Commentary: New Information Security Funding Ensures Critical Services

The state’s chief information security officer, Vitaliy Panych, offers his support for a new state funding model that ensures a better cybersecurity posture in the future.

The following commentary was posted Thursday on the California Department of Technology's Tech Blog.

When Gov. Gavin Newsom signed California’s FY 2021-22 budget, he set in motion a host of state technology initiatives that will improve the delivery of government services to California’s nearly 40 million residents. One initiative allows us, the California Department of Technology (CDT), to receive general funding to support essential statewide information security services. The significance of this new funding model can be understood by reviewing CDT’s previous model.

The previous model, funded through the Technology Services Revolving Fund, required state agencies, departments and other government entities to absorb the cost of mandated security services. Some entities found it difficult to pay the cost of program and oversight services, threat information sharing, protection, and centralized Security Operations Center (SOC) functions, all of which are mission-critical security services required of state entities. Due to competing priorities, some struggled to prioritize funding toward remediation efforts of identified audit gaps, while others were unable to sustain audits, assessments, security solutions and SOC mitigations. This new funding shift adds capacity to fund necessary requirements that otherwise may have conflicted with security implementations and deferred security measures.

The new centralized funding model ensures SOC and statewide information security oversight benefits for all state entities and supports maturing the statewide information security infrastructure as a default and a built-in function across state government.

As of July 1, 2021, we discontinued billing for the following services:
  • Security Operations Center (SOC) – monitors and reacts to threats on the state’s primary enterprise network, CGEN.
  • Information Security Audit Program – evaluates compliance with state security and privacy policies.
  • California Compliance and Security Incident Reporting System (Cal-CSIRS) – the tool used for security incident reporting.

This includes Information Security Program Audits, 24/7/365 SOC services, statewide incident reporting, intelligence analysis, information sharing and incident response provided by the California Cybersecurity Integration Center. The new model also ties into the state’s technology strategic plan, Vision 2023:

  • Protect California’s information assets and maximize data access.
  • Develop a robust and collaborative risk reduction strategy.
  • Improve and invest in security capabilities to protect mission-critical systems and data.

By funding security activities in the general fund, state entities are now able to focus on and prioritize fixing critical gaps identified through the oversight program and strengthen their security postures while benefiting from built-in security mitigations from the SOC. It is a significant step that will improve our cybersecurity maturity and preparedness, protect residents’ sensitive information, and continue the safe and secure delivery of essential services to Californians.

Vitaliy Panych was named state chief information security officer in January. He joined state government in 2003 and held a series of increasingly responsible positions across several departments before his current role, including with the Franchise Tax Board, the California Department of Corrections and Rehabilitation and the Employment Development Department.