From laying cable throughout his college campus to heading up the state government’s information technology organization in New Mexico, state CIO Raja Sambandam has come a long way. However, he’s used to it.
Sambandam earned a bachelor’s degree in mechanical engineering from the University of Madras, India, and his master’s degree in management from South Dakota State University. He later worked for 20 years in information technology and business in the areas of banking, finance, taxation, healthcare, and manufacturing.
With the state government in New Mexico for a decade now, Sambandam has held the role of Chief Risk and Security Officer for the Taxation and Revenue Department (TRD) where he established the security, risk, and compliance functions for TRD. In addition, he oversaw TRD’s Internal Audit Function. Sambandam joined the Department of Information Technology (DoIT) in April of 2020 as State Chief Information Security Officer (CISO).
In June 2023 Sambandam was named the Acting Cabinet Secretary and State CIO. He oversees an annual operational budget of around $70 million and 165 employees.
The “acting” part of any title carries a degree of uncertainty, and a state CIO position is no different. “This is something that they asked me to take on, so I am happily working and delivering on that. That is where it is right now. I do not know what happens next,” Sambandam said.
As state CIO at DoIT, his department’s primary responsibility is to provide certain core services. “It includes being the system custodian and providing technology support and the technology aspects of our ERP system, which is the fabric that connects every single state government employee. And there’s only a few fabrics that connect every single employee in terms of technology,” Sambandam explained.
ERP is the statewide accounting and budgeting application, a PeopleSoft subsystem that is housed at DoIT while the process owners are finance and the state personnel offices. “We also provide the statewide office productivity suite of applications which is Microsoft Office, and all the product features, and the functionalities associated with it,” Sambandam said. That covers the entire State Executive Branch ecosystem: 75 agencies, boards, and commissions.
I explained that I recalled when the first CISO positions were created in the mid-1990s. Then the role changed from a deputy CIO to the new chief information security officer, and now it’s set up in certain states as a completely independent department. That’s what Sambandam had in New Mexico. It’s interesting that he was CISO, but independent from the state CIO. Then all of a sudden, he becomes the boss, the state CIO, so his perspective on the independence of the CISO might have changed over time.
“Having worked in banking and financial services, which, in my opinion at least, is one of the most structured IT environments because of the compliance aspect, because of the money aspect, every single internal control that you can think of has to be vetted, validated, and signed off on,” Sambandam said. That’s because of the Treasury regulations, because of the FDIC requirements, because of the Patriot Act, and any other banking requirements. It is very methodical and very structured.
“Having gained that insight into how that system operates, there are some lessons learned for other process owners in terms of understanding the maturity and the structure around it.”
Then when the National Institute of Standards and Technology (NIST) issued Special Publication 800-53, it provided a framework for collaboration. “For example, if Department of Health and Human Services says, ‘Oh, we are HIPAA compliant’, then the Department of Public Safety says, ‘Oh, we are CJIS compliant’. We don’t need to view them as a silo.”
Internal controls are internal controls. They need to exist. “Since that is the framework that we all subscribe to, and that’s the framework that the feds are pushing to, we wanted to leverage that framework, to bring those federated silos, because the state operated very similar to many other states, a federated, fragmented enterprise.”
New Mexico was looking for synergies to produce economies of scale. That’s the whole intent and spirit of the department of IT that was created in the mid-2000s. “But how do we gain that leverage? That’s the question. We looked at various different alternatives, but having this as governance and oversight functions, it can be achieved appropriately by providing that level of independence, and then that level of transparency.”
The CIO who’s the operational owner of IT should be doing so under the guidance of the system. “There was a subtle opportunity for conflict of interest and some undue influence, and those are some of the things that the private industry was trying to address.” And so the independent CISO was born.
“There is a perceived notion that risk management or risk assessments are still considered an administrative nightmare, but without understanding the risks, you cannot put in mitigating controls to bring it to an acceptable or a tolerable level,” he said. Having that separation between the CIO and CISO provides the ability to develop a control structure in a way that is acceptable.
There are just a few states like New Mexico, including Arizona and New Jersey, with independent CISOs, but with the vast, ever-expanding cyber threats to government continuity, state executives, especially in the governors’ offices, are closely examining this situation and their governments’ reaction and organizational response to it.
Figure on seeing more examples of independent CISOs, and even governors’ direct reports, in the future. The failure of this function is a potential nightmare for elected officials.