Over and over again.
And now a series of crucial cybersecurity initiatives designed to protect Florida are languishing. The team that exists is just 50% staffed.
What is emerging here is a lesson and a warning for cybersecurity leaders of all kinds: with demand for cybersecurity professionals at an all-time high, your culture and workplace environment can drive away talent if you get it wrong.
Cybersecurity officials struggle in Florida
Chief Information Security Officers (CISOs) and other information security executives have the luxury of being an incredibly hot commodity, so they can pretty much pick and choose where they work, as they are almost guaranteed to have a job waiting for them somewhere.
The Florida state government is apparently not one of those workplaces that many are looking at, and for a few legitimate reasons.
In the last year, the state has seen a cyberattack take out the top regulatory agency, a data breach compromise the personal information of thousands of applicants for children's health insurance, and a cyberattack that resulted in confidential information of 58,000 unemployment applicants being stolen, including Social Security numbers and bank information.
In hopes of defending against attacks like these, Governor Ron DeSantis formed the Florida Digital Service team. The team has attracted a number of qualified security professionals, but they keep quitting, some of them without notice.
The Florida Digital Service team is now searching for its third CISO in less than a year, while five out of the 10 positions on the state's cybersecurity response team are currently vacant.
DeSantis appointed former state Rep. Jamie Grant, a lawyer from Tampa, as Florida's new Chief Information Officer (CIO) and leader of the Digital Service team. But since Grant took over, a number of people have walked away from a six-figure salary.
The Miami Herald reports the following positions have opened up in the last year:
- "The state's chief information security officer is supposed to lead Florida's cybersecurity response. The state is now looking for the third person to fill that role in a year. The first left within a month, later becoming the chief information security officer for the City of Tallahassee. His replacement was quickly hired but quit without giving notice six months later, becoming a private consultant, according to his LinkedIn profile."
- "The state's chief data officer quit in March before he could finish the Legislature's task of cataloging the state's data."
- "In July, the state's first-ever enterprise architect quit, just eight months after being recruited by Grant for an ambitious project to create a single technical framework to help improve every state agency. The project was due in October. It is now delayed until 2022."
- "And earlier this month, the state's chief operations officer quit. He was leading Florida's negotiations on a potentially $500 million project to privatize the state's data center, but he left before finalizing a contract with the winning bidder."
About one third of the 185 positions under Grant's supervision remain vacant. When asked why this is the case, Grant took some responsibility:
"I promised the Florida Digital Service team that I would help them build an organization led by talented, dependable, and ethical leaders. All of the personnel moves I have made have been consistent with that commitment and in furtherance of our team's shared principles."
Cybersecurity concerns in Florida state government
The Miami Herald reports that former employees say Grant has a "chaotic managing style." That could be one reason employees are quitting.
Another factor is that the Digital Service team is now the fourth iteration of a statewide technology agency, as the previous three were all shut down over contracting scandals or issues with the legislature. And this is increasing cyber risk.
James Taylor, CEO of the Florida Technology Council, discusses the vacancies and other problems the state faces:
"Those seats being vacant is a massive concern for us. There's no way around it. Cybersecurity should be our No. 1 concern in our state right now.
"Even if we had every position filled, and fully staffed, protecting our state while working to build an enterprise architecture to drive change would be a massive undertaking. A pandemic, combined with a rapid increase in cyberattacks, adds a new level of urgency for filling these vacancies with qualified staff."
Another major issue Florida is trying to overcome is funding for cybersecurity. The state legislature assigned $30 million to a variety of cybersecurity measures this year, but some experts say that number is not close to enough.
In contrast, Texas assigned $105 million to cybersecurity, with an additional $1 billion to modernize technology and increase security at state agencies.
David Taylor, CIO for the State of Florida from 2008 to 2012, said this about the state's funding: "In terms of the third-largest state, it's a ludicrously insufficient amount of money."
Taylor also tells the Miami Herald that Florida's political leaders don't understand the seriousness of cyberthreats the state faces. He said he believes the only reason the state hasn't seen a critical system-wide breach is that attackers are busy going after targets with more money.