Maryland CIO Michael Leahy has seen huge gains made from portfolio management, providing a model for other agencies to follow.

Oct 09 2022

NASCIO 2022: Q&A: Maryland CIO Michael Leahy Keeps His Eyes on the Future

The president of the National Association of State Chief Information Officers values the processes and standards that will serve the next administration.

Maryland CIO Michael Leahy plans to wrap six years in office when Gov. Larry Hogan leaves his post in January. In his time as CIO, Leahy has made significant progress in optimizing the state’s resources and preparing Maryland for a cloud-smart future. He also has made remarkable strides in establishing standards and processes that empower agencies to measure gains and examine tech alternatives.

StateTech Managing Editor Mickey McCarter chatted with Leahy about his priorities in his remaining months in office. As Leahy is currently president of the National Association of State Chief Information Officers, he also shared some potential focus areas for the 2022 NASCIO Annual Conference on Oct. 9-12 in Louisville, Ky.

STATETECH: What’s on your mind as you prepare to welcome a new administration in Maryland?

Leahy: The highest priority is making certain that those who follow in the next administration are very aware of everything we have accomplished. New administrations come in with lots of new ideas and new priorities. I want the folks who follow in our footsteps to understand that there is significant value in building on what we’ve done.

We must provide them with a transition plan that lays out the entire landscape and identifies the quick wins available to them. We last issued an IT Master Plan for three years: the last two years of the Hogan administration and the first year of the next administration. It was mostly geared toward process. It’s terribly important in my mind, even if you are going to maintain a federated system, that everyone know their responsibilities and that there is a methodology to track the progress or the problems associated with any particular issue.

We’ve done an amazing job. We started our Portfolio Office three years ago. It has been so successful in terms of running our customer service and our project intake flows that three other significant state agencies have adopted that model.

Click the banner below to gain customized insights for government agencies as an Insider.

STATETECH: What are your immediate IT priorities in Maryland? 

Leahy: For me, from a technological standpoint, the focus is still on making certain that our one-stop portal continues to intake new applications and modernize for the various government projects. We are very heavily involved in looking at how we will incorporate identity into the portal. If you are going to build a centralized portal, the focal point has to be making sure that the citizens and residents using the services know that their information is secure and that their privacy is being protected. 

Our financial management system for the state has been in operation since the early 1990s. It’s a mainframe system. We have started looking at what resources are going to be necessary and what aspects are desired in a replacement for that system, which more than likely will be cloud-based. Although that study won’t finish before the end of the Hogan term, it is already well underway, and I am really looking forward to watching the results from the outside.

DISCOVER: What state and local agencies plan for identity and access management for citizens.

STATETECH: What is Maryland’s cloud posture?

Leahy: We have a rather interesting model because we are neither fish nor fowl. I would describe us presently as a federated system, where there are five significant agencies that quite literally have IT programs bigger than my entire department. Although there are a number of services we provide them, they tend to have significant independence. That said, the focus on the cloud has gone from cloud-first to cloud-smart, and Amazon Web Services is our sole cloud provider.

We have a very good relationship with our own private cloud. With the expansion of our one-stop portal and the MD THINK program, which are all cloud-based, and a number of other initiatives in public safety and in the health department, the growth of our cloud platforms will accelerate. I suspect you will see use of the cloud expand over the next decade from probably 25 to 30 percent of things today to over 70 percent.

STATETECH: We anticipate that there will be a wave of federal funding for cybersecurity. Have there already been plans in Maryland for dedicating such funding?

Leahy: We’re waiting for the final direction from the U.S. Cybersecurity and Infrastructure Security Agency with regard to the distribution of those funds. The current expectation is that it will occur in early fall. Of that funding, 80 percent has to go to local governments. Although it is a significant amount of money, it is one-time money, and I want to be very cautious that local governments don’t spend it buying shiny objects that they can’t fund going forward. Our focus is on looking at services that could be distributed among the number of local governments, so that the cost would be lowered simply because of the breadth and the expanse involved.

It’s very important to get folks thinking about common defensive measures. Sharing data about what is going on in any particular network allows us to align our priorities. So, the focus will be on common services, which CISA has said it will allow. And folks who have not had the resources to conduct significant cyber defense in the past hopefully can run an assessment of where they are and what is likely to provide them the most value for the money spent.

EXPLORE: Ways to implement multifactor authentication for agencies without a mobile device.

STATETECH: What are you looking forward to at the NASCIO Annual Conference today? 

Leahy: I have focused a lot of my personal interest into questions surrounding identity. I want to make sure we continue to have discussions about that issue. Security, obviously, will be a significant question, and particularly how folks are looking at the idea of common defense. There are a number of states that have started implementing their security operation centers to work together. North Dakota has been a terrific leader in distributing its model to local governments and working with a couple of other states. 

Many of the issues facing state government come down to defining acceptable risk. Thinking about risk management and how we determine what is acceptable is going to go a long way to addressing issues that states are facing now with cyber insurance. Obviously, it’s more difficult to obtain. It’s become very expensive. States can do more to manage risks to their data and how they intend to protect things. 

States also must mind the vendor relationships for their supply chain. Obviously, we have faced issues with shortages in the supply chain. But we are using more and more services in the cloud, and as such our secondary and tertiary partners’ risks truly become our own. States must understand what we want to protect and require our partners’ operations to incorporate our view of risk.

Check out more coverage from the NASCIO 2022 Midyear Conference and follow us on Twitter at @StateTech, or the official conference Twitter account, @NASCIO, and join the conversation using the hashtag #NASCIO22.

Photography by Gary Landsman

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT