Amy Tong credits strong agile development and project management with California’s advances in digital services. 

Jan 18 2019

Q&A: California CIO Amy Tong Calls for More Focus on Cybersecurity

While California has been a national leader in digital services, its IT chief believes officials could do more to boost cyberdefenses.

California’s website ranks among the 150 most popular websites in the United States. That may be because it’s so easy to use. Indeed, California receives high marks for offering citizen services digitally. To advance California’s status as a digital leader, state CIO Amy Tong emphasizes making strategic investments, brokering services for other agencies and bolstering cybersecurity.

In an interview with StateTech, Tong described how far California has come in its modernization efforts and what more she and others must do, particularly to defend against cyberthreats.

GET STARTED: Register for the StateTech Insider program today.

STATETECH: The Center for Digital Government’s 2018 Digital States Survey recently gave California an A- grade for its practices. What factors led to California getting such a high grade? 

TONG: We’re very happy and very grateful for the fact that we were able to get a grade of A-, which is up from our B+ for the past 10 years. A lot of hard work made that happen. In addition to the work associated with agile development and project management, we increased our presence in project oversight to ensure that large investments are well managed. We also have modernized IT procurement to support our agile methodology. We started doing more modular procurement so that things can move faster with a lower risk.

We also put a lot of emphasis on public safety, public communication networks and the services that are needed. In addition to the A- grade, we ranked first in public safety.

STATETECH: At the NASCIO 2018 conference the organization promoted the concept of the state CIO as a broker. What do you think of that model? 

TONG: State CIO as a broker is absolutely the path that we take in California. In fact, we took on that role publicly about two years ago when I first came on board. We as a state technology organization cannot do everything ourselves. There are a lot of resources out there and a lot of partners we can tap into. It’s a matter of how to facilitate those partnerships with a focus on delivering business outcomes.

So, we are actively reaching out to our private sector partners to let them know what they can do to help the state. We don’t need to do everything ourselves. And we’re continuing to increase brokering services for our customers based on their demands, so that we can continue to adjust what services California requires and who our partners should be.

STATETECH: If budget wasn’t an issue, what would be on your wish list for modernization? 

TONG: I would absolutely want more emphasis on cybersecurity. Today, it’s still an afterthought when it comes to budgeting, although there’s heightened awareness of the need for cybersecurity.

I don’t think enough folks see cybersecurity protections as part of the cost of doing business. Obviously, the adversaries use cyberthreats as a way to threaten us. If they were to operate without budget constraints, what would we spend to stop them?

Amy Tong, California CIO
I don’t think enough folks see cybersecurity protections as part of the cost of doing business.”

Amy Tong California CIO

STATETECH: The cybersecurity threat landscape is always evolving. What keeps you up at night? 

TONG: I still feel like we’re not doing enough. We need to do more from within. In many cases, we can prevent mistakes by end users with better training, for example. We can do more to remind everyone what they should be doing so we don’t leave the door open and allow vulnerabilities to be exploited.

MORE FROM STATETECH: These are the top state and local government IT trends to watch in 2019. 

STATETECH: How has the state’s use of cloud evolved over the past couple of years? 

TONG: Cloud migration has been a focus of the state of California for a while. More than four years ago, the state adopted a cloud-first policy. With anything that is built brand-new, we should consider cloud as the first choice. And whenever we can, migrate to cloud as a first choice.

However, through the past several years, we’ve seen that migrating to cloud is not as easy as some might think, especially when you have large legacy systems that are not cloud-ready. We have switched our focus to encouraging cloud adoption rather than simply insisting on cloud-first.

Be smart. Be strategic. Be thoughtful about what it will take to actually move a solution into a cloud environment when it was not designed to be that way. Or make a very concerted effort to plan anything that is brand-new in the cloud.

STATETECH: What lessons learned would you share with your peers who are not as far along on cloud migration? 

TONG: Going to the cloud is a journey, not an overnight destination. Many of my peers are facing my situation, where they have a lot of existing systems to consider. They must conduct a cloud readiness assessment, which California did for every single one of our major systems, whether it was a simple “lift and shift” to go to the cloud or it required design and building out.

Look at the budget ahead of time and set expectations on the timing required to develop a realistic plan for going to cloud. Do that assessment up front and then decide what things can go in easily and what things require more time.

Photography by Robert Houser

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT