Joshua Spence, West Virginia’s chief technology officer, is pushing for an additional $4.5 million in funding to launch a program that would allow his office to compare and analyze the cybersecurity risks currently facing state agencies. The bill Spence is lobbying for, called the Secure WV Act, would enable legislators to get a more in-depth understanding of the state’s current risks and how best to mitigate them in the future.
The proposed program was born out of West Virginia’s involvement in the National Governors Association’s (NGA) Policy Academy on Implementing State Cybersecurity. The state was one of four to earn a spot in the Academy in June 2018. The Academy brings together industry experts, Federal officials, private sector experts, research organizations, and academia to advise the states on how to develop and share best practices in cybersecurity.
“Recognizing both the integration of technology into all aspects of our lives and the exponentially growing cyber threat, the state of West Virginia has enhanced our cybersecurity strategy to focus on cyber risk,” said Spence, who was then the state CIO, when the state was accepted into the program. “The NGA Policy Academy serves as an excellent resource in accelerating the implementation of our strategy and ensuring that steps are taken to leverage cybersecurity best practices.”
During its work with the Academy, the state’s technology team decided it wanted to work more closely with the state Legislature to champion cybersecurity policies and called for starting a new cyber-risk management program. Those two goals are on tap to be realized in the form of the Secure WV Act.
“The reason risk is so important to understand in this context is it helps demystify some of the concerns around cybersecurity, or the unknowns,” Spence told WVNews. “A lot of people get it–they understand there’s something there because they hear about it on the national news. They hear it, but they don’t have that background so they don’t know what it means.”
He further explained that the legislation is about “establishing an enterprise service for cyber risk management, allowing the state to conduct self-assessments or have [a] third-party assessment conducted, and then all of the assessments are conducted off the same standard so we can compare apples to apples.”
However, the impact of the legislation won’t be immediate. Spence said that if the bill becomes law, it would take his office roughly two years to complete initial work; after that, his team would have to determine which part of the state government most needs their assistance.
Spence said that ideally the program would eventually be expanded to all levels of government within West Virginia, though he’s in no hurry to expand.
“We didn’t want to bite off more than we can chew,” Spence said. “We want to show value in the program. It allows us to keep the dollar amount down, build it out, show value, show we can actually do it and do it well, and then we’re not dealing with voluntary participation.”