The state of California is engaged in a national search for a chief information security officer (CISO) that has identified multiple candidates in a process that has stretched on for months.
The position, which has not been permanently filled since March, has become higher-profile as the state has started to revamp its cyberstrategy in the wake of an unflattering audit of state agencies and department released last year that prompted increasing scrutiny from lawmakers.
In a conversation with reporters this week, state CIO and Department of Technology Director Amy Tong said finding a state CISO for California is not an easy task and that the Governor's Office has been actively engaged in the recruitment.
"We have several candidates we're in talks with, so we're hoping soon that we'll be able to announce someone, but we're not there yet," said Tong.
It remains to be seen if or how the duties of the next CISO will change, but the office that person will lead — the California Information Security Office — already is evolving, Tong said.
"Maybe because of the leadership style that I bring forward to this organization, as well as the heightened visibility of information security and working with the four partner entities," Tong said, referring to her department, CHP, California Office of Emergency Services and the Military Department, "I think the way this office will be operating will change."
In one example, Tong said some Office of Information Security staff already are co-located at the California Cybersecurity Integrated Center (Cal-CSIC), a new threat-monitoring facility at CalOES that went live earlier this year.
Gov. Jerry Brown created Cal-CSIC through an executive order issued soon after the 2015 cybersecurity audit was made public. The audit found that most state agencies departments self-reported that they aren't fully compliant with California's existing security standards.
There were also rumors and rumblings that the administration might opt to move the Office of Information Security out from under the Department of Technology, and perhaps relocate it to CalOES.
But Tong said that to her knowledge, there are no plans to make that move.
"From everything I've seen so far, I feel very comfortable the CISO office — the California Information Security Office — will remain under Department of Technology," said Tong.
Scott MacDonald is serving as California acting CISO.
