Gov. Hogan creates CISO position for State of Maryland

Gov. Larry Hogan on Tuesday signed an executive order that’s designed to centralize the state’s cybersecurity activities aimed at preventing attacks and protecting data.

“Security of Marylanders is at the forefront of our administration’s efforts on a day-to-day basis. In today’s world of emerging cyber threats, it is crucial that we work in unity to improve the processes and procedures designed to protect Marylanders and to manage and minimize the consequences of cyber events,” Hogan said in a statement. “The steps we are taking today are about ensuring that Maryland’s infrastructure and citizens are as safe as possible from cyber attacks.”

The executive order creates three new roles and entities within state government under the banner of the Maryland Cyber Defense Initiative:

• The position of Maryland Chief Information Security Officer, to be assumed by John Evans
• The Office of Security Management, which is located within the state’s Department of Information Technology
• Maryland Cybersecurity Coordinating Council, comprised of state officials from multiple departments

According to data compiled by the National Conference of State Legislatures, at least 15 other states have statewide CISOs.

Evans previously served as CISO for the state’s Department of Information of Technology. The new role will extend statewide, and Evans will lead the Office of Security Management. This office will be responsible for overall cybersecurity strategy and policy for the many state agencies that fall within the executive branch. It will also be tasked with updating the state’s cybersecurity manual.

Along with applying best practices from federal government agencies like Maryland-based NIST, these efforts will help align efforts and goals across multiple organizations.

For its part, the Maryland Cybersecurity Coordinating Council is tasked with providing policy-level guidance as cybersecurity standards are implemented. It will also work alongside stakeholders from inside and outside government to provide recommendations on securing the capabilities necessary to “identify, protect, detect, respond, and recover from cybersecurity-related risk,” the governor’s office stated.

While officials are often touting the state’s talent when it comes to cybersecurity, this executive order is focused on the internal work of protecting public data.

The executive order states that the moves comes as there is an increase in the “volume and capabilities of malicious actors seeking to negatively impact the confidentiality, integrity and availability of State systems and data.”

There’s been increasing focus on cyber threats to state and local governments in recent weeks. Locally, that’s come into focus with the ransomware attack against the City of Baltimore.

In Washington, D.C. on Tuesday, the Baltimore attack was referenced as two U.S. senators introduced legislation that’s looking to enable the federal government to provide resources and training to state and local governments that can help detect risks to infrastructure, The Washington Post reported.