COLUMBIA — South Carolina could have two people overseeing agencies’ cybersecurity as part of an effort to centralize responsibility, the head of the state’s information technology division told senators Wednesday.
Statewide oversight of computer policies could be separated into two new positions. While a chief information security officer would be responsible for protecting data, a statewide privacy officer would define exactly what should be protected, said Jim Earley, of the Division of State Information Technology, to senators.
Earley and state Inspector General Patrick Maley testified before a Senate panel that’s looking into the hacking of millions of taxpayers’ personal data. Data stolen in the nation’s largest hacking of a state agency includes unencrypted Social Security and bank account numbers.
The testimony came a day after Maley released his interim report on the state’s cybersecurity situation. Gov. Nikki Haley issued an executive order calling for his review Oct. 26, the same day she initially announced the hacking of Department of Revenue computer servers. The tab for her administration’s response to the theft is nearly $20 million so far.
Maley told senators the state’s current decentralized approach is a recipe for problems.
Neither Maley nor Earley advocated complete centralization, but rather centralizing responsibility of computer security and letting agencies handle operations. Each agency’s chief information officer could report to a new statewide cybersecurity chief.
That means someone is in charge to create guidance and set the rules, and agencies can decide how to tailor them for their own circumstances, Earley said.
“Agencies know their operations best,” he said.