STATETECH: What are your immediate IT priorities in Maryland?
Leahy: For me, from a technological standpoint, the focus is still on making certain that our one-stop portal continues to intake new applications and modernize for the various government projects. We are very heavily involved in looking at how we will incorporate identity into the portal. If you are going to build a centralized portal, the focal point has to be making sure that the citizens and residents using the services know that their information is secure and that their privacy is being protected.
Our financial management system for the state has been in operation since the early 1990s. It’s a mainframe system. We have started looking at what resources are going to be necessary and what aspects are desired in a replacement for that system, which more than likely will be cloud-based. Although that study won’t finish before the end of the Hogan term, it is already well underway, and I am really looking forward to watching the results from the outside.
STATETECH: What is Maryland’s cloud posture?
Leahy: We have a rather interesting model because we are neither fish nor fowl. I would describe us presently as a federated system, where there are five significant agencies that quite literally have IT programs bigger than my entire department. Although there are a number of services we provide them, they tend to have significant independence. That said, the focus on the cloud has gone from cloud-first to cloud-smart, and Amazon Web Services is our sole cloud provider.
We have a very good relationship with our own private cloud. With the expansion of our one-stop portal and the MD THINK program, which are all cloud-based, and a number of other initiatives in public safety and in the health department, the growth of our cloud platforms will accelerate. I suspect you will see use of the cloud expand over the next decade from probably 25 to 30 percent of things today to over 70 percent.
STATETECH: We anticipate that there will be a wave of federal funding for cybersecurity. Have there already been plans in Maryland for dedicating such funding?
Leahy: We’re waiting for the final direction from the U.S. Cybersecurity and Infrastructure Security Agency with regard to the distribution of those funds. The current expectation is that it will occur in early fall. Of that funding, 80 percent has to go to local governments. Although it is a significant amount of money, it is one-time money, and I want to be very cautious that local governments don’t spend it buying shiny objects that they can’t fund going forward. Our focus is on looking at services that could be distributed among the number of local governments, so that the cost would be lowered simply because of the breadth and the expanse involved.
It’s very important to get folks thinking about common defensive measures. Sharing data about what is going on in any particular network allows us to align our priorities. So, the focus will be on common services, which CISA has said it will allow. And folks who have not had the resources to conduct significant cyber defense in the past hopefully can run an assessment of where they are and what is likely to provide them the most value for the money spent.
STATETECH: What are you looking forward to at the NASCIO Annual Conference today?
Leahy: I have focused a lot of my personal interest into questions surrounding identity. I want to make sure we continue to have discussions about that issue. Security, obviously, will be a significant question, and particularly how folks are looking at the idea of common defense. There are a number of states that have started implementing their security operation centers to work together. North Dakota has been a terrific leader in distributing its model to local governments and working with a couple of other states.
Many of the issues facing state government come down to defining acceptable risk. Thinking about risk management and how we determine what is acceptable is going to go a long way to addressing issues that states are facing now with cyber insurance. Obviously, it’s more difficult to obtain. It’s become very expensive. States can do more to manage risks to their data and how they intend to protect things.
States also must mind the vendor relationships for their supply chain. Obviously, we have faced issues with shortages in the supply chain. But we are using more and more services in the cloud, and as such our secondary and tertiary partners’ risks truly become our own. States must understand what we want to protect and require our partners’ operations to incorporate our view of risk.
Check out more coverage from the NASCIO 2022 Midyear Conference and follow us on Twitter at @StateTech, or the official conference Twitter account, @NASCIO, and join the conversation using the hashtag #NASCIO22.