2022 Biennial Performance Report
Accelerating the Next Generation of Technology in Texas
2022-2026 State Strategic Plan
Goal 1: Secure IT Service Delivery
Texans entrust government with some of their most sensitive and confidential
information. State agencies bear the responsibility for ensuring that
information is not compromised.
The 2022-2026 State Strategic Plan identifies four objectives to help guide state
agency efforts to minimize security risks to technology and evolve cybersecurity
practices. Desired outcomes for agency alignment with the IT security objectives
below include mature, risk-based security programs; cybersecurity-aware
organizations; ongoing investment in cybersecurity staff; reduced exposure to
cyberattacks; and regional approaches to preparedness that build resilience.
Objectives
- Create scalable, integrated tactics for cybersecurity based on cost-effective security tools.
- Reinforce risk-based security practices, including continuous prediction, prevention, detection, and response to cybersecurity threats.
- Form a resilience mindset and a vigilant organizational culture through cybersecurity education and training.
- Develop regional approaches to cybersecurity engagement and response.
Assessment
The State of Texas has made great strides to address complex cyber threats targeting the
public sector. To continue this progress, state agencies must evolve cybersecurity practices
and identify security priorities specific to their agencies’ missions.
State agencies identified data protection, security training, and disaster recovery among
their top security initiatives for the next biennium.
Agencies must have mature, risk-based cybersecurity programs to protect against
increasingly sophisticated cyber threats. In 2022, state agencies are showing progress
in the following areas.
When cybersecurity incidents, natural disasters, pandemics, or other events disrupt
IT systems, organizations must respond quickly. Because Texas covers more than
268,000 square miles, regional approaches can help facilitate the rapid restoration
of government operations and services.
State agencies reported that they are prepared to respond to and recover from a
security incident, with 82% of agencies indicating they regularly review or revise
their security incident response plans. Furthermore, over half of agencies say they
have adequate resources to address the impacts of a security incident. Importantly,
all state agencies now have security incident response plans in place; many of these
entities are reviewing and testing them regularly – some as often as every six months.
Concerns
Agencies reported the same top five barriers to addressing security issues in 2022 as
they did in 2020. The increasing sophistication of threats remains the top issue, with
approximately 10% more agencies identifying this as a barrier than in 2020, followed by
a lack of sufficient funding and a shortage of cybersecurity professionals. More agencies
also reported a lack of documented processes as one of their top barriers.
Recommendations
The Texas Legislature prioritized cybersecurity in the 87th Legislative Session by funding
new initiatives and passing forward-thinking legislation to improve the state’s cybersecurity
posture. The bills passed created regional security operations centers, professional and volunteer
cybersecurity incident response teams, the Texas Risk Authorization and Management Program
for cloud computing services, and expanded security awareness training.
For the next biennium, DIR recommends that the legislature consider the following actions: