Episode Transcript
Transcripts are displayed as originally observed. Some content, including advertisements may have changed.
Use Ctrl + F to search
0:05
Hi and welcome NASCIO Voices , where we
0:07
talk all things state IT . I'm
0:09
Amy Glasscock in Lexington , Kentucky .
0:12
And I'm Alex Whitaker in Washington DC . Today
0:14
, Amy and I are talking about the newest State Chief Privacy
0:16
Officer survey and report that was released
0:18
a couple of weeks ago NA SCIO . As our
0:20
resident privacy expert and author of the report
0:23
, Amy is going to give us the rundown . Let's get
0:25
into it . So
0:27
we do surveys each year of the CIOs
0:30
and every two years of the CISOs . How does
0:32
the CPO survey compare to those ?
0:35
Yeah , really good question . So
0:38
the CPO survey first of all , it doesn't
0:40
really go along any particular
0:42
cadence . We've done them three years apart , we've done them two years
0:44
apart . We've done them two years apart . Probably
0:46
need to be somewhat regular about them . But
0:48
outside of that , there are some
0:51
other differences . So the
0:53
CIO and the CISO communities
0:55
are already very well established
0:57
. So every state has a CIO
0:59
and every state has a CISO , and
1:02
states are rarely asking about how
1:04
those roles should be structured or how
1:06
to hire one at this point . So
1:08
those surveys are a lot more focused on policy
1:10
issues and what they're working
1:13
on , how they're thinking about different
1:15
policy issues or new technologies
1:17
or established technologies , things like that . So
1:20
, by contrast , the CPO community
1:22
is still emerging . Only about half
1:24
of states have someone identified as working
1:27
on privacy at the enterprise level , either
1:29
full-time or as part of their job . So I
1:31
look at this survey and report as
1:33
more of a tool for two purposes
1:35
. So one purpose
1:38
is for the current state CPOs
1:40
to use it as a benchmark to see where
1:42
their state is in the process of developing
1:44
a privacy program or establishing
1:46
the CPO role , as well as something that they
1:48
can take to the legislature or higher
1:51
up in the executive branch to say look
1:53
, other states are doing this and I think it would be
1:55
great for us to do this too . Or
1:57
this isn't just something I've been asking
2:00
for . This is a recommendation from NASCIO
2:02
, where the state chief privacy officer community of
2:04
practice resides . And then the
2:06
second purpose is for state CIOs
2:09
or other state officials who are interested in
2:11
hiring a state CPO , and these
2:13
people are usually looking for guidance on what
2:15
the reporting structure should be like and what
2:18
NASCIO recommends , so that that future
2:20
CPO has the best chance of success in their role
2:22
.
2:23
That's really so interesting , and one of the
2:25
things that I've loved about watching the CPO community
2:27
grow is just how it sort of mirrors how NASCIO
2:30
has grown over the last few years , because I'm sure when
2:32
you started you probably didn't expect to be running our CPO
2:34
group as well .
2:36
Yeah , definitely we didn't have one .
2:38
Right , okay , so how is
2:40
the role structured in state government and what
2:42
have the trends been ?
2:45
So the reporting structure is kind of all over the place
2:47
. 25% report
2:49
to a state CIO , which is less
2:51
than it has been historically . So
2:56
in 2019 , that number was 42% and in 2022
2:58
, it was 29% . So it's continuing to decrease
3:00
. And the number of CPOs who report
3:02
to a CISO is also decreasing
3:04
, at 19% currently , which
3:06
is down from 33% in 2019
3:09
and 24% in 2022
3:11
. The most common answer was
3:13
other administration official , at 38%
3:16
. So in my view , I
3:18
think all of this shows that states are increasingly
3:21
recognizing , like we do , that privacy
3:23
is not just a function of technology
3:25
or a subset of cybersecurity , but
3:28
it deals with data in general . When
3:30
asked how a state should ideally structure the role
3:33
we always say , I always say that
3:35
a CPO should have authority over
3:37
the executive branch agencies and
3:39
wherever that works best in that
3:42
state is where they should be . And
3:47
I also caution states not to embed the CPO too far down in the hierarchy of the executive branch
3:49
, because they need to be able to have some authority
3:51
to get things done . Now
3:54
, when we ask current CPOs what
3:56
branch they have authority over , only
3:58
a little over half said that they had authority
4:00
over the executive branch agencies and
4:03
41% said that they only have authority
4:05
over their department or agency . So
4:07
obviously we'd like to see that number go up
4:09
for executive branch agencies
4:11
and we found in the survey that
4:14
lack of authority was a real challenge in general
4:16
for respondents , and you
4:18
know these folks are tasked with leading privacy initiatives
4:20
for more than their agencies but aren't
4:23
actually given any authority or budget to get
4:25
things done and to get the things done that
4:27
they know they need to get done as privacy pros
4:29
. So obviously that's an issue
4:31
.
4:32
Yeah , unfortunately , hearing the
4:34
refrain that a role is not getting the budget or
4:37
support that it needs is not rare
4:39
in state government , but certainly seems like the CPOs
4:41
are really doing a lot of great work and it's always great to hear
4:43
from them at at our conferences . Yeah
4:45
, Um , so what is the thing that feels the most
4:47
different in this survey as compared to the
4:49
one two years ago ?
4:52
So , uh , Probably not a huge surprise , but
4:54
this year we asked about the
4:56
CPO's involvement in AI for
4:58
the first time , and I feel like that is
5:00
really the big thing that has shifted since
5:03
have
5:17
been involved in developing policies related to AI in their state . <p class="MsoNormal">So this year we asked about their involvement in AI for thefirst time and I feel like that is really the big thing that has shifted since2022 . 77% of state CPOs reported that they are or have been involved in settingpolicies related to artificial intelligence in their state . I would even go sofar to say that the explosion of AI is adding to the relevance of the CPO roleand the increasing interest in having one for states that don’t . <o:p></o:p></p>So .
5:25
I also thought it was interesting
5:27
that 94% of
5:29
state CPOs said that they are involved
5:31
at least some of the time in the approval
5:34
process for technology-related procurements
5:36
and contracts the time in the approval
5:38
process for technology-related procurements and contracts , and
5:43
I think I can draw the line to the fact that so many IT procurements
5:45
have elements of AI in them now , which means that new terms and conditions may need to
5:47
be added to standard old procurement language , and
5:50
state CPOs who , by the way , are
5:52
usually attorneys at least 75%
5:54
of them are often weighing in on how to
5:56
best do that .
5:58
Got it . Well , I knew we couldn't get through a NASCIO podcast
6:00
without mentioning AI .
6:01
Of course not !
6:04
Are there any stats that were surprising or
6:06
went in a different direction than you expected
6:08
?
6:09
For sure . One is that
6:11
the number of respondents who say that they're
6:13
the first person to hold the role in their state
6:15
has bounced around over the years
6:17
. So from 2019 to
6:19
2022 to 2024
6:21
, it went from 67%
6:23
down to 41% and now back up
6:25
to 56% . And those
6:27
are folks that say that they're the first
6:30
person to hold the role in its current
6:32
iteration . So when
6:34
it went down two years ago , that told me that the role
6:36
had been around long enough , that several states had already
6:39
replaced their CPO a time or
6:41
maybe even two times . And then this
6:43
year , when it went up again , you know
6:45
, you realize that there are still a lot
6:47
of states that are just now hiring a CPO
6:49
or they're creating the role in a
6:51
more official capacity for the first time
6:54
. So you know we've had states that
6:56
have a general counsel or someone working
6:58
on privacy . And then , you
7:00
know , the next year they're like okay , now we have a new
7:02
role , we're hiring a chief privacy officer for
7:04
the first time with that title . So that's
7:07
kind of cool to see as well . And then , second
7:10
thing that you know , sort of
7:12
surprising was the number of CPOs
7:14
that said that they have the authority to
7:16
enforce privacy compliance . It was only 20%
7:19
this year , compared to 42%
7:22
just two years ago . Obviously
7:24
disappointing to see that number go down
7:26
, but I always take this with a grain
7:28
of salt , considering the small sample size
7:30
. You know , there's only like 25
7:33
people on our list . 17 filled out the
7:35
survey . Did these respondents
7:37
interpret authority differently than the respondents
7:40
two years ago did ? Or are states
7:42
actually taking authority away from CPOs
7:45
? I mean , I have to think it's more the first one , I hope
7:47
. And then , finally
7:49
, the number of respondents who said that they have
7:51
an established privacy program in their state
7:53
went down five points , from 29%
7:56
in 2022 to 24% this
7:58
year . That got some press
8:03
in our trade press . But again
8:05
, I think this just may have been more of maybe
8:08
an interpretation of what established means
8:11
to a CPO from one year to the next
8:13
, or maybe more likely
8:15
it could have been that even just one state
8:17
with an established program that had filled
8:19
out the survey two years ago didn't
8:21
fill it out this year , and then that can throw the answers
8:23
off . And so you know , I doubt
8:25
any state just took an established privacy program
8:28
and threw it out the door .
8:29
Right . So for those states that
8:32
don't yet have a chief privacy
8:34
officer and you know , it sounds like there are a few , of
8:36
course what are NASCIO's recommendations
8:38
for those that would like to establish the role ?
8:41
Yes . So we have three recommendations
8:43
, as we always try to do in these . So
8:45
the first is to establish
8:48
privacy governance . Privacy governance
8:50
was the number one resource CPOs
8:52
said that they need to do their job effectively
8:55
. The second is to
8:57
ensure dedicated funding and authority
8:59
for state CPOs , for states that are creating
9:02
the role or who want to elevate the role . So
9:04
lack of authority and lack of funding
9:06
were the top two challenges that CPOs
9:08
said that they face and talked about
9:10
that a little bit already . I will
9:12
say two years ago
9:14
only one state had a dedicated budget
9:17
for privacy and this year three
9:19
states did . So a little bit of progress
9:21
there Still a lot more needed
9:23
and with additional authority
9:26
and with additional funding it's going to be easier
9:28
to develop that privacy governance too
9:30
. From the first recommendation . And
9:32
then , finally , we recommend establishing
9:35
and training agency leads . A lot
9:37
more states are doing this now than they were five years
9:39
ago , and I think that's great
9:41
, because then you have a team of
9:43
privacy advocates at the agency level
9:45
who have a basic working knowledge
9:47
of privacy and who also
9:49
really understand the business of that agency
9:51
as well as the unique privacy needs
9:54
of the individual agencies .
