Letter to the editor

I have several thoughts in response to your editorial titled "From the ground up."

First, the National Association of State Chief Information Officers is not composed of state security officers. In fact most states do not have a designated security officer, they have designated security contacts that do that job in addition to everything else. NASCIO, to its credit, has been attempting to fill the gap, but security is an add-on, not a priority — and rightly so given the organization's mission.

Second, it is anticipated that the national cybersecurity strategy will not address state and local government issues. This has been one of the weakest links in the proposed strategy.

This past year, Colorado created an IT risk management division within its Office of Innovation and Technology (www.oit.state.co.us). This division houses the information security and privacy functions and is dedicated to managing and mitigating IT risk. This is a model that all levels of government should emulate, including the federal government.

In the meantime, the main issues holding up effective security/privacy initiatives in this country are leadership, governance and dedicated resources. To seriously address IT problems, security officers need enforcement and compliance authority and dedicated resources.

To date I know of no state that has the proper tools to do the job. And quite frankly, we must think outside of the box and be prepared to create innovative governance structures if we are going to deal effectively with cybersecurity and cyberwarfare.

No information security officer can successfully monitor his facilities, man the stations, investigate intrusions and try to figure out who's on first all at the same time.

Valerie McNevin
Denver