After suffering the nation’s worst data breach at a state agency, South Carolina’s computer security could become a model for the country, an information-technology expert told lawmakers Tuesday.
A bill introduced in the state Senate would create a cabinet-level Department of Information Security, reporting to the governor, that would oversee protection of state computer networks.
The authority, accountability and visibility proposed for the new post impressed Doug Robinson, executive director of the National Association of State Chief Information Officers, who testified at a Senate hearing Tuesday.
“I definitely think you are moving in the right direction,” Robinson told the Senate Finance Committee. “You could be a role model for the rest of the nation.”
Never miss a local story.
South Carolina would be the only state in the country with a separate computer security agency that reports to the governor, rather than a chief information officer, Robinson said.
Colorado had a separate security officer who reported to the governor until 2011 when its Legislature consolidated all computer work, which is how most states operate, he said.
“It could work,” Robinson said of South Carolina’s proposed arrangement. “You have some challenges around the coordination” between a chief information officer, who oversees computer networks, and security boss, who protects them.
Senate Finance chairman Hugh Leatherman, R-Florence, prefers keeping the computer networks and security separate.
“We may need somebody who butts heads,” Leatherman said. “You need someone over here saying, ‘Wait a minute, you can’t do that.’”
The state does not have a cost estimate for a new computer security agency. Based on national spending annually on cyber-security, state Sen. Paul Campbell, R-Berkeley, estimated the state should spend about $20 million a year protecting its networks. He noted that would be less than the state now is spending to deal with the fallout from a fall hacking incident that saw the financial records for 6.4 million S.C. consumers and businesses stolen from the S.C. Department of Revenue.
The extra money for a new agency is worthwhile if it gives South Carolinians peace of mind, Leatherman said.
“Whatever it takes. They have already been compromised,” he said. “And (allowing) any further compromise, I’m not willing to go there.”