State and Local IT Leaders Debate Effective Cybersecurity Strategies

At the recent Florida Public Sector Cybersecurity Summit, panelists from local and state government debated the best ways to approach cybersecurity.

Candace Wynn moderating a panel featuring Joey Hornsby, Will Armstrong, Jason Bertoch and Alan Russell at the Florida Public Sector Cybersecurity Summit in Tallahassee on Sept. 11. Photo by Cristina Carter.
At the recent Florida Public Sector Cybersecurity Summit* in Tallahassee, government technology leaders debated cybersecurity topics such as full-time versus fractional CISOs, operational versus strategic roles, collaboration and the role of AI.

The panel, moderated by Candace Wynn of the Florida Digital Service (FLDS), included Will Armstrong, information security manager at the Agency for Health Care Administration; Jason Bertoch, lead network security engineer at FLDS; Joey Hornsby, chief information officer at the Department of Law Enforcement; and Alan Russell, cybersecurity manager at the Office of Information and Technology in Leon County.

When asked whether having a full-time CISO or a fractional CISO on staff — that is, a virtual or remote CISO — would be best, all panelists agreed that a full-time CISO is ideal. However, they also recognized that most agencies lack the funding to employ a full-time CISO.

The discussion also highlighted the importance of having a comprehensive understanding of cybersecurity needs, which may include having a full-time chief data officer (CDO).

“Data is the backbone of everything we do, and a dedicated CDO ensures that this critical aspect is managed with the focus it deserves,” Armstrong said.

Hornsby argued that while not all organizations can afford full-time roles, investing in dedicated security leadership is crucial for robust cybersecurity.

“We would love to have more dedicated people and build a team solely focused on cybersecurity. If you have the funding and people to do that, absolutely. However, not everyone has that luxury,” he said.

The practical benefits of fractional CISOs, especially for smaller counties or organizations, are significant. The ability to collaborate with external experts when needed can be more advantageous than not having a CISO at all.

Russell pointed out the success of Florida's collaborative approach, noting that “smaller counties need fractional CISOs and the ability to tap into external expertise.”

“Even at the highest level, the state of Florida has successfully collaborated with Texas,” he said. “Collaboration enhances everything. Regardless of whether it's a full-time or fractional CISO, there will always be a need for collaboration.”

The panelists also addressed the challenges of distinguishing between operational and strategic cybersecurity roles.

“Security leadership often requires balancing policy, strategy and operations. It's tough to find one person who can effectively manage both,” Russell explained.

In response, Armstrong proposed that further clarification of these roles is needed: “We need a clearer definition of operational versus audit and policy-focused CISOs. Conferences like this one are a good platform to continue these discussions.”

Hornsby emphasized that tools alone are not enough.

“I can spend money on tools all day long, but without the right people to operate them, they’re useless,” he said. “Training our internal IT staff on security is crucial. Enhancing their skills will make them our first line of defense against attacks.”

Armstrong stressed the importance of internal training and proactive communication. Business units need to see the value of security and open themselves to collaboration with the IT department.

Security concerns can lead to tension between goals. Bertoch emphasized the ongoing challenge of balancing security and functionality.

“In networking, we want packets to flow freely, but from a security standpoint, we often want to restrict that flow. It’s about finding a balance based on the risk you’re willing to accept,” he said.

The panel also touched on AI’s role in cybersecurity. Armstrong observed that AI is not a new concept, but has evolved over time. It's been integrated into policies and tools, but many people, he argued, are trying to implement it without fully understanding what that means.

Hornsby also acknowledged the need to approach AI cautiously.

“The level of acknowledgment of AI’s capabilities is crucial. Solutions should be implemented securely and in accordance with existing policies,” he said.

He added that AI’s effectiveness depends on its deployment environment. Some solutions are effective running in secure environments, and sometimes opting out of AI is the best course.

*Note: The Florida Public Sector Cybersecurity Summit is hosted by Government Technology, a sister publication of Industry Insider — Florida. Both are part of e.Republic.
Cristina Carter is a Tallahassee-based staff writer. She has a bachelor's degree in English literature and a master's degree in international affairs, both from Florida State University.