At the moment, all 18 South Carolina state agencies have their own chief information officers responsible for keeping the data doors locked against bad guys. But these CIOs are far from confident.
One told the inspector general "what scares me is what I don't know." Another said South Carolina's statewide information security ranks two out of five "on a good day."
None of this is a surprise to Charlotte attorney and security consultant Chris Swecker.
"It does not work if everybody gets to essentially run their own pass patterns when it comes to cyber-security," says Swecker. "That's when you get what's happened in South Carolina, and it's what you've seen across the U.S."
Continuing Swecker's football analogy, South Carolina's Inspector General says the state needs to get a cyber-security quarterback.
There's already a Division of State Information Technology, but it doesn't have any authority to create or enforce policies. Inspector General Patrick Maley is urging the governor and legislature to appoint a Chief Information Security Officer for the entire state who would have that power.
Maley also recommends the state hire a private security consultant to set up the statewide system and help agencies be proactive in identifying threats.
Swecker says South Carolina is not the only state with a patchwork system of information security. Corporations often have the same problem with separate divisions doing their own thing.
"But I will say government agencies have silos and siloed processes down to a science," says Swecker. "Those silos protect themselves all the time. That's why it takes a very strong Chief Information Security Officer to drive this."
Swecker says the best practice is a completely centralized information security system for the entire state. Inspector General Maley says the CIOs at South Carolina's 18 agencies would prefer a less-centralized system where they're able to implement and adapt the policies created by a Chief Information Security Officer.