s the wrong question to ask. And the reason it’s the wrong question to ask is it implies that you’re solving a problem and then you can move on. And that’s not how cybersecurity works. It is the condition in which we’re going to have to manage. And let me give you an analogy that I really feel like helps people see this illustration.
Let’s just pretend I’m the fire marshal and [someone] asks me if the building’s fireproof. Nobody has an expectation that buildings are fireproof — we don’t build them to that level. But it’s still a risk. What do we do? We put preventive measures in to prevent a fire. We put responsive measures in, should there be a fire. It’s just risk management. Those same principles apply to cybersecurity, and that’s how we need to look at it. Otherwise, the money you spend, you may just be spending it in the wrong lane.
So this law is a huge benefit, because we’ve established the CISO [Chief Information Security Officer] in law, we’ve established this cybersecurity office in law, so that will now carry through administrations as a standard. And then we’ve also put in place the requirement for the Office of Technology to conduct cyber risk-as-a-service. And the vision is that we can go to an agency director and say, “We looked at your situation and here’s your cyber risk that you need to be aware of.”
But not only can we tell one agency, we want to make sure we have a common framework for all of the assessments to be built off of, so we can roll up all the agencies within a department and tell the cabinet secretary holistically, “In your department, here’s your cyber risk.” But then take all the departments, ultimately, up to the governor’s office and say, “If we spend a dollar in cybersecurity next year, this is where we’re going to get the most benefit.”
A lot of folks I’ve been talking to are saying they have a more seasoned workforce and are trying to get younger people in. What does your workforce look like in West Virginia?
They’re really dedicated people that want to make a positive difference. One of the things that we’re trying to do is make sure we’re empowering them to understand that there are absolutely times where failure is acceptable. That you do have to take a risk, you do have to decide to change up and you don’t have to do it the way we’ve always done it just because that’s comfortable, or because you’re scared. We’re wanting to create that culture change where people are understanding when they can take those risks.
And then workforce retention and recruitment is a big priority of mine. Many of our [class specifications] haven’t been updated since the 90s. We have one that references an adding machine. (Laughs) So we want to overhaul those, and we’re in the process of doing that now.
The ultimate goal is to have fewer, different class families. We want to make sure there’s understanding in how they interrelate, so that we can show better, clearer career path opportunities. We feel that’s an important component to retention.
Then, we want to make sure we’re enabling entry level roles that coincide with our internship program that we’re using with the universities. Because we feel like it’s a great way we can give students an opportunity to get real-world experience. And then the ones that want to work for the state, we’ve already gone and done some vetting on those eventual employees, and they can come right into the workforce and hit the ground running.
What does IT modernization mean from your perspective, and how are you guys going about updating?
On [the] modernization piece, I think what really resounds to me is looking at it from this concept of digital government. And what I’m wanting to champion within the state is a recognition that technology is a tool we have to maximize. And right now I feel like there’s a lot of opportunity that we’re missing because we’re not taking a moment to say, “Okay, what are we really trying to accomplish here with the technology?” And making sure we’re being flexible enough to change government processes and procedures to really enable that technology to bring value.
We do talk about budget and say we’ve got limited resources. So, we don’t want to continue to go down a path where we push technology to be fully customized to match the processes we’re performing today. Because then all we’ve done is, we’re paying more money to do what we already do.
And that’s sometimes a challenge because people get comfortable with what they know. So again, it’s just a cultural change, but we think that’s a really important message we got to put out.
And then, it’s got to be to put [governance] into the management. So if you’re going to go after a project that’s a high-dollar project, you need to scope that value that you project to gain, and then it needs to be measured. Otherwise, we’re not sure if we’re going to get there, and then we might be missing an opportunity that we should be taking advantage of.