The five-part strategy, developed in conjunction with the National Governors Association and National Association of State Chief Information Officers, is part of what officials see as the next leg in a journey to better protect state systems and constituent data.
State CIO Hardik Bhatt told Government Technology that the aggressive push to a more forward-looking strategy is based more on necessity than anything else. Early in his tenure, the CIO said high-level assessments identified what could only be described as “mind-boggling” deficiencies throughout the government.
“To be on the leading edge is, unfortunately for us, a requirement as opposed to being a nice-to-have, because we have not been on the leading edge for quite some time,” Bhatt said. “We have not utilized the last couple of decades in the right manner.”
Under the newly released strategy, DoIT will focus on protecting systems, reducing risk, strengthening cybersecurity capabilities, building an enterprise approach and extending efforts outward for holistic security.
Chief Information Security Officer (CISO) Kirk Lonbom said the efforts to bring the 62 agencies, boards and commissions under the governor’s purview with a more unified policy and security structure have not been without their challenges.
“You can imagine trying to do that many mergers and acquisitions at the same time and the potential impact that you would have on security,” he said.
Since he came on board in August 2015, Lonbom said, agencies have encrypted or eliminated around 5 billion pieces of personally identifiable information from various systems.
But the commitment to better defenses is only one part of the larger story. At the same time officials are trying to maneuver state infrastructure to more secure waters, the state comptroller is calling for a closer look at efforts to implement a comprehensive Enterprise Resource Planning (ERP) system.
The ERP project, Bhatt explained, is a “key cornerstone” to the larger cybersecurity goal. According to the CIO, many of the 400 or so systems used to manage the state’s financial and human resource programs within state government are not only inefficient, but badly outdated.
“We have 400 systems that manage our finance, grants, do [human resources] and everything, and all of them access databases: Excel spreadsheets, mainframe systems and everything that you can think of ... We have to go through four systems to even buy a paperclip. It’s just a crazy way of doing business,” he explained.
“About 30 percent of these systems are so old, and dependent on much older technology, that we cannot even apply security patches,” Bhatt added.
Concern from Comptroller Susana Mendoza’s office centers on what spokesman Abdon Pallasch described as the need for greater transparency when it comes to paying for the work being done.
Most recently, Mendoza suspended $27 million in funds, including $21.6 million meant to pay a number of project consultants, pending a “review of the ERP program.”
“It’s really just an effort to get more answers as to what is going on with ERP,” Pallasch said.
In two press releases, Mendoza took issue with what she characterized as cuts to health-care programs to pay for IT projects, including the ERP.
Bhatt said in the 17 months since the five-year ERP project first launched, roughly 25 percent of the project has been completed. According to Bhatt, it is on time and on budget. Not only that, its completion will help put Illinois — a state with notoriously troubled finances — in a better financial position going forward.
“In general, we are losing out on hundreds of millions of dollars just because we don’t have our financial house technically in order,” he explained. “This is something I wish the state would have done 15 years ago. Then we would not be having this problem.”
Efforts on the CIO’s part to break the stalemate have only garnered one 30-minute call with Mendoza’s senior staff.
Controversy aside, Lonbom agrees that updating the financial systems would go a long way to improving the security stance of Illinois government. The inability to patch certain systems requires alternative measures and extra time and cost.
“It certainly is a problem,” the CISO said of the existing infrastructure. “Obviously, we put compensating controls in place to reduce our risk. Information security is really all about reducing risk to the enterprise and to our citizens, but I think enterprises across the country, especially governments, are facing this issue.”
Pallasch clarified that no one is questioning the need for a new financial backbone.
“What they are saying about old computers is absolutely true. A lot of these computers are from the 1970s. The comptroller absolutely supports the goal of modernizing the state’s computer system ….” he said. “We all should be able to go forward with a computer modernization, but it has to be done right. It can’t be done without accountability.”
While the future remains uncertain, Bhatt and Lonbom are looking forward to ironing out the details and moving forward with plans to secure the state’s technical infrastructure.