That means the state will be engaging more with vendors on security, and looking for partners to achieve its goals. At the California Cybersecurity Education Summit held Dec. 17 in Sacramento, state and private-sector IT leaders gathered for a panel on the “whole-of-government” approach to cybersecurity to talk about what the future looks like.
Here are three drivers of the state’s vendor work heading into 2025.
1. BUTTONING UP VENDOR RISK
Even with StateRAMP and the other cybersecurity standards the California Department of Technology has set, it is not easy for the state to keep an eye on the security practices of every vendor used across its sprawling, complicated enterprise.
But the state will be looking to change that in coming years.
“They may not be doing their due diligence — and we’re not aware of it — in terms of having their own security controls implemented. And they’re actually aligned with our state standards,” said Payam Hojjat, the state’s cyber risk and governance chief within CDT. “And then there’s a lot of different avenues for threat actors to get into the state environment from those third parties. So that’s going to be a very important topic over the next several years where we’re going to really try to focus and buckle down on making sure we do vet out those third-party vendors.”
Hojjat didn’t provide much detail about what that might look like, but he did specify that one basic problem is in simply understanding what the state’s technology landscape looks like.
“Every entity can pretty much buy what they want … we’re struggling with that visibility of understanding what everyone has out there, and we don’t have that capacity to make sure that those specific entities or vendors out there are fully compliant,” he said.
2. CYBER HYGIENE STILL A PROBLEM
As widespread as security training has become, basic cyber hygiene among end users in state government is still a problem, the panelists said. Maria Lipana, who manages the California Cybersecurity Integration Center’s (Cal-CSIC) Cyber Threat Intelligence branch, said one of the main avenues for hacking in the state is computers with default passwords that are never changed.
Hojjat said multifactor authentication (MFA) is also an issue. CDT has policies requiring MFA, but compliance is spotty.
“I think 80 or 90 percent of … the major incidents that I see are because they don’t have MFA enabled. That’s literally why,” he said. “It’s just baffling to me because we have state policy out there, but some people just don’t want to implement MFA.”
3. COLLABORATION, COLLABORATION, COLLABORATION
The state has made considerable progress in recent years toward a collaborative, enterprise-wide approach to security. That is the whole idea behind Cal-CSIC, which promotes security best practices, shares vulnerability information and responds to threats and incidents across departments.
Lipana said Cal-CSIC hopes to have an operational technology lab open in early 2025, which will give it more opportunities to collaborate with vendors and government agencies.
“That’s where we have all partners come in, from government and private [sector], and that’s where we’re able to do some red teaming and have a safe and controlled environment to look at these systems and defend against them,” she said.
Such collaboration is vital, said Fred Gomez, agency information officer and IT director for the Department of Food and Agriculture. When he served as CIO of the Public Utilities Commission, he said, he lacked a full view of what systems were mission-critical for different pieces of the organization. Only by engaging them one-on-one could he gain the type of understanding he needed to pitch technology to them — as well as go through processes such as drafting technology recovery plans.
“It’s easy for me to identify technology in security going forward, but if I don’t understand the business, if I don’t have some level of understanding, it’s really hard for me to sell a solution to them,” Gomez said.