- “NASCIO Survey Suggests Remote Work’s Star May Be Fading”
- “Bringing in the Next Generation of IT Talent in Georgia”
- “‘No Wrong Door’: Nebraska Works Toward Single Sign-On Portal”
WHAT ABOUT CYBERSECURITY NEWS?
As expected, cybersecurity was a major theme in several NASCIO conference sessions, and this overview article highlighting the 2022 Deloitte-NASCIO Cybersecurity Study starts this way: “CISOs are gaining attention outside the IT office and cyber funding isn’t a top challenge — for the first time in survey history. But CISOs still wrestle with talent gaps and need to strengthen local relationships to build whole-of-state approaches.”
The survey results listed in the report cover workforce gaps, whole-of-state cybersecurity and many other topics.
(As an aside, I covered the vital importance of the whole-of-state cybersecurity approach in this recent article.)
I really like the description given by Leah McGrath, executive director of StateRAMP, in a recent LinkedIn post on the NASCIO keynote session:
“Today’s National Association of State Chief Information Officers (NASCIO) Session on Cybersecurity was fantastic, and I was again impressed by the speakers and thoughtful discussion. The discussion also reinforced for me the importance of StateRAMP.
“I took a moment to write down a few takeaways: 1) The shortage in cybersecurity workforce will force government to look further to private sector partners and to collaborations like StateRAMP. Government will need to focus even more on doing only what they can do and working with others to achieve their goals. With StateRAMP, government can shift the work they are doing assessing third party vendors to StateRAMP, so they can spend more time doing what only they can do managing risk for the citizenry they serve.”
SURPRISING CYBER NEWS FROM THE NASCIO CONFERENCE
OK, so what surprised me regarding cybersecurity news from state governments over the past week?
First, several states mentioned that they may decide NOT to accept federal grant funds from the State and Local Cybersecurity Grant Program, because the paperwork, federal system monitoring of their state networks and other legal language contained in the program may make the funds more trouble than benefit.
Let me be clear that only a small number of states were saying that they may not accept federal grant dollars, and most states are eagerly working to submit their plans and get the funding ASAP. These states also said that they are working with the Cybersecurity and Infrastructure Security Agency (CISA) to try and address their concerns. Nevertheless, I was very surprised by these statements made in open conference sessions and in private.
Second, several states plan to submit joint plans with other states in order to remove the cost share requirements for their state budgets.
As stated in the fact sheet on the CISA website:
“What is the required cost share for individual projects? Answer: For applications made by an individual eligible entity, the FY 2022 non-federal cost-share requirement is 10%.
“What is the cost share for a multi-entity project? Answer: There is no cost-share requirement for multi-entity projects in FY 2022.”
Finally, the third item that surprised me regarding cybersecurity from NASCIO this week was the top concern from state CISOs listed in the Deloitte-NASCIO Cybersecurity Study: “Legacy infrastructure and solutions to support emerging threats” was the top concern at 52 percent — as compared to only 34 percent of the respondents in 2020.
“This year inadequate availability of cybersecurity professionals was the #2 concern at 50%. Also, inadequate cybersecurity staffing was third at 46% of the respondents.”
What shocked me about this? “Insufficient Cybersecurity Budget” was the top item TWO years ago, but it did not show up at all in the top five items in 2022. To be fair, the second item on the list was not enough cyber professionals, but budget is not the same thing.
FINAL THOUGHTS
Once again, the NASCIO conference provided a great opportunity to network and learn from public- and private-sector peers focused on government technology nationwide. As I have written many times, NASCIO is a must-attend conference for serious government technology leaders.
For those who could not make it, I urge you to visit the NASCIO 2022 Recognition Awards Library and learn from the best practices being followed by state award winners in various categories, including cybersecurity.
NASCIO awards dating back to 2017 can be found here.