NASCIO 2024 Midyear: Maryland CIO Katie Savage Seeks Greater IT Coordination

I think about it as three concentric circles. In the first circle, there is the security of the products that we operate at the Maryland Department of Information Technology. We weigh third-party risks to determine what software will be in our stack and how secure it is, along with terms and conditions and things like that. In the second circle is our work with our fellow agencies and various departments to think about their cyber footprints and to ensure that their endpoints and data are secure. The third circle is how to extend that service to the counties, municipalities and the public school system. How can we as a state be a resource to them?

A third priority for me is expanding our digital service capability. When I started with the state, I was surprised that we didn’t have in-house developers. I came from the U.S. Digital Service community, where we had in-house developers, engineers, designers and data scientists. They would kick the tires on technology and also look at architecture. It’s really important to have that tech talent in-house, so we are focusing on that as well.

STATETECH: You’ve done some reorganizing at the Maryland Department of Information Technology. You’ve added some leadership positions and changed the organization a bit. Can you tell us what you’ve been doing?

SAVAGE: We created the role of CTO. There are a lot of things that we need to be strategic about. We have been thinking about a more strategic data role for the organization and moving from operating a handful of applications to owning the data strategy for the state. We also are improving our Software as a Service and access management offerings.

We manage two major networks, so there is some infrastructure work that we would like to do. We would like to be more strategic. We manage networkMaryland, the state’s public sector data transport and common service delivery network. We also manage Maryland FiRST, which is the state’s radio network. In addition, we operate several data centers. There are a lot of strategic decisions to be made with regard to the two networks and our infrastructure.

And there are also client services and hardware. We are thinking about how to make more informed decisions in these areas and how they support cybersecurity. That all falls under the role of the CTO.

We’ve long had a CISO, but we are now building out a number of roles under the CISO. We created a director of cyber resilience position. That is someone who formally oversees our security operations center. We also created a director of governance, risk and compliance role, which oversees third-party risk assessments and related policies and procedures. We are building out a more robust team under the state CISO.

We also have established the state’s first chief digital experience officer. We outsource a lot of our web work. But there are so many low-code/no-code options available for web development, and we are not really leveraging them. We don’t have the engineering or content management capabilities in-house right now. Right now, if someone wants a minor change in a website, it’s a major process, and it doesn’t have to be that way. I also don’t think that a lot of the state’s websites were created with the end users in mind.

The other part of digital experience work is in applications. We have played an oversight role for managing IT projects in the state, making sure they are on time and on budget, but we have been less involved in the development of those projects. To me, it’s important that we work early and often with our executive agencies to engage in discovery up front. We want to focus on business outcomes as opposed to looking at software and deciding that it might meet a business objective.

READ MORE: Maryland’s governor sets equity priorities for MD-THINK.

STATETECH: You also established an artificial intelligence adviser role. How is the state employing AI?

SAVAGE: We hired Nishant Shah as senior adviser for responsible AI, and he began his job in August. The first order of business was working on an executive order, which the governor signed in January. That calls for a few things. First, it establishes the principles that we intend to adhere to when deploying AI to ensure that it is ethical and secure. It also calls for a subcabinet that consists of myself and other secretaries that have equities in AI and that want to ensure that we are applying, deploying and scaling AI in the right ways. It also calls for a partnership with the academic community, which we are actively working on.

It calls for establishing real use cases, and that is where Nishant Shah is focusing now. We are choosing some strategic pilots and deploying some technologies to support them. We are in the early days of deciding how we want to use AI. We have some live use cases such as license plate readers and mail scanners. But we want to look at how we can best leverage large language models and chatbots, particularly to improve services.

STATETECH: I understand that you have formed a statewide IT council.

SAVAGE: I think it’s a practice that fell off in recent years — convening the IT leadership from across the state. Like many other states, Maryland is “lightly centralized.” The Department of Information Technology provides the core of enterprise services, but individual agencies have a lot of governance over applications, websites and the like. We are still evaluating the right role for DoIT. I cannot do that alone.

So, the CIOs and the IT directors from all of the executive agencies have been meeting quarterly. We have started a conversation about their expectations of my organization. What are the products and services they require? How do we meet economies of scale? How do we achieve more seamless service delivery? What are the things at the application layer that they want to administer themselves?

The other purpose of the council is to start to make collective IT investments. Right now, agencies submit individual requests to the Department of Budget and Management. We want to start a conversation with our fellow IT leaders to decide where we want to invest to move things forward for all of us.

LEARN MORE: Here’s how chief AI officers can help state agencies innovate.

STATETECH: Maryland is once again hosting the National Association of State Chief Information Officers’ midyear conference at National Harbor at the end of April. What are you most looking forward to from the conference?

SAVAGE: I really enjoy connecting with my peers and gaining insight into their challenges. It’s nice to know that I’m not alone in this journey of centralizing and coordinating government IT.

I’m excited to talk in particular about service design. We have a fairly prescribed intake process for how we receive requests for services support from agencies. I’m interested in how other states implement service design reform and how they identified pain points and worked through them. I’m also interested in talking about prioritizing IT projects. There are a lot of stakeholders and a lot of voices that go into making a case to the governor’s office, to the legislature and to your peers. What does that look like from a leadership perspective?

Finally, there is a lot of concern about AI and data privacy and security. A lot of what we are talking about — the calls for transparency, security review or impact assessment — are things we should be doing for all technologies. I am interested in how my peers are thinking about using the advent of more readily accessible AI to improve their existing processes and procedures. How do we use this opportunity to apply best practices to all government technology across the state rather than be so specific about AI?

Keep this page bookmarked for our coverage of the NASCIO 2024 Midyear conference. Follow us on X, formerly known as Twitter, at @StateTech and the official conference Twitter account, @NASCIO. Join the conversation using the hashtag #NASCIO24.