Alex talks with Amy about the newest NASCIO survey and report about the state chief privacy officer role, new AI responsibilities and continuing challenges around governance, funding and authority.
https://www.nascio.org/resource-center/resources/the-shifting-privacy-paradigm-state-chief-privacy-officers-evolving-roles-and-persistent-realities/
Find the transcript at: https://www.buzzsprout.com/704052/14859172
Alex talks with Amy about the newest NASCIO survey and report about the state chief privacy officer role, new AI responsibilities and continuing challenges around governance, funding and authority.
https://www.nascio.org/resource-center/resources/the-shifting-privacy-paradigm-state-chief-privacy-officers-evolving-roles-and-persistent-realities/
Find the transcript at: https://www.buzzsprout.com/704052/14859172
Hi and welcome NASCIO Voices, where we talk all things state IT. I'm Amy Glasscock in Lexington, Kentucky.
Alex Whitaker:And I'm Alex Whitaker in Washington DC. Today, Amy and I are talking about the newest State Chief Privacy Officer survey and report that was released a couple of weeks ago NA SCIO. As our resident privacy expert and author of the report, Amy is going to give us the rundown. Let's get into it. So we do surveys each year of the CIOs and every two years of the CISOs. How does the CPO survey compare to those?
Amy Glasscock:Yeah, really good question. So the CPO survey first of all, it doesn't really go along any particular cadence. We've done them three years apart, we've done them two years apart. We've done them two years apart. Probably need to be somewhat regular about them.
Amy Glasscock:But outside of that, there are some other differences. So the CIO and the CISO communities are already very well established. So every state has a CIO and every state has a CISO, and states are rarely asking about how those roles should be structured or how to hire one at this point. So those surveys are a lot more focused on policy issues and what they're working on, how they're thinking about different policy issues or new technologies or established technologies, things like that. So, by contrast, the CPO community is still emerging. Only about half of states have someone identified as working on privacy at the enterprise level, either full-time or as part of their job.
Amy Glasscock:So I look at this survey and report as more of a tool for two purposes. So one purpose is for the current state CPOs to use it as a benchmark to see where their state is in the process of developing a privacy program or establishing the CPO role, as well as something that they can take to the legislature or higher up in the executive branch to say look, other states are doing this and I think it would be great for us to do this too. Or this isn't just something I've been asking for. This is a recommendation from NASCIO, where the state chief privacy officer community of practice resides. And then the second purpose is for state CIOs or other state officials who are interested in hiring a state CPO, and these people are usually looking for guidance on what the reporting structure should be like and what NASCIO recommends, so that that future CPO has the best chance of success in their role.
Alex Whitaker:That's really so interesting, and one of the things that I've loved about watching the CPO community grow is just how it sort of mirrors how NASCIO has grown over the last few years, because I'm sure when you started you probably didn't expect to be running our CPO group as well.
Amy Glasscock:Yeah, definitely we didn't have one.
Alex Whitaker:Right, okay, so how is the role structured in state government and what have the trends been?
Amy Glasscock:So the reporting structure is kind of all over the place. 25% report to a state CIO, which is less than it has been historically. So in 2019, that number was 42% and in 2022, it was 29%. So it's continuing to decrease. And the number of CPOs who report to a CISO is also decreasing, at 19% currently, which is down from 33% in 2019 and 24% in 2022.
Amy Glasscock:The most common answer was other administration official, at 38%.
Amy Glasscock:So in my view, I think all of this shows that states are increasingly recognizing, like we do, that privacy is not just a function of technology or a subset of cybersecurity, but it deals with data in general.
Amy Glasscock:When asked how a state should ideally structure the role we always say, I always say that a CPO should have authority over the executive branch agencies and wherever that works best in that state is where they should be.
Amy Glasscock:And I also caution states not to embed the CPO too far down in the hierarchy of the executive branch, because they need to be able to have some authority to get things done. Now, when we ask current CPOs what branch they have authority over, only a little over half said that they had authority over the executive branch agencies and 41% said that they only have authority over their department or agency. So obviously we'd like to see that number go up for executive branch agencies and we found in the survey that lack of authority was a real challenge in general for respondents, and you know these folks are tasked with leading privacy initiatives for more than their agencies but aren't actually given any authority or budget to get things done and to get the things done that they know they need to get done as privacy pros. So obviously that's an issue.
