The legislation that created Arizona's Statewide Information Security and Privacy Office last August (ARS 41-3507) brought David VanderNaalt home to Phoenix as the state's chief information security officer. One of the former American Express and City of New York CISO's first acts in office was to work with Governor Janet Napolitano's office to develop Executive Order 2008-10, which mandates that state agencies formalize their cybersecurity efforts and mitigate threats against citizens' personal information. DAVID VANDERNAALT How did the executive order come about? The executive order directs every agency to report security incidents to this office; prior to the legislation it was optional. In my first month, we had three reports. I commented to the governor's office through my boss that I thought I should address the cabinet on what I've seen through my first 30 days here, and give them a hint of the things they should be working on. The message came back to me that the governor would prefer that I work with them to develop an executive order that she could sign and execute. Were there external drivers that elevated cybersecurity to such a high level in the state government? One thing that drove it is that the state of Arizona is No. 1 in identity theft. That certainly gets the attention of politicians. At the end of the day, the governor and legislators care about these things as part of providing services to their constituencies. We don't want to have a government organization lose information that could lead to identity theft. Every state will say they're doing this kind of stuff, but I haven't heard of many states that have legislation that creates this office and gives this office authority and puts in place a CISO and CPO. Arizona is doing something I've been talking about for many years and that's the convergence of those risk mitigation capabilities at a business level. Some corporate security offices are finding conduits in different lines of business who help foster that alignment with security. Do you subscribe to that thinking? From the perspective that I have responsibility for the strategic direction for security and privacy, I have to have a good contact at every agency and they have to understand the business of what I do and how that applies to what they do. Out of the executive order, each agency has an information security officer and agency privacy officer. I identified the security officer as being an IT executive and the privacy officer as a business executive so that when an agency appoints those two positions, we will have a good conduit back into the environment to align processes for security and privacy and make sure they get back to the right level in the business environment. It must be nice to have the governor in your corner; it certainly isn't always the case in the corporate world. This is a whole different way to do business, and I guarantee, it's the best. We have heard for years there are two things that prevent us from doing good security--one is resources and budget, and two is visibility in the boardroom. We have visibility in the boardroom with the CEO, and I am very grateful for the governor's support because it lends a lot of credibility to what I'd like to do. Download the complete interview with David VanderNaalt at searchsecurity.com Download a copy of Executive Order 2008-10 at http://azgovernor.gov/dms/upload/EO%202008-10.pdf