In a recent survey, state CIOs named "security and risk management" as their chief priority for 2016, followed by developing a framework for implementing cloud services.
[ Related: State CIOs List Security as Top Priority for 2015 ]
That security ranks at the top is hardly a surprise -- NASCIO, the association of state CIOs that conducted the survey, says that members have named security strategies their most pressing priority for the past three years.
In too many state governments, cybersecurity is still seen primarily as a technical issue, the province of the IT department, separate and distinct from the business side of the operation, according to Doug Robinson, NASCIO's executive director.
In the corporate world, particularly in the aftermath of high-profile breaches at household-name companies like Target and Home Depot, cybersecurity has commonly been elevated as a subject of discussion in the boardroom. Not so in the typical state government, says Robinson.
"Those same conversations unfortunately are not taking place as much as they should in the cabinet level and the governor's office," he says. "There's just not enough communication and conversation about this as a risk."
The challenge for state CIOs on security, Robinson explains, is "making it clear to public officials and appropriators that this is a business issue."
After security, state CIOs ranked questions around how state governments should adopt a cloud strategy a close second as a priority for 2016.
[ Related: 'Provider Sprawl' Complicates Government Move to Cloud ]
Certainly security issues are in play there, as well, though the greater challenge CIOs face in moving ahead with a cloud initiative is a procurement system that is oriented around technology that is owned and operated in-house, with the accounting skewed toward a capital expenditure, rather than operating expenses, according to Robinson.
However, despite some of those logistical and cultural challenges, the discussion of cloud computing in state governments has generally moved from a question of if to one of when and how.
"I don't think there's much of a debate that cloud is in their future," Robinson says.
He explains that that process is very fluid, however, with states typically moving lightweight, commodity applications like email to the cloud, but still hesitant to embrace the fully outsourced, public-cloud model.
"For the most part, I'd say most of the clouds today are private clouds, meaning they're hosted by the CIO organization," Robinson says.
But that's beginning to change, as well, as more state CIOs warm to the idea that they don't have to be the ones to deliver every service and application the organization uses.
"It's a philosophical debate as to whether the role of state government is to be the direct provider of all these services," he says.
"The CIOs clearly see their role in the future as a broker of a portfolio of services," he adds. "They see their model as changing -- 10 years ago they were the exclusive provider of all these services."
Now, CIOs are evaluating whether a wide range of applications would be better running through state facilities or from an outside provider. It's the same conversation IT shops were having a few years ago with email, Robinson explains.
[ Related: Government CIOs fret over apps reliability in the cloud ]
"Ten years ago I would have been a heretic if I'd said to CIOs you need to get rid of email, because that was a mission-critical service they suppled to all the agencies," he says.
While security and the cloud headlined the CIOs' ranking of their priorities for 2016, it's a crowded field. Respondents to NASCIO's survey also indicated their plans to focus on consolidating and optimizing services and operations, business intelligence and analytics, modernizing legacy IT, and establishing an "enterprise vision and roadmap for IT."
Other CIO priorities included efforts to cut or contain costs, recruit and retain top IT talent, improve the development and delivery of software, and advance their plans for disaster recovery and business continuity.
In many of those areas, CIOs could benefit from stronger support from key personnel in the executive branch and the legislature, Robinson says, stressing the importance of tech leaders winning the buy-in of top brass in the budget and procurement processes.
At an organizational level, states could bolster their IT operations with a more holistic governance model, Robinson suggests, citing security as perhaps the most critical area that could improve from a more consolidated operating structure.
"In too many states the security posture is decentralized. There's some general guidance, but there's not strong oversight and compliance," he says. "They've got a speed limit, but no one's running the radar gun."