In the last several months, the new Florida Digital Service has seen a wave of high-level departures. Top officials have left without giving notice. It’s looking for its third chief information security officer, who leads cybersecurity defense for the state’s $100 billion government, in less than a year. Half of the state’s 10-member cybersecurity response team positions are vacant.
The rapid brain drain of technology experts has observers concerned about the state’s security amid a growing number of cyberthreats.
“Those seats being vacant is a massive concern for us. There’s no way around it,” said James Taylor, CEO of the Florida Technology Council, a trade group of technology companies that sometimes advises and assists state government but does not lobby. “Cybersecurity should be our No. 1 concern in our state right now.”
Like its counterparts across the country, the state government has seen a noticeable uptick in hackers trying to steal information or hold it ransom for millions of dollars.
In October, the state’s top regulatory agency was taken offline by a cyberattack. In January, the state said thousands of applicants for children’s health insurance might have had their personal information stolen during a subcontractor’s data breach. Last month, the state announced that attackers stole confidential information, including Social Security numbers and bank information, of at least 58,000 unemployment applicants.
In response to growing threats, state lawmakers passed a law this year giving oversight of cybersecurity to the Florida Digital Service, a new agency created in 2020 by DeSantis and the Legislature to resolve the state’s longstanding technology problems. They also assigned 15 new positions and $30 million to beef up state security.
To lead the new office, DeSantis last year chose former Republican state Rep. Jamie Grant, a lawyer from Tampa, as Florida’s new chief information officer with a $149,000 salary. Despite having little experience working in technology, Grant’s connections to the Legislature were seen as a potential asset in getting money and resources assigned to the office.
A LOOK AT THE STAFF DEPARTURES
Since Grant took over, the office has struggled to keep its employees. Several key people have left their six-figure state salaries — leaving behind critical state initiatives:
▪ The state’s chief information security officer is supposed to lead Florida’s cybersecurity response. The state is now looking for the third person to fill that role in a year. The first left within a month, later becoming the chief information security officer for the City of Tallahassee. His replacement was quickly hired but quit without giving notice six months later, becoming a private consultant, according to his LinkedIn profile.
▪ The state’s chief data officer quit in March before he could finish the Legislature’s task of cataloging the state’s data.
▪ In July, the state’s first-ever enterprise architect quit, just eight months after being recruited by Grant for an ambitious project to create a single technical framework to help improve every state agency. The project was due in October. It is now delayed until 2022.
▪ And earlier this month, the state’s chief operations officer quit. He was leading Florida’s negotiations on a potentially $500 million project to privatize the state’s data center, but he left before finalizing a contract with the winning bidder.
In all, about a third of the 185 positions under Grant’s supervision appear to be vacant, including half of the state’s cybersecurity team.
When asked why so many people have left, a department spokesperson did not say. Grant, in a statement, implied that some of the departures have been his choice.
“I promised the Florida Digital Service team that I would help them build an organization led by talented, dependable, and ethical leaders,” Grant said. “All of the personnel moves I have made have been consistent with that commitment and in furtherance of our team’s shared principles.”
He added that he was proud of the work the people currently in the Office of Information Security have done.
IS MANAGEMENT THE PROBLEM?
Former employees who spoke with the Herald/Times say they have bristled under what they describe as Grant’s chaotic managing style, and multiple people said they were “concerned” for the state’s cybersecurity with so many vacancies. All said they left on their own terms. None would talk on the record.
Grant told lawmakers this year that recruiting is one of his toughest challenges, and he said he’s adopting a “tour of service” model where top tech workers for private companies can work for the state for a year or less. So far, the agency doesn’t appear to have hired anyone under that model.
Most state agencies have their own tech departments, including information security officers, that can respond to agency-specific threats. But state lawmakers this year, at the request of DeSantis and Grant, made the Florida Digital Service the “lead entity” for assessing cybersecurity threats and creating a statewide plan. The bill named the chief information security officer — a position currently vacant — the point person for overseeing the state’s cybersecurity response.
The creation of the Florida Digital Service was a nod to the state’s longstanding struggles with coordination and oversight of technology projects. The state has faced embarrassing public failures in recent years, including the state’s SunPass tolling system meltdown in 2018 and the CONNECT unemployment system failing millions of Floridians last year.
The new office is the fourth iteration of a statewide tech agency. Its three predecessors were each shuttered over contracting scandals or clashes with the Legislature. For years, Florida was one of the only states in the nation without a chief information officer.
Since creating the Digital Service, DeSantis and lawmakers have dramatically expanded the office’s role. In addition to leading cybersecurity response, lawmakers recently required the office to vet and approve large technology projects across all state agencies.
The recent vacancies have put the state, and Grant, in a difficult position, Taylor said.
“Even if we had every position filled, and fully staffed, protecting our state while working to build an enterprise architecture to drive change would be a massive undertaking,” Taylor said. “A pandemic, combined with a rapid increase in cyberattacks, adds a new level of urgency for filling these vacancies with qualified staff.”
FUNDING MAY NOT BE ADEQUATE
State lawmakers also assigned $30 million for various cybersecurity measures this year, an amount observers say is nowhere close to enough.
“In terms of the third-largest state, it’s a ludicrously insufficient amount of money,” said David Taylor (no relation to James Taylor), Florida’s chief information officer from 2008 to 2012.
By comparison, Texas lawmakers this year assigned $105 million to cybersecurity, plus more than $1 billion more to modernize technology and increase security at state agencies, according to the Texas Department of Information Resources.
David Taylor said Florida’s political leaders don’t understand the seriousness of the cyberthreats the state faces. The only reason why the state hasn’t seen a critical system-wide breach is that attackers are busy going after targets with more money, he said.
“People had no idea how bad it was,” he said of his time as Florida’s technology chief. “When I was there, we had to beat heads to get some kind of awareness.”
Copyright 2021 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.