Alex Whitaker:Yeah, unfortunately, hearing the refrain that a role is not getting the budget or support that it needs is not rare in state government, but certainly seems like the CPOs are really doing a lot of great work and it's always great to hear from them at at our conferences. Yeah, Um, so what is the thing that feels the most different in this survey as compared to the one two years ago?
Amy Glasscock:So, uh, Probably not a huge surprise, but this year we asked about the CPO's involvement in AI for the first time, and I feel like that is really the big thing that has shifted since have been involved in developing policies related to AI in their state. <p
Amy Glasscock:class="MsoNormal">So this year we asked about their involvement in AI for the first
Amy Glasscock:time and I feel like that is really the big thing that has shifted since 2022
Amy Glasscock:. 77% of state CPOs reported that they are or have been involved in setting policies
Amy Glasscock:related to artificial intelligence in their state. I would even go so far
Amy Glasscock:to say that the explosion of AI is adding to the relevance of the CPO role and
Amy Glasscock:the increasing interest in having one for states that don’t. <o:p></o:p></p> So
Amy Glasscock:. I also thought it was interesting that 94% of state CPOs said that they are involved at least some of the time in the approval process for technology-related procurements and contracts the time in the approval process for technology-related procurements and contracts, and I think I can draw the line to the fact that so many IT procurements have elements of AI in them now, which means that new terms and conditions may need to be added to standard old procurement language, and state CPOs who, by the way, are usually attorneys at least 75% of them are often weighing in on how to best do that.
Alex Whitaker:Got it. Well, I knew we couldn't get through a NASCIO podcast without mentioning AI.
Amy Glasscock:Of course not!
Alex Whitaker:Are there any stats that were surprising or went in a different direction than you expected?
Amy Glasscock:For sure. One is that the number of respondents who say that they're the first person to hold the role in their state has bounced around over the years. So from 2019 to 2022 to 2024, it went from 67% down to 41% and now back up to 56%. And those are folks that say that they're the first person to hold the role in its current iteration. So when it went down two years ago, that told me that the role had been around long enough, that several states had already replaced their CPO a time or maybe even two times. And then this year, when it went up again, you know, you realize that there are still a lot of states that are just now hiring a CPO or they're creating the role in a more official capacity for the first time. So you know we've had states that have a general counsel or someone working on privacy. And then, you know, the next year they're like okay, now we have a new role, we're hiring a chief privacy officer for the first time with that title. So that's kind of cool to see as well.
Amy Glasscock:And then, second thing that you know, sort of surprising was the number of CPOs that said that they have the authority to enforce privacy compliance. It was only 20% this year, compared to 42% just two years ago. Obviously disappointing to see that number go down, but I always take this with a grain of salt, considering the small sample size. You know, there's only like 25 people on our list. 17 filled out the survey. Did these respondents interpret authority differently than the respondents two years ago did? Or are states actually taking authority away from CPOs? I mean, I have to think it's more the first one, I hope. And then, finally, the number of respondents who said that they have an established privacy program in their state went down five points, from 29% in 2022 to 24% this year. That got some press in our trade press.
Amy Glasscock:But again, I think this just may have been more of maybe an interpretation of what established means to a CPO from one year to the next, or maybe more likely it could have been that even just one state with an established program that had filled out the survey two years ago didn't fill it out this year, and then that can throw the answers off. And so you know, I doubt any state just took an established privacy program and threw it out the door.
Alex Whitaker:Right. So for those states that don't yet have a chief privacy officer and you know, it sounds like there are a few, of course what are NASCIO's recommendations for those that would like to establish the role?
Amy Glasscock:Yes. So we have three recommendations, as we always try to do in these. So the first is to establish privacy governance. Privacy governance was the number one resource CPOs said that they need to do their job effectively. The second is to ensure dedicated funding and authority for state CPOs, for states that are creating the role or who want to elevate the role. So lack of authority and lack of funding were the top two challenges that CPOs said that they face and talked about that a little bit already. I will say two years ago only one state had a dedicated budget for privacy and this year three states did.
