The recommendation, outlined in the department’s 2022 Biennial Performance Report tracking state agencies’ technology progress, noted that state law requires each state agency and higher ed institution to designate an ISO, but does not permit agencies or institutions to designate a joint ISO as a shared resource. The department’s report said that changing this policy to allow the sharing of IT security expertise could help colleges and universities with limited resources that are struggling to fill cybersecurity administrative roles and retain personnel.
“Permitting state agencies and IHEs [institutions of higher education] to designate a joint ISO that is employed by one organization and simultaneously serves as the ISO for two or more designating entities will provide cost-effective, resource sharing that benefits smaller agencies and IHEs,” the recommendation in the report read.
According to the state’s Chief Information Security Officer Nancy Rainosek, the recommendation generally aims to help smaller agencies and institutions, which have less staff and funding, gain access to the expertise needed to secure growing networks amid an increase in digital learning and telework.
While Texas already allows agencies to share information resources managers who help prepare biennial operating plans and project management practices, Rainosek said in an email to Government Technology that the new recommendation would apply this idea to ISOs. She said small state agencies and public junior colleges would be most likely to utilize this policy if enacted, “with a goal of having proper controls in place to prevent security incidents and effectively respond when needed.”
“Unlike large state agencies and institutions of higher education, the smaller agencies don’t usually have the resources to dedicate staff to tackle security full time, and their ISOs are wearing multiple hats, such as network administrator or IT manager,” she wrote. “Having the ability to ‘share’ ISOs between organizations would provide a person that was focused on ensuring security is a priority at those smaller agencies. Public junior colleges may also benefit from a program like this.”
Rainosek said that allowing universities, colleges and other agencies to share cybersecurity expertise could bolster network security as cyber attacks against government entities become both more frequent and more sophisticated. The need is particularly important for colleges and universities battling costly data breaches and cyber attacks, such as a hacker attack against the University of Texas at El Paso last year that shut down networks for days and ransomware attacks like the one that led to the permanent closure of Illinois’ Lincoln College earlier this year.
“Information security threats are ever evolving and increasing for the public and private sector in general,” Rainosek wrote. “The goal is to equip the Texas public sector to be prepared to thwart attacks.”