West Virginia gives CISO greater authority to lead statewide cyber program

Source Domain: statescoop.com

West Virginia Gov. Patrick Morrisey on Thursday approved legislation designed to strengthen the state’s cybersecurity and grow the authority of its chief information security officer, a role currently held by longtime state IT staffer Leroy Amos.

The bill directs the state’s Cybersecurity Office, led by Amos, within the state’s Office of Technology, to standardize the state’s approach to cybersecurity. Amos is tasked with developing statewide cybersecurity policies and standards comprising a “framework” that ensures uniform compliance with the industry’s best practices. While discussing the bill in Charleston in recent months, state lawmakers claimed that much of West Virginia’s cybersecurity activities are the product of disparate, ad-hoc efforts, not carefully managed by a central authority keeping an eye on compliance across agencies, though the IT office has partially disputed this criticism.

The bill’s enactment drew approval from the Alliance for Digital Innovation, a Washington nonprofit that advocates for laws and policies “that contribute to the development of a modern, 21st century digital government,” according to its website. In a letter to the governor urging his signature, Dan Wolf, the Alliance’s director of state programs, noted the legislation’s “thoughtful and forward-looking approach to managing cybersecurity risk” and its accommodation for “the shared and interdependent nature of cyber risk across agencies.”

Wolf noted that the bill “ensures that software licensing practices do not restrict the state’s ability to deploy solutions on the infrastructure of its choosing, helping to prevent vendor lock-in and promote flexibility, competition, and cost efficiency,” a nod to one of the bill’s amendments, after concerns arose that new cybersecurity standards, too rigidly administered, might hamper the state’s hardware or software options. “Effective cybersecurity requires centralized…

Source