“I don’t think anyone is ready to declare victory in either cybersecurity or privacy right now,” he said at the NASCIO Midyear conference earlier this month.
But that doesn’t mean that Vermont isn’t working to better secure residents’ personal identifiable information (PII). The state doesn’t have a chief privacy officer, but the Agency for Digital Services (ADS) is working this year to establish a Cybersecurity Critical Infrastructure Council that Nailor said would go a long way toward protecting PII that sits outside of state government systems.
The council would be a public-private partnership chaired by Nailor and include representatives from critical infrastructure systems, emergency management and homeland security, along with the state CISO. The idea is that the state government could bring some of its own lessons learned from previous experiences — such as last month when many of Vermont’s major public-facing websites went down — to bear on the security of systems like hospitals and utilities that residents regularly use.
Nailor gave the example of a 24/7 security information and event management solution that Vermont stood up last year, something that may be out of reach for smaller operations but that the state could offer as a service. Then if a water utility’s SCADA system, for example, were to face a cyber attack, ADS could support them.
“It’s a really big step,” Nailor said, “and one that I think will benefit privacy for our citizens beyond just what government services are directly.”