Amy Glasscock:So a little bit of progress there Still a lot more needed and with additional authority and with additional funding it's going to be easier to develop that privacy governance too. From the first recommendation. And then, finally, we recommend establishing and training agency leads. A lot more states are doing this now than they were five years ago, and I think that's great, because then you have a team of privacy advocates at the agency level who have a basic working knowledge of privacy and who also really understand the business of that agency as well as the unique privacy needs of the individual agencies.
Alex Whitaker:Got it. So lots of information and recommendations, but, most importantly perhaps, where can listeners read the report?
Amy Glasscock:Of course, yes, so I've just sort of, you know, done the high level here. There's so much more in the report questions we haven't even talked about today. But of course you can find it on our website under our Resource Center, and we'll definitely put a link in the show notes as well.
Alex Whitaker:Awesome. Well, amy, thank you so much. This has been so interesting, and I really encourage everybody who has not yet to check out the report, because there's a lot of fascinating stuff in there. But while everyone is very interested in the role of the CPO, of course and that's why they tuned in they are also, of course, here for the lightning round. Are you ready?
Amy Glasscock:I'm ready all right.
Alex Whitaker:Well, as host of our podcast, I will ask you do you have any new podcast recommendations?
Amy Glasscock:Yes, I do. I have been loving and I think our listeners would also enjoy Hard Fork, which is a technology podcast from the New York Times with Kevin Roose and Casey Newton and I know I've mentioned this to the policy team at NASCIO but they talk about current events and technology, a lot about AI. Of course, it's educational. It's really funny. I laugh out loud multiple times every episode and you can tell that they're friends and it's just a really great way to stay up on current tech events. So highly recommend it to our listeners.
Alex Whitaker:Awesome, that's, of course, after you listen to NASCIO Voices.
Amy Glasscock:Of course. I'm sure they'd recommend ours too.
Alex Whitaker:So we have talked about the fact that you saw the solar eclipse this week. Tell us what it was like.
Amy Glasscock:Yes, it was so amazing. I will say I'm going to come across like a real like sky nerd or something here. But when I got to drive into totality because it was only about two hours from my house took my mom and my daughter with me and was just kind of you know, not really knowing what to expect. I kind of wanted to see what it was like for it to get dark in the middle of the day. That was my main goal and I was like, well, if you have some clouds it's fine, but luckily we really didn't have any clouds.
Amy Glasscock:We drove to this beautiful little park in Ohio and watched it with a thousand other people and that moment, when the moon covered the sun and we could take our glasses off and look up at the blazing Corona, it was just completely magical. I think I had tears streaming down my face and my mom did too, and my daughter said, wow, just wow, that's all I can say. So you know, if you ever have an opportunity to see one, I definitely recommend it. Spain two years from now, maybe I'll try it, because the next one in the US isn't for like 20 years, yeah.
Alex Whitaker:Yeah, all I got was burned retinas because we didn't really get it in DC, but I'm glad that you had a great time. So now for what is my favorite lightning round question what did you want to be when you were a kid?
Amy Glasscock:I feel like most kids in the 80s 90s we were trying to were like trying to save the whales and we had our Lisa Frank folders with dolphins on them. So I wanted to be a marine biologist for a short time, and also an actress. Neither of those really worked out, but I don't care so much about the marine biology anymore, but being an actress would still be pretty cool.
Alex Whitaker:All right, ok, cool, I wanted to be Indiana Jones, but then I found out how much math and science are involved for archaeology, and now I'm the government affairs director at NASCIO. That's right, you never know, all right. Well, thank you so much for the overview, Amy. Hopefully, through this work, more states will be able to establish the CPO role without feeling like they're starting from scratch. So thanks so much.
Amy Glasscock:Absolutely, and I agree. That's certainly my goal. Of course, I'd like to see all the states with a privacy lead and I'd like to have all of them join our community of practice at NASCIO. Great Thanks.
Alex Whitaker:Thank you. Thanks again for listening to NASCIO Voices. NASCIO Voices is a production of the National Association of State Chief Information Officers, or NASCIO. Learn more at NASCIO. org. We'll be back in two weeks with a preview of our mid-year conference with Emily Lane. Talk with you then.