DIR Recommends Sharing Information Security Officers Among Agencies, Higher Ed Institutions

The Department of Information Resources is asking the Legislature to revisit ISO requirements and allow agencies and universities to share officers, so they may stretch their financial and human resources.

The Department of Information Resources (DIR) is again recommending that the state allow agencies and universities to designate joint information security officers (ISO).

A shortage of cybersecurity professionals, tight state staffing and limited resources mean that finding singular ISOs is a challenge, according to the DIR’s 2025-2029 agency strategic plan, posted Friday.

The agency also outlined the recommendation in its 2022 Biennial Performance Report. It generally aims to help smaller agencies and institutions with fewer employees and less funding access the expertise needed to secure growing networks amid an increase in digital learning and telework, Texas’ chief information security officer, Nancy Rainosek, told Government Technology* at the time.

“Unlike large state agencies and institutions of higher education, the smaller agencies don’t usually have the resources to dedicate staff to tackle security full time, and their ISOs are wearing multiple hats, such as network administrator or IT manager,” Rainosek said. “Having the ability to ‘share’ ISOs between organizations would provide a person that was focused on ensuring security is a priority at those smaller agencies. Public junior colleges may also benefit from a program like this.”

In 2017, the Texas Legislature added Section 2054.136 to the state code. This requires that each state agency designate an information security officer who will report to agency executives, has authority over the agency’s information and is trained and experienced in the information security arena. These duties would be the officer’s main responsibility.

The statute doesn’t allow agencies or higher education institutes to designate a shared ISO, but the state does allow sharing of information resources managers.

“An employee … may be designated to serve as a joint information resources manager by two or more state agencies,” reads Section 2054.071.

DIR lists the recommendation under the “Redundancies and Impediments” section of the strategic plan, saying that one ISO may be designated to serve more than one agency and that the language should be changed to reflect that.

*Government Technology is a sister publication to Industry Insider — Texas.
Rae D. DeShong is a Dallas-based staff writer and has written for The Dallas Morning News and worked as a community college administrator.