Understanding and addressing user needs, fostering interagency connection, educating end users, ensuring data security and protecting infrastructure are part of Bond's strategy to build a strong information security foundation.
“I always ask people, ‘Where should we start, where should we stop, and what should we continue?’” Bond told Government Technology in an interview after her appointment. “There are different needs, but it’s very important to understand where our stakeholders are ... if we’re meeting their needs, if there’s additional training, if there’s more flexibility needed.”
Bond, a career technologist, took on the role of overseeing the Department of Information Technology’s (NCDIT) Enterprise Security and Risk Management Office (ESRMO) on March 3. She said she believes information security requires a collaborative mindset from the outset, from understanding stakeholders to receiving feedback about user needs. It requires collaboration across agencies, education for end users and ensuring proper access management, among other points.
“My big three pillars are always, always going to be people, processes and technology,” Bond said. “We must have all three of those aligned to a certain extent to have any type of consistency with how we protect our data.”
ESRMO has nine to 10 full-time employees, supported by a managed security services provider, which contributes an additional five to six contracted staff, Bond said. This blended team conducts core operations for the organization’s cybersecurity and technology risk management, and works strategically with state agency CISOs, executives and additional stakeholders.
On shared responsibility, she said that “helping secure the state’s information is not just my job alone. It takes collaboration with everyone.” This requires effort from the end users who are logging in at home, NCDIT employees responsible for identity management and overall security, agencies sharing information, and third-party vendors providing cloud and additional services.
The CISO said she sees potential rather than threat in artificial intelligence (AI). “I actually see AI — specifically, generative AI — as a friend,” she said. “If it is implemented correctly, used correctly, it can complement processes that we have in place.”
Technology alone cannot solve problems, Bond said; the success of any tool depends on educated users and well-defined processes. Overreliance on “shiny new tools” without addressing the human and procedural aspects can introduce new vulnerabilities, and this includes tools from third-party vendors.
In the interview, Bond advocated for an adoption framework that identifies and assesses new technologies thoughtfully, communicates their purposes and intended use cases, and ensures secure delivery and proper access. She also stressed the importance of education, especially in areas such as the cloud. Many still view the cloud as a mysterious or abstract solution, she said, when in fact it relies on physical data centers managed by third parties who also introduce complexity and risk. Understanding individual responsibility for data security, regardless of the platform or provider, is key.