Ernest Shih is agency information security officer (AISO) at the California Department of Veterans Affairs (CalVet), a position he has held since May 2016. He was previously the chief enterprise architect for the Employment Development Department, and later had a similar role at the California Department of Corrections and Rehabilitation. Shih teaches computer science courses at American River and Cosumnes River colleges. He also serves as a communication services officer for the United States Coast Guard Auxiliary.
Shih has a master’s degree in computer science from National University and a bachelor’s degree in engineering from California State University, Sacramento. He holds certifications from companies including CompTIA, Compaq/HP, IBM, SIIA and Toshiba in hardware and software applications and was trained by the Department of Justice in computer forensics and justice systems. In his spare time, Shih works to expand his own computing experience into the area of building applications and helps small businesses and nonprofits grow.
Techwire: As AISO of your organization, how do you describe your role; and how have the role and responsibilities of the AISO changed in recent years?
Shih: As agency information security officer (AISO), I am responsible for information security program oversight, policy and procedures. This includes ensuring compliance with applicable control agency policies, standards and guidelines contained in the Statewide Information Management Manual (SIMM) section 5300. This role includes working with our diverse programs. For example, CalVet is a Health Insurance Portability and Accountability Act (HIPAA) covered entity that is implementing an electronic health record solution for our Veterans Homes throughout California. My role helps ensure that appropriate information security requirements are considered and incorporated within CalVet’s IT solutions. Project success is of the utmost importance, and ensuring that deliverables appropriately cover the three core tenets of information security — confidentiality, integrity and availability (CIA) — as well as a fourth, accountability (CIA+A), is no small undertaking. This is especially important as many agencies and departments have increased their cloud computing presence. Cloud computing has added a different dynamic to my role as AISO.
Over the years, my focus has been on ensuring CIA+A from a client/server computing perspective; whereby, risks have been associated with physical devices and a physical infrastructure. That world has rapidly changed, and our workforce is no longer tied to a physical workspace. Now, a year into the pandemic, our department has relied on more cloud solutions and remote work (aka telecommute or telework) as the recent adoption during the emergency pandemic. For me, the risk focus has changed from a traditional office to that of a virtual one. Incidents and threats are Internet-based with infrastructure, computing and applications available to staff in the cloud. Contracts and service-level agreements (SLAs) with vendors, often sharing and/or transferring risk, have become increasingly important. Moreover, the need for more security awareness has also increased over the past year with the use of video conferencing and Microsoft Office 365.
Techwire: How big a role do you personally play in writing your organization’s strategic plan?
Shih: My contributions are as a member of our IT leadership team. Our department strategic plan includes “implementing modern information technology solutions throughout CalVet.” I support the overall strategic planning effort by providing an information security perspective and foresight during the planning effort.
Techwire: What big initiatives or projects are coming in 2021? What sorts of RFPs should we be watching for in the next six to 12 months?
Shih: CalVet’s focus, over the next 12 months and beyond, is on a successful implementation of the CalVet Electronic Health Record (CEHR) system. This is a non-delegated project with California Department of Technology oversight. We have already selected the vendor for this project. Our department will continue to explore cloud solutions where it makes the most sense.
Techwire: How do you define “digital transformation,” and how far along is your organization in that process? How will you know when it’s finished?
Shih: While there are many variations in the definition of digital transformation, I define digital transformation as simply enhancing your business through all things digital. Digital transformation is a top focus for CalVet. For example, our CEHR project is solving business problems that exist due to paper processes. With the CEHR project, the goal is to go paperless with an electronic health record system. Additionally, the CEHR solution will be completely in the cloud. From an information security perspective, CalVet follows all state policies and regulations. CalVet is committed to moving forward with processes and procedures that account for and handle information security. As mentioned previously, another tangible example of digital transformation is that cloud computing has enabled CalVet to conduct business virtually and embrace remote work. This was extremely important during this pandemic as the state directed the use of emergency remote work.
Techwire: What is your estimated IT budget and how many employees do you have? What is the overall budget?
Shih: The department’s overall 2020-21 budget is $514 million, with approximately 3,540 authorized positions. The Information Services Division comprises approximately 100 employees, serving offices in Sacramento Headquarters, Veterans Homes, Veterans Services District Offices, and cemeteries.
Techwire: How do you prefer to be contacted by vendors, including via social media such as LinkedIn? How might vendors best educate themselves before meeting with you?
Shih: I prefer vendors to contact our Agency Information Officer (AIO) Isaiah Mall. Also, prospective vendors should educate themselves on CalVet’s mission and strategic plan prior to contacting us.
Techwire: In your tenure in this position, which project or achievement are you most proud of?
Shih: I have been involved with many projects in my tenure at CalVet. My involvement in the current CEHR project is what I am most proud of. I have devoted most of my energy in nearly five years to CEHR and have learned a great deal about large and complex projects involving planning, requirements analysis, and procurement. In addition, I am proud of the work my security team and I have done with evaluating security requirements and documenting as well as enhancing our department’s information security policies, plans, processes and procedures. Through this effort, I feel we have helped position CalVet to be prepared for and respond to its information security needs.
Techwire: If you could change one thing about IT procurement, what would it be?
Shih: State government is heavily reliant upon standardized IT procurement procedures. If I could change one thing about IT procurement, I would like to see more vendor participation.
Techwire: What do you read to stay abreast of developments in the gov tech/SLED sector?
Shih: I read a variety of technology resources, including Techwire, to stay abreast of gov tech and to better understand the SLED market, including its emerging technology trends, vendor profiles and stability, product composition, licensing schedules, fee structures, etc.
Techwire: What are your hobbies, and what do you enjoy reading?
Shih: My main hobby is cooking. I absolutely love cooking. Simply put, my kitchen is my playground in every sense. When a cookbook is not in my hands, I enjoy reading books on health and nutrition.
Editor’s note: This interview has been lightly edited for style and brevity.