Franklin commission weighs renaming IT department to include security amid concerns about scope and staffing

Chair Greg Strach called the Franklin City Technology Commission to order on Feb. 25 and the panel spent the majority of the meeting debating whether to change the city's Information Services/IT department name and scope to formally include security functions.

Richard Metalski, director of IT for the City of Franklin, outlined the case for a name and scope change, saying many security responsibilities are already being performed by IT but are not formally recognized. "We're doing it, but it's not in our scope of services," Metalski said, pointing to decentralized physical- and information-security functions, audits and an incident in 2024 that required forensic review of 2 to 2.5 terabytes of data.

Why it matters: Metalski told the commission that the expanded compliance and auditing requirements from CJIS and NIST have placed new obligations on the city's systems and that centralized authority would improve consistency. He said formalizing security could reduce enterprise risk by giving someone structural authority to set policies and require standards across departments.

Commissioners and members disagreed about boundaries. "I don't want you to have to just struggle with something that's beyond the scope," Chair Greg Strach said, urging caution about giving the IT director responsibility for matters such as when doors should be locked or physical security decisions at the water utility. James Rayberger raised the risk of one point of failure if too many responsibilities are centralized. Dan Romanzewski and others warned the IT team is already stretched thin.

Options discussed included creating a new dedicated security department; integrating security responsibilities more formally under IT while leaving physical operations with facilities or operating departments; or outsourcing specific security functions to third-party vendors. Andy Pelkey suggested pursuing grant funding and inter-municipal help, noting a state innovation-grant program as a possible source of support (Pelkey described that program as large enough to be worth exploring).

Metalski said several security functions already performed by IT — vulnerability management, identity and access management, web filtering, email security and body-camera and squad-camera data stewardship — would remain IT responsibilities even if a separate physical-security role were created. He recommended explicitly defining what is inside the IT boundary and what is outside it to avoid "scope creep."

The commissioners discussed practical budget and staffing steps, including a chargeback model to cost projects for IT support and a formal estimate process so the common council can account for ongoing resource needs during the July budget cycle.

Outcome and next steps: The commission did not adopt a final change. Members agreed to table the matter for additional work, ask the director of administration to join a future discussion and return with a proposed scope document and suggested charter revisions for the Technology Commission. The item will be carried to the next meeting agenda as "scope of IT service."