The pandemic propelled new levels of digitization — with CISOs working to keep it all secure and private — and the rest of government has become increasingly aware of cyber threats. For many CISOs, that’s led to more engagement with legislative and executive branches, but persistent challenges remain.
CISOs are grappling with talent gaps and weak relationships with local agencies. The latter has emerged particularly as an obstacle to whole-of-state cybersecurity and new federal grants requiring collaboration with local partners.
CISOs also remain concerned about ransomware and other malware, while seeing foreign state-sponsored espionage as an increasing threat.
Today’s state CISOs must strive for statewide cybersecurity approaches, revise recruitment and retention approaches that appeal to more job seekers, and advocate for reliable, long-term dedicated cybersecurity budgets that enable them to tackle the needs of the present and prepare for the future, the report recommends.
WORKFORCE GAPS
Many CISOs are taking on more responsibilities and confronting ever-more sophisticated cyber attackers, but don’t have all the capabilities they need on staff and struggle to hire more.
Sixty-two percent of CISOs said personnel don’t have all the “knowledge, skills and behavior” to meet current and anticipated cybersecurity requirements. This is a familiar problem, with 70 percent of CISOs saying the same in 2020.
Hiring woes have gotten worse: 50 percent of CISOs said there is “inadequate availability” of cyber professionals — a sharp jump from the 28 percent saying the same in 2020.
Plus, states may need to offer more than traditional hiring pitches, focused on retirement plans, job stability and meaningful public service. Today’s younger candidates often want a diverse, inclusive environment and at least part-time remote work options, per the report.
Only 25 percent of CISOs offer remote work, said Srini Subramanian, principal in Deloitte’s US Government and Public Services practice.
Some adherents are finding success:
“We are fully remote and I think people are really enjoying that. We certainly hope that that will continue,” said Connecticut CISO Jeff Brown during NASCIO’s annual conference. His office reassesses its remote work policy about every six months.
Michigan, meanwhile, has shifted into a hybrid model as the pandemic receded, with staff spending two days in the office, CISO and CIO Laura Clark said. The state isn’t exclusively focused on productivity, Clark said, but also looks at benefits like the observational learning that occurs among on-site colleagues.
States are also testing other lures, with Brown suggesting sign-on bonuses and putting job titles into the right language to reach recruits. Changing a job title from “ITA3” to “Deputy CISO” will draw more applicants, for example.
But it’s not all about hiring: states can also make strides by continually training their existing staff, collaborating with higher education institutions to build up workforce pipelines and supplementing in-house capacity with contractors and other third parties, the report notes.
WHOLE-OF-STATE SECURITY
CISOs have been firming up their positions within the state enterprise, garnering recognition beyond the IT office. All states now boast CISOs, and 44 percent have their roles and authorities established and funded by law or statute.
Many also communicate more frequently with legislators and governors. The portion of CISOs who are “never” required to report to the governor about cybersecurity statuses or postures shrunk from 18 percent in 2020 down to 8 percent in 2022, for example.
Weak relationships with local agencies, however, remain a key problem, with local agencies lagging behind their state counterparts in adoption of enterprise security services. States could put everyone on better footing by stepping in with intelligence sharing and supports like cybersecurity