Three years after a major overhaul of the way the state controls its information technology systems, Louisiana is saving millions of dollars, and officials say that it’s well positioned to protect information from security threats.
Efforts are underway to learn even more about cybersecurity threats and what more can be done.
“Right now, I think the state is in its best posture ever, and we’re continuing to improve upon that,” Dustin Glover, the chief information security officer in the state’s Office of Technology Services, said in a recent interview with The Advocate.
Gov. John Bel Edwards, through a recent executive order, created a 15-member “cybersecurity commission” to identify and mitigate the state’s risks.
In announcing the group, Edwards said his goal was for the state to “continue our commitment to establishing cybersecurity capabilities and resources in order to adequately maintain the stability of public services while ensuring proper privacy and protection for the data that is entrusted to the state by our citizens.”
Edwards has picked Craig Spohn, executive director of the Cyber Innovation Center in Bossier City, to lead the new commission. It will be staffed under the Louisiana National Guard.
Aside from monitoring the state’s security measures, part of the council’s charge is to foster cybersecurity education programs, research and jobs.
Louisiana leaders say the state is always vulnerable to cyber-attacks that aim to breach or damage computers and networks. In addition to potentially costing the state money, those threats also pose privacy risks for residents.
“It’s always going to be a target,” Glover said.
Rep. Barry Ivey, a Central Republican who often totes an iPad around the State Capitol, sponsored legislation last year requiring an overview of Louisiana’s current cybersecurity measures and other information technology issues. He’s on the National Conference of State Legislatures’ task force on cybersecurity.
He said he doesn’t have legislation in mind just yet, but he hopes that the report due to the Legislature next month will help identify areas where improvements can be made.
“It will help us understand where we truly are vulnerable and assess whether additional funding is needed and where the most critical needs are,” Ivey said. “Understanding where the big holes are could help us prioritize the spending.”
He said he worries because most breaches exploit vulnerabilities. Without knowing those potential entry points, the state is less prepared to stop threats, he said.
“We are responsible for so much personal information that we must do what is necessary to make sure it’s safe and secure,” Ivey said.
Louisiana set out on a wave of upgrading its computer systems and consolidating its information technology efforts under the executive branch in 2014. The move has been the subject of glowing articles in Forbes magazine and other business publications.
“A budget-constrained state government may be the last place you’d expect to find a top-to-bottom digital transformation that ranges from citizen-facing services all the way to the underlying network. Louisiana, however, is well on its way to such a transformation,” Forbes reported in August.
The Office of Technology Services manages an average of 585 million “events per day” — which can include someone logging into a computer, sending an email or visiting a website. There are about 40,000 users in the executive branch.
Whenever an activity is flagged, the IT team reviews the issue.
Eight issues reached the level of becoming “incidents” that had to be more thoroughly investigated in 2017, Glover said. None reached the level of becoming a breach or major issue.
“That’s where we want to be, obviously,” Glover said.
A cybersecurity report compiled by Verizon in 2017 found that public sector entities were the third-most common breach victims, behind financial organizations and health care organizations. That report also found that public-sector entities were most likely to be intentionally targeted.
Often threats come in the form of emails that appear to be authentic and are tailored to a state-specific function.
Glover said that attempts to click on suspicious links or open attachments are flagged by his department and evaluated before the tasks can be completed.
He said the goal is always to improve and make the system as efficient as possible. “We’re making significant strides within that regard,” he said.
Glover said the consolidation of information technology services under the Jindal administration has helped the state modernize its efforts.
Before state agencies were moved under a centralized operation, each managed its own information technology efforts. Glover said that left holes in the system. Some smaller agencies didn’t even have a dedicated IT professional on staff full time.
The Jindal administration announced in 2015 that in the first year of the consolidation, the state saved about $75 million on its IT services — about $20 million of that in the general fund.
Follow Elizabeth Crisp on Twitter, @elizabethcrisp.