South Carolina Mulls New Ways to Secure IT

Building Security, Privacy Organization Almost from Scratch
A breach last fall of the South Carolina tax system revealed a glaring hole in the state's IT security governance model: There wasn't one, so to speak. Each agency was responsible for its own cybersecurity policies.
"There's a lack of consistency," says Mike Wyatt, director of Deloitte's Center for Security and Privacy Solutions. "With that lack of consistency, it's very tough to have security controls."
Wyatt's comments came during a hearing earlier this month of the Budget and Control Board, the central administrative agency for South Carolina state government, where he presented Deloitte's plan for a federated model of IT security and privacy governance. Under this plan, a central organization would establish policies, but individual agencies would implement them. It's an approach taken by other state governments. "We are not disrupting agency operations," Wyatt says. "They would work in close collaboration with the security office."
The Deloitte plan isn't the only one South Carolina is considering. The state Senate last month unanimously approved a bill that follows recommendations from the South Carolina inspector general, who similarly called for a federated model of IT security [see South Carolina Inspector General: Centralize Security]. A major difference between the bill winding its way through the South Carolina legislature and the Deloitte recommendation - for which the state paid $3 million - is the structure of the new, centralized IT security organization.
The Senate bill, which the House is considering, would establish a Division of Information Security within the Budget and Control Board, chaired by the governor. The governor would nominate the CISO for a four-year term after consulting with the Division of State Information Technology. Senate confirmation would be required.
Deloitte's recommendations are less legalistic than the Senate bill, as they are not in the form of legislation. The consulting firm counsels the state to establish an enterprise information security organization with the authority to set, independently assess and enforce policy. The information security program would consist of three core, interrelated components: privacy; information security; and technology and security operations. Under this plan, the information security organization, headed by a chief operating officer, would be established within the Budget and Control Board.
Under Deloitte's scenario, a CISO would oversee the security functions and report to the COO. This plan also would establish seven deputy CISOs who would serve as subject matter specialists in domains such as law and justice, higher education and finance and administration. The deputy CISOs would work closely with agency information security officers. Each agency would have an ISO who would report to the respective agencies' directors or chief information officers, with a secondary reporting relationship to the CISO.
The COO also would oversee a chief privacy officer, who would establish enterprise privacy policies related to personally identifiable information, according to the Deloitte plan. Agencies that collect, store, share and process sensitive information should designate a privacy officer who would report to their agencies' directors under the Deloitte proposal. The agency privacy officer would have a secondary reporting relationship with the chief privacy officer.
Other recommendations from Deloitte include implementing an enterprise security awareness program for state employees, strengthening the state's cybersecurity workforce, as well as rethinking how the state manages information technology. "The state's current decentralized IT governance model is likely to continue to constrain the effectiveness of the information security program," the Deloitte report says. "To overcome the challenges associated with multiple points of security risk evaluation, control and enforcement, we recommend that the state consider moving to a federated governance model for IT."
$15 Million Price Tag
The Deloitte report estimates that South Carolina taxpayers would pay nearly $15 million in fiscal 2014, which begins July 1, to ramp up the new approach to IT security, as well as more than $7.3 million a year to maintain it. (A budget bill before the legislature would appropriate $25 million next fiscal year for IT security, but that includes additional funding for credit-fraud monitoring for taxpayers whose financial information was stolen in last year's breach of the Department of Revenue system.)
The costs in the Deloitte study include the estimated chief operating officer annual salary of $155,000, with $48,050 worth of benefits; the CISO would receive a salary of $150,000, with $46,500 in benefits. A chief privacy officer would receive an annual salary of $120,000, with $37,200 in benefits.
The mean salary of a CISO in the United States is $172,800 a year, according to the 2012 Mercer Salary Study of Information Technology, which Deloitte cited in its report. The cost of living in South Carolina is much lower than in many other states.
When the breach occurred last year, the position of CISO within the Revenue Department was unfilled because the agency could not attract anyone to a position that paid a $100,000 salary, about half of what the private sector pays [see How Much is a Good CISO Worth?].
A hacker, believed to be from Eastern Europe, last summer stole a state employee password that led to the breach of the South Carolina tax system, resulting in the exposure of records on more than 6.4 million individual and business tax filers [see Stolen Password Led to South Carolina Tax Breach].