CA's top cybersecurity job has been vacant for almost 2 years – CalMatters

Californians get hacked all the time. The state’s top cybersecurity job is vacant
In summary
Gov. Newsom has yet to appoint a commander who is tasked with informing businesses and governments of cybersecurity threats.
You might think the home of Silicon Valley would rush to hire a cybersecurity chief, but you’d be wrong: California has left its top cybersecurity post vacant for nearly two years.
A spokesperson said there is no current timeline for Gov. Gavin Newsom to appoint anyone to the position of commander of the Cybersecurity Integration Center.
“We are a target,” as a tech industry leader, the most populous state in the country, one of the busiest ports in the world, and the fifth largest economy in the world, said former cybersecurity integration center commander Jonathan Nunez in a video posted to YouTube two years ago. He took the helm in June 2020 and was the last commander appointed by Newsom, leaving the position in June 2022.
State officials say the vacancy hasn’t hampered the state’s ability to respond to threats, but experts outside the state government are concerned that an acting commander is spread thin.
The commander job entails assisting law enforcement agencies with criminal investigations and safeguarding California’s economy and critical infrastructure. Other job duties include maintaining a security operation center that disseminates actionable information to all state entities, forming public and private partnerships, and developing state cybersecurity strategy. The commander is paid a salary of up to $187,000 a year.
The challenge of a position like cybersecurity commander is that it’s not a matter of public or media interest until something goes wrong, said Dan Schnur, a former spokesperson for Gov. Pete Wilson who now teaches political communication at the University of Southern California and University of California, Berkeley. There’s no set timeline for appointments, and the timing depends almost entirely upon the urgency to fill the job and the quality of applicants, but in his experience, taking more than a year to appoint is an unusually long amount of time.
“Either they’re going through a painstaking process to pick the right person or it slipped through the cracks and there’s no way to know which of the two it is,” he said. “Unless you find a unicorn who’s willing to forego that kind of financial compensation in exchange for public service, you’re already starting out with a compromise.”
There have been four full-time commanders prior to the current acting commander. 
Keith Tresh was appointed by former Gov. Jerry Brown and acted as commander from 2016 to 2018. He is now chief information security officer at consultancy firm AMEG. Mario Garcia served as acting commander from 2018 to 2020 and now works as state coordinator for the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Jonathan Nunez was appointed by Gov. Newsom in 2020 and now works as an analyst at consultancy firm Gartner. David Lane served as acting commander for an unspecified period of time in 2022. Deputy Director of homeland security Tom Osborne is also the acting commander.
Tresh previously served as chief information security officer for the states of California and Idaho and was the first Cybersecurity Integration Center commander. He said he jumped at the opportunity because the job acts as a second set of eyes for public institutions like city and county governments, not just the state of California.
“We helped school districts and regional transit authorities when they had breaches,” he said. “That’s why I think it’s absolutely a perfect position to continue on.”
Cyber attacks on public institutions like local governments, hospitals, and school districts are on the rise. Hospitals and health care providers are still recovering from a ransomware attack that affected payment processing for Change Healthcare, which processes roughly half of all health care claims and payments nationwide.
The Cybersecurity Integration Center receives reports when a school district, state agency, or private company experiences a data breach. The center also receives threat reports from federal agencies such as the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Department of Homeland Security.
Former Gov. Jerry Brown created the cybersecurity agency in 2015 to operate within the governor’s Office of Emergency Services. It works with the Department of Technology to investigate and report incidents and helps restore operations after an attack. Director Liana Bailey-Crimmins told CalMatters in an interview in February that her agency works closely with the office of emergency services to address the needs of the state as they fill key positions so they never miss a step.
A spokesperson for the governor’s Office of Emergency Services said Osborne is serving as acting commander while the governor carries out a nationwide search for a qualified candidate.
Over the course of the past month, CalMatters repeatedly asked for details about data breach reports and compliance with additional duties assigned to the commander and cybersecurity integration center by a five-year cybersecurity plan approved in 2021, but received no comment.
The last time the state compiled a report detailing the kinds of data breaches, number of records compromised, and number of Californians affected in cyber attacks was back in 2016, before the cybersecurity integration center existed.
CalMatters reached out to the office of Attorney General Rob Bonta for the latest data breach report. The attorney general’s office referred CalMatters to the cybersecurity center, which did not share new information but said it would post new data publicly later “this spring.” 
After audits found that state agencies were woefully unprepared for cyber attacks, California Assemblymember Jacqui Irwin, a Democrat from Thousand Oaks, coauthored a 2018 law that made the Cybersecurity Integration Center a permanent state agency and required development of a state cybersecurity strategy. Irwin, who is also chairperson of the Assembly cybersecurity committee, told CalMatters in a statement that finding a new commander has not been easy. 
“The state has struggled to recruit and retain cybersecurity specialists, just as many businesses have, with their skill set in high-demand,” she said.
Former state cybersecurity employees told CalMatters they think it’s difficult for the cybersecurity center to keep commanders because the pay is less than for similar jobs in the private sector. State employees may treat an acting commander — who will be in the job temporarily — differently than a commander appointed by Newsom.
A former cybersecurity center employee who spoke to CalMatters on background for fear of professional reprisals said the biggest issue with the position is lack of real authority; the commander has limited capacity to act and hold people accountable.
Public agencies, especially in California, are major targets for cybercriminals seeking confidential information or just wanting to cause panic, said Steven Ward, a cybersecurity fellow at center-right think tank R Street Institute and former digital forensics examiner for law enforcement agencies in Sacramento.
Ward said the vacancy is reflective of a number of trends: First, the cybersecurity threat landscape moves quickly, and public agencies move slowly. Second, it mirrors a larger cybersecurity workforce shortage. California has the second-highest in the U.S., according to a 2022 report by the nonprofit International Information System Security Certification Consortium.
Third, public agencies can’t compete with pay and benefits offered by private companies. Another 2022 study found that the private sector pays 14% more than government agencies. The pay gap creates a situation in which entry-level employees are responsible for guarding highly sensitive systems. It’s hard to say what the consequences of the vacancy are, but since the center develops the state cybersecurity strategy and is a hub for sharing attack threat information and how to patch vulnerabilities, Ward said he’s worried that the acting director might be spread too thin.
“It definitely needs to be filled,” he said. “It’s important that this type of work continues without interruptions.”
Khari is CalMatters' first tech reporter. He previously covered artificial intelligence use by businesses and governments as a senior writer for WIRED and VentureBeat with an emphasis on policy, power,…