Michele Robinson, the state of California's chief information security officer, is no longer serving in the position, she announced in an email to colleagues on Monday.
Robinson wrote that she plans to remain active in the information security community and will assist the state with transition activities as needed.
"It has been an honor to serve as your State CISO and to work with you all toward the advancement of information security and privacy programs in state government, as well as California’s overall cybersecurity posture," Robinson wrote.
The move comes two weeks after an oversight hearing where Robinson faced pointed questions from state lawmakers about a scathing 2015 state audit that questioned the state government's cybersecurity readiness.
The Brown administration appointed Robinson the state's top IT security official in May 2013. In the position, she directed the Office of Information Security (OIS) within the Department of Technology.
Robinson joined OIS in 2007 and was the acting director since February 2013 after the departure of Keith Tresh. Prior to being the acting director, Robinson was the deputy chief information security officer, managing daily operations and the statewide information security program.
The OIS is charged with ensuring the protection of state government data, systems and applications. The office also serves as a liaison to federal, state and local government on cybersecurity.
"We are battling a well-advantaged adversary,” Robinson told the Assembly Select Committee on Cybersecurity in April 2015. “They are well-funded, well-organized. They don’t have to follow the rules we have to follow when dealing with technology and information sharing.”
In a state audit of the state's cybersecurity readiness made public in August 2015, 71 of 77 state entities reported that they weren’t fully compliant with cybersecurity measures in the State Administrative Manual and other security regulations. State Auditor Elaine Howle called the findings "alarming."
The audit seemingly prompted intensified scrutiny from the executive branch and the Legislature.
In September, Gov. Jerry Brown issued an executive order creating a California Cybersecurity Integration Center within the California Governor’s Office of Emergency Services (Cal OES).
New legislation introduced last month by Assemblymember Jacqui Irwin could thrust Cal OES into a lead role on cybersecurity. Irwin’s bill, AB 1841, states that Cal OES is up to the task of creating a statewide cybersecurity response plan because it is the lead executive entity that coordinates state resources for emergency preparedness, response and damage mitigation.
Irwin also brought forward legislation (AB 670) signed by the governor last year requiring at least 35 independent security audits of state entities each year.
At the Feb. 24, 2016, oversight hearing, Robinson said the department had either partially completed or completed all of the auditor’s recommendations. Robinson reported that the department has directed state agencies in the use of standardized self-assessments, and plans of action are currently being reviewed.
“Protecting state information, assets and data entrusted to our care is a top priority for us. We take it very seriously,” said Robinson at the Feb. 24 hearing.
The Governor's Office said it appreciates Robinson's service and will move as quickly as possible to fill the State CISO position.
Techwire contributing editor Samantha Young and other staff sources contributed to this report.
