South Carolina could have two people overseeing agencies' cybersecurity as part of an effort to centralize responsibility, the head of the state's information technology division told senators Wednesday.
Statewide oversight of computer policies could be separated into two new positions. While a chief information security officer would be responsible for protecting data, a statewide privacy officer would define exactly what should be protected, Jim Earley of the Division of State Information Technology told senators.
He noted a national group of states' chief IT officers recommends the splitting of duties, in a report titled, “State governments at risk: a call for collaboration and compliance.”
Earley and state Inspector General Patrick Maley testified before a Senate panel that's looking into the hacking of millions of taxpayers' personal data. Data stolen in the nation's largest hacking of a state agency includes unencrypted Social Security and bank account numbers.
The testimony came a day after Maley released his interim report on the state's cybersecurity situation. Gov. Nikki Haley issued an executive order calling for his review Oct. 26, the same day she initially announced the hacking of Department of Revenue computer servers. The tab for her administration's response to the theft is nearly $20 million so far.
Maley told senators the state's current decentralized approach is a recipe for problems.
Neither Maley nor Earey advocated complete centralization, but rather centralizing responsibility of computer security and letting agencies handle operations. Each agency's chief information officer could report to a new statewide cybersecurity chief.
That means someone is in charge to create guidance and set the rules, and agencies can decide how to tailor them for their own circumstances, Earley said.
“Agencies know their operations best,” he said.
Maley did not give any cost estimates for the transition, which would include paying consultants. He said his next report will focus on the cost and timeline of options.
“Whatever your investment on the front end, you get dividends down the road in productivity as well as reducing the risk of a catastrophic failure,” he said.
Currently, Earley's division, which is part of the Budget and Control Board, can only suggest policies. Since 2003, the division has offered security-monitoring services free to state agencies, local governments and school districts. Federal grants, totaling $5 million, have so far funded the monitoring services.
The Department of Revenue has been criticized for not fully using the division's free services prior to the hacking. It became the 54th state agency to sign up for full system monitoring Oct. 20, the day officials say Revenue's breach was closed.
Maley suggests keeping the chief cybersecurity officer independent from Earley's division, due to agencies' historic distrust over what the division charged, often without explanation, for computer services other than monitoring.
Earley said he's working to change the perception that his division puts profits ahead of service.
Sen. Kevin Bryant, the panel's chairman, said the state probably needs to hire one or two people for the statewide oversight, though it's possible that positions could be rearranged to cover the jobs.
He believes the state needs to contract for services, saying private-sector businesses would have an extra incentive not to let another such breach happen.
“Can you imagine the devastating impact it would be on a private corporation to be in the headlines every day with this problem?” he asked.