DATE: July 8, 2025
TO: Board of Supervisors
SUBMITTED BY: Paul Nerland, County Administrative Officer
Mike Kerr, Director of Information Technology/Chief Information Officer
SUBJECT: Establishment of Office of Information Security under the County Administrative Office
RECOMMENDED ACTION(S):
TITLE
1. Establish and authorize the assignment of operational management for the Office of Information Security (OIS) under the County Administrative Office; and
2. Approve Amendment to the Salary Resolution establishing the Information Security Analyst classification series and the Information Security Manager and Chief Information Security Officer classifications; reclassifying one Deputy Director of Information Services laterally to Chief Information Security Officer, one Information Technology Manager laterally to Information Security Manager; three Information Technology Analysts laterally to Information Security Analysts, and two Senior Network System Engineers laterally to Senior Information Security Analysts, transferring the positions from Org 8905 to Org 8909, and approve Amendments to the Salary Resolution, Section 100, effective July 7, 2025, as reflected in Appendix “F”; and
3. Adopt Budget Resolution decreasing FY 2025-26 appropriations and estimated revenues for Information Technology Services Department (ITSD) Org 8905 in the amount of $726,081 for the period of July 1, 2025, through the adoption of the FY 2025-26 Final Recommended Budget (4/5 vote); and
4. Adopt Budget Resolution increasing FY 2025-26 appropriations and estimated revenues for the OIS Org 8909 in the amount of $726,081 for the period of July 1, 2025, through the adoption of the FY 2025-26 Final Recommended Budget (4/5 vote).
REPORT
There is no Net County Cost (NCC) associated with the recommended actions. Approval of the first recommended action will create the OIS under the County Administrative Office, utilizing existing positions within the Information Technology Services Department Org 8905. The County Administrative Officer, or their designee, will oversee OIS operations. Unlike County IT security teams that focus on operational security within individual systems, the OIS will provide centralized governance, enforce countywide cybersecurity standards, and coordinate risk management across all departments.
Approval of the second recommended action creates the Information Security classification series, establishes the Chief Information Security Officer (CISO) classification, and reclassifies seven existing positions to perform Information Security functions within the Office of Information Security, without adding any new positions.
Approval of the third and fourth recommended actions will decrease ITSD budgeted appropriations and allow the re-budgeting of appropriations to OIS Org 8909 in FY 2025-26. The recommended budget resolutions are necessary to provide the budgetary tools necessary for the new OIS position classifications under org 8909 without an increase to the Internal Services Fund overall budgeted appropriations and estimated revenues. This item is countywide.
ALTERNATIVE ACTION(S):
If your Board were not to approve the recommended actions, the Office of Information Security would not be established, the existing classifications would remain under the Information Technology Services Department, and the incumbents would not be reclassified to the more appropriate Information Security roles.
FISCAL IMPACT:
There is no increase in NCC associated with the recommended actions. Approval of the third and fourth recommended actions will decrease ITSD budgeted appropriations and estimated revenues in the amount of $726,081 and fully offset the budgeting of appropriations and estimated revenues in the amount of $726,081 to OIS Org 8909 in FY 2025-26 for the period between July 1, 2025, and the Board of Supervisors’ adoption of the FY 2025-26 Final Recommended Budget.
DISCUSSION:
In response to growing cybersecurity threats, the County engaged B. Riley Advisory Services (B. Riley) to conduct a comprehensive cybersecurity assessment. The assessment advised that the County would benefit from centralized cybersecurity authority, a formalized risk management program for cybersecurity issues, and more consistent security policies, standards, and situational awareness capabilities. If unaddressed, these systemic issues could leave the County's critical systems and data exposed to increasing cyber risk.
To address these issues, B. Riley recommended the creation of a centralized Office of Information Security, independent from, and to provide oversight to, County Departments and information systems, led by a CISO reporting to the County Administrative Office. The CISO will have the authority to establish and enforce Countywide cybersecurity and information policies and standards, conduct security risk assessments, direct incident response efforts, review and approve security architecture, and require corrective actions when security protocols are not adhered to. This structure will be designed to establish centralized cybersecurity and information governance, enforce Countywide standards, and build the foundation necessary to support a resilient and modern security program.
Following this recommendation, the County Administrative Office, in coordination with Human Resources, initiated a classification and compensation study to define and inform the proposed OIS. This effort demonstrated the need to create dedicated security classifications by reorganizing existing personnel into clearly defined cybersecurity roles, thereby establishing the County’s first centralized cybersecurity function.
Approval of the recommended actions will:
• Create the OIS under the County Administrative Office.
• Create distinct classifications for Information Security roles, setting them apart from other County Information Technology positions and formalizing the structure and responsibilities of the Office of Information Security.
• Establish the Information Security Analyst, Senior Information Security Analyst, Information Security Manager and CISO classifications.
• Reclassify one Deputy Director of Information Services laterally to CISO, one Information Technology Manager laterally to Information Security Manager; three Information Technology Analyst IV positions laterally to Information Security Analyst, two Senior Network System Engineers laterally to Senior Information Security Analysts; and transfer the positions from Org 8905 to Org 8909.Update Footnotes E and y of Section 100 of the Salary Resolution. This will add the Information Security Analyst and Senior Information Security Analyst classifications to Footnote E for eligibility for call-back, stand-by, and on-call provisions, and to Footnote y for eligibility for the same base salary increases/decreases afforded to their represented counterparts.
• Authorize a Budget Resolution in the amount of $726,081 from the Information Technology Services Department Org 8905 to the Office of Information Security Org 8909 to provide interim appropriations for salary and benefit costs for the seven reclassified positions and services and supply costs from July 1, 2025 through October 1, 2025, ensuring uninterrupted funding and operational readiness of the Office of Information Security.
ATTACHMENTS INCLUDED AND/OR ON FILE:
Salary Resolution Amendment - Appendix “F”
On file with Clerk - Budget Resolution (Org 8905)
On file with Clerk - Budget Resolution (Org 8909)
CAO ANALYST:
Amy Ryals