9:56
Got it . So lots of information and
9:58
recommendations , but , most
10:00
importantly perhaps , where can listeners read the
10:03
report ?
10:04
Of course , yes , so I've just sort
10:06
of , you know , done the high level here . There's so
10:08
much more in the report questions we
10:10
haven't even talked about today . But
10:12
of course you can find it on our website under
10:15
our Resource Center , and we'll definitely put a
10:17
link in the show notes as well .
10:19
Awesome . Well , amy , thank you so much . This has
10:21
been so interesting , and I really encourage
10:23
everybody who has not yet to check out the report
10:25
, because there's a lot of fascinating stuff in there . But
10:28
while everyone is very interested in the role of
10:30
the CPO , of course and that's why they tuned in
10:32
they are also , of course , here for
10:34
the
10:37
lightning round . Are you ready ?
10:39
I'm ready all right .
10:41
Well , as host of our podcast , I
10:43
will ask you do you have any new podcast
10:45
recommendations ?
10:47
Yes , I do . I have been loving and I think
10:49
our listeners would also enjoy Hard
10:52
Fork , which is a technology podcast from
10:54
the New York Times with Kevin Roose and Casey
10:56
Newton and I
10:58
know I've mentioned this to the policy team
11:00
at NASCIO but they talk about current events
11:02
and technology , a lot about AI . Of
11:04
course , it's educational . It's really
11:06
funny . I laugh out loud multiple times
11:08
every episode and you can tell that
11:10
they're friends and it's just a really great
11:13
way to stay up on current tech events . So highly
11:15
recommend it to our listeners .
11:17
Awesome , that's , of course , after you listen to NASCIO
11:19
Voices .
11:19
Of course . I'm sure they'd recommend
11:21
ours too .
11:23
So we have talked about the fact that
11:25
you saw the solar eclipse this week . Tell
11:27
us what it was like .
11:30
Yes , it was so amazing . I will say
11:32
I'm
11:39
going to come across like a real like sky nerd or something here . But when I got to drive into
11:41
totality because it was only about two hours from my house took my mom and my daughter
11:43
with me and was
11:46
just kind of you know , not really knowing what to expect
11:48
. I kind of wanted to see what it was like for it to get dark in the
11:50
middle of the day . That was my main goal and I was like
11:52
, well , if you have some clouds it's fine , but
11:55
luckily we really didn't have any clouds
11:57
. We drove to this beautiful little park
11:59
in Ohio and watched it with
12:02
a thousand other people and
12:04
that moment , when the moon
12:06
covered the sun and we could take our glasses
12:08
off and look up at the blazing Corona
12:13
, it was just completely magical . I think I had tears streaming down my face and
12:15
my mom did too , and my
12:17
daughter said , wow , just wow , that's
12:19
all I can say . So you know , if
12:22
you ever have an opportunity to see
12:24
one , I definitely recommend it . Spain
12:27
two years from now , maybe I'll try it , because the next
12:29
one in the US isn't for like 20
12:31
years , yeah .
12:33
Yeah , all I got was burned retinas because we didn't
12:35
really get it in DC , but I'm glad that you
12:37
had a great time . So now
12:39
for what is my favorite lightning round question
12:41
what did you want to be when you were a kid ?
12:45
I feel like most kids in the 80s 90s
12:47
we were trying to were like trying to save the whales
12:49
and we had our Lisa Frank folders with
12:51
dolphins on them . So I wanted to be a marine biologist
12:54
for a short time , and
12:56
also an actress . Neither
12:59
of those really worked out , but I don't
13:01
care so much about the marine biology anymore , but being an actress
13:03
would still be pretty cool .
13:05
All right , ok , cool , I wanted to be Indiana Jones
13:07
, but then I found out how much
13:09
math and science are involved for archaeology , and
13:11
now I'm the government affairs director
13:13
at NASCIO . That's right , you never know , all
13:16
right . Well , thank you so much for the overview
13:18
, Amy . Hopefully , through this work , more states
13:20
will be able to establish the CPO role
13:23
without feeling like they're starting from scratch . So thanks
13:25
so much .
13:26
Absolutely , and I agree . That's certainly
13:28
my goal . Of course , I'd like to see all
13:30
the states with a privacy lead and I'd like to have
13:32
all of them join our community of practice at NASCIO
13:34
. Great Thanks .
13:36
Thank you . Thanks again for listening
13:38
to NASCIO Voices . NASCIO Voices is a production
13:40
of the National Association of State Chief Information
13:43
Officers , or NASCIO . Learn more at NASCIO . org
13:45
. We'll
13:51
be back in two weeks with a preview of our mid-year conference with Emily Lane . Talk
13:53
with you then .
Podchaser is the ultimate destination for podcast data, search, and discovery. Learn More