At this year’s Governing Outlook in the States & Localities conference, a panel of chief information security officers (CISOs) from state and local governments addressed the topic: “CYBER SECURITY: One of the Nation’s Most Serious Challenges.” Participants provided insight into their organizations’ greatest cybersecurity challenges and how they were managing to meet the threat landscape confronting them. Given that state and local government has historically lagged behind federal organizations with regard to dedicated cybersecurity resources, the panel discussion demonstrated progress in several key areas.
Key Areas of Progress
- Policy Imperative: At the state and local CIO level, motivation to protect personally identifiable information (PII) entrusted to government organizations has driven cybersecurity to become a policy imperative. State governors are moving, albeit slowly, to implement IT governance and policy reform and are finding effective leadership for the CIO and CISO positions. While the Veterans Administration debacle of losing a laptop with PII in 2006 might have put the federal government a few steps ahead, state and local government is moving in the right direction.
- Awareness: The panel discussed the priority of raising cybersecurity awareness and the various approaches to doing so. They all agreed that engaging the user community is a critical component of meeting the threat challenge in state and local government. In fact, data from the 2013 (ISC)² Global Information Security Workforce Study actually shows state and local organizations ahead of federal agencies in their consideration of “public awareness” as an important factor in effectively securing their organization’s infrastructure.
- Effective Controls: In addition to using NIST guidance to provide proper methods of understanding risk and implementing controls, state and local CISOs are using other sources of guidance such as SANS’ critical controls and COBIT to develop their organization’s security program. What impressed me about the state and local approach is the ability to mix and match various sources of guidance to effectively meet the needs of the organization. Conversely, the federal CISO is often limited by the government’s requirement to strictly adhere to NIST guidance when developing an agency security program.
- Workforce: State and local CISOs’ top priority is to find qualified staff while at the same time keeping up with threats and protecting their organization’s most exposed and critical systems. Hopefully, awareness of the federal human capital crisis and efforts to solve this challenge at the federal level will prove to be beneficial for state and local governments as well.
The Funding Roadblock
If there was one resounding roadblock to progress identified during the panel discussion, it was in the area of funding. The panelists approximated that state and local governments currently allocate a mere 1.5 to 2 percent of their IT budget to cybersecurity, whereas private industry allocates between 10 and 12 percent of its IT budget. While availability of funds for federal security programs is greater than that for state and local governments, federal funding still falls short of meeting the need.
State and local government organizations appear to be gaining ground in the race to secure government systems, but one thing is for sure: progress becomes a moot point in light of sizeable funding roadblocks. Until policymakers are able to grasp the complexities of cybersecurity and allocate resources accordingly, the funding roadblock will continue to threaten progress across all government organizations.
Marc H. Noble, EWB Member and (ISC)² Director of Government Affairs, was lead author of this peer-reviewed post