Cindi had a column this morning on the new post of cybersecurity chief that the Legislature is adding to the state payroll (maybe the title could be, “Officer in Charge of Closing the Barn Door after the Horses have Run Off”) — or rather, on the outrageous fact that they want this person to be immune from firing by the governor.
As she correctly points out, we have too many state employees like that already — people who don’t really “work for” anyone, since no one can fire them.
There is zero reason to make this particular person independent — unlike, say, the attorney general or the inspector general. Arguments can be made for those. Not for this new post.
Cindi and I have been fighting the Legislature’s aversion to accountability for a lot of years now. So she can be forgiven for winding up into a bit of a rant at the end:
Frankly, I’m willing to trust that politics will keep the governor in line on this one. It’s tough enough for a governor to have to explain that 6.4 million individuals’ and businesses’ Social Security numbers and bank records were hacked because her agency director either didn’t know about or ignored concerns from his own IT people. She certainly doesn’t want to have to explain that we had another breach because she fired the state cybersecurity chief, or cowed him into backing off basic protections.
Truth be told, I’d be more concerned that a governor wouldn’t be aggressive enough if a cybersecurity chief gets out of control.
As much as some legislators are fond of saying that no price is too high to secure our personal information, the fact is that there is always, always more that can be done to provide security, be it for our computer networks or our cities or our businesses or our homes. The fact is that some prices are indeed too high, and it’s the job of our Legislature and our governor, or whoever a cybersecurity director reports to, to balance the risk against the cost, in money and in time.
If you’re going to give union-style job protections to the cybersecurity chief, then why not give them to the governor’s lobbyists — since she might not like it if they tell her that legislators don’t like her? Or to the prison director — since she might not like it if he tells her how much it’s going to cost to keep the prisons safe?
In fact, why not just go back to the way we did things when I moved to South Carolina, when the governor couldn’t fire the directors of any state agencies? When those directors reported to part-time board members who, even if the governor could appoint them, couldn’t be fired.
For that matter, if S.C. governors are that untrustworthy, maybe we ought to go back to the old system whereby the Legislature elected the governor. After all, what’s the point of bothering voters with the matter of electing a governor if the governor has no power to carry out the agenda those voters elected her to carry out?
Or maybe, just maybe, we could decide that government officials should be held accountable for their actions. Maybe we could decide that it’s better to trust that a governor won’t abuse her power over powerful officials than it is to risk that those officials will either get too comfortable in their jobs or else let their power go to their heads, and be less aggressive, or more aggressive, than they ought to be, because they don’t have a boss — and they know they’ve got a job for life.
Amen to all that.
Related Posts
I don’t get it. It seems the ‘powers that be’ keep putting incompetent people in jobs, and then insuring that no one can fire said folks from these jobs. Why haven’t we/they learned yet?? It’s bad enough that we’re a bit late on the cyber security front. But haven’t we had enough of unassailable incompetency?
Apparently we have not, because we keep reelecting the same clowns who appoint unaccountable and incompetent fools to positions of public trust and responsibility.
I definitely agree with Ms. Scoppe on this one, although a State division of Information Technology already exists inside of B&CB, so this whole thing seems redundant.
http://www.cio.sc.gov/Pages/default.aspx
I agree with Scoppe on this. As a fundamental part of human nature, people work best when they know they will be held accountable. Also, I don’t see how a digital security executive would ever have a conflict of the type that the AG or SLED would.
Hire someone good, give them a specific mission, and hold them accountable. We’re not building a rocket, here.
You would have thought with the recent debacle over not being able to fire the Richland County Elections Director, they would have avoided the exact same pitfall.
B&CB is a law unto itself, and participation in the excellent services its IT department, at which a relative of mine is employed, is regrettably optional.
Does anyone recall my comment on one of Brad’s earliest posts about SC’s breach? I opined that it would only involve those who e-filed their returns, which was not confirmed to be true until several months have passed. I bring this up because to me it was basic (chef, not IT expert) and it relates to what I suggest next.
The state of Georgia avails proprietary cyber security tools (as recently reported by a CBS affilliate as ‘Nexis Lexis’, but which is probably Nessus or NMAP) to detect cyber vulnerability and discover intrusions of protected information.
South Carolina seems to keep the public in the dark about the actual cyber security measures (compared to the State of Georgia) until forced to admit no employee actually performed/supervised security functions at all.
Having dealt with both Georgia’s and SC regulatory agencies I believe no high-level state employee should be accountable only to part-time legislators. The house and senate must expedite their approval of a government reorganization fit for the 24-7 digital era in which we now live. These part-timers waste more time than in session than dishwashers on smoking breaks.