According to State governments at risk: Turning strategy and awareness into progress, cybersecurity is becoming part of the fabric of government operations. For the first time in this biennial survey, all respondents reported having an enterprise-level CISO position.
Governor-level awareness also is on the rise, according to the survey, which found that 45 percent of respondents discuss cybersecurity monthly at agency or office executive leadership meetings — up from 30 percent in the 2014 survey.
That’s a phenomenal increase,” said Srini Subramanian, principal with Deloitte. “On the contrary, communication with the legislature is not seeing a positive trend. There’s not a consistent [connection with] state legislators.”
In Indiana, CISO Tad Stahl said when he first landed the role, “The governor [Mike Pence] said, ‘I want you to lean into it,’” he said, “and I didn’t know what that meant.” But, he added, “We definitely have increased exposure to the governor’s office. It’s not a direct from me to the governor’s office; normally I go through the CIO [Dewand Neely], who has monthly updates and that goes to the governor through him.”
Despite this increase in awareness, however, a “confidence gap” remains — two-thirds (66 percent) of state officials indicate they’re very or extremely confident that adequate measures are in place to protect against cyberattacks, while only one-quarter (27 percent) of CISOs maintain the same level of confidence.
This, Subramanian said, just underscores the importance of transparency in cybersecurity operations.
On the whole, the survey found that having a formal cybersecurity strategy in place can lead to more resources that are necessary for combating consistently evolving cyberthreats. And the top barriers for CISOs are insufficient funding and a shortage of quality cybersecurity professionals.
Cyber is an enterprise risk management issue, said Deloitte Managing Director Michael Wyatt, who shared a cautionary tale about how CISOs can express the status and priority of their program.
“When asking about investment in the program … balance the need with providing confidence to the legislature and governor about what you’re doing and what you’re doing right,” he said. “But be careful of co-mingling that with the ask.”
In other words, Wyatt said, share “pockets of goodness” to show that what you’re doing is working — but also stress what you need and why.
In the state of Washington, CISO Agnes Kirk said she and her team have made a concerted effort to educate over time.
“We realized our legislators have to make policy and funding decisions about vast topics,” she said. “Everybody has a need and at varying degrees. I just hope legislators understand that if you don’t invest in cybersecurity up front, you'll invest on the back end."
The survey also found consistency in what the state CISOs are doing when it comes to cybersecurity. “They’re starting to focus on areas that they can control,” Subramanian said.
Those top two areas, according to the survey, are strategy and planning, and awareness and training.
According to the survey, 67 percent of states have cybersecurity strategies documented and approved, 14 percent have strategies documented but not approved, and 18 percent have neither, but intend to get a cybersecurity strategy documented and approved within the next 12 months.
And the states with an approved strategy, Subramanian said, seem to have more success in getting additional resources and budget.
“When we established our funds, we put together a strategy [about] what we needed to do to address the most significant risks at the time,” Stahl said. “Largely for us, the strategy has stayed the same while tactics have changed.”
Washington also has a formal strategy that has been communicated not only within government, but also to the Legislature and the state’s private-sector partners.
“People can get behind a common vision once they understand what your agendas and goals are,” Kirk said, “because they understand that to execute on our strategy, we need to work together, to have a vision all can work toward.”
Connecticut, however, is in the third category: “We don’t have a strategy in Connecticut,” state CIO Mark Raymond said. “Nobody wants to give you money when you have problems. They want to give you money when you have a strategy to fix the problems.”
As for how cybersecurity relates to third-party services, it was noted that the confidence level on these is a bit questionable.
Kirk noted that state agencies are focused on their mission, not on cyberprotection. “When we talk about third parties, for us I look at it from the perspective that it’s less about the security controls but more concern about the real shared responsibility or viability,” she said. “I think that’s something we’re beginning to see in some of the new contracts. But until there’s true shared liability, we’re always going to struggle with how much and how to work that out.”
Many of today’s contracts were established well before cybersecurity became an issue, Kirk said, so it’s difficult to incorporate them. “That’s an area I believe we’re going to need to address,” she said. “Until there’s shared responsibility, I think CISOs will be a little reluctant to share data.”
Kirk also said that if “we don't do security well, we won’t be doing anything,” adding that she and her team are learning to leverage relationships, “because relationships are a force multiplier.”
And Wyatt made sure to mention that the term "cyber" must be used — not information security — in order to get policymakers’ attention