This article can also be found in the Premium Editorial Download "Information Security magazine: Security Readers' Choice Awards 2008."
The legislation that created Arizona's Statewide Information Security and Privacy Office last August (ARS 41-3507) brought David VanderNaalt home to Phoenix as the state's chief information security officer. One of the former American Express and City of New York CISO's first acts in office was to work with Governor Janet Napolitano's office to develop Executive Order 2008-10, which mandates that state agencies formalize their cybersecurity efforts and mitigate threats against citizens' personal information.
Were there external drivers that elevated cybersecurity to such a high level in the state government?
of politicians. At the end of the day, the governor and legislators care about these things as part of providing services to their constituencies. We don't want to have a government organization lose information that could lead to identity theft.
Every state will say they're doing this kind of stuff, but I haven't heard of many states that have legislation that creates this office and gives this office authority and puts in place a CISO and CPO. Arizona is doing something I've been talking about for many years and that's the convergence of those risk mitigation capabilities at a business level.
Some corporate security offices are finding conduits in different lines of business who help foster that alignment with security. Do you subscribe to that thinking?
From the perspective that I have responsibility for the strategic direction for security and privacy, I have to have a good contact at every agency and they have to understand the business of what I do and how that applies to what they do.
Out of the executive order, each agency has an information security officer and agency privacy officer. I identified the security officer as being an IT executive and the privacy officer as a business executive so that when an agency appoints those two positions, we will have a good conduit back into the environment to align processes for security and privacy and make sure they get back to the right level in the business environment.
It must be nice to have the governor in your corner; it certainly isn't always the case in the corporate world.
This is a whole different way to do business, and I guarantee, it's the best. We have heard for years there are two things that prevent us from doing good security--one is resources and budget, and two is visibility in the boardroom. We have visibility in the boardroom with the CEO, and I am very grateful for the governor's support because it lends a lot of credibility to what I'd like to do.
This was first published in April 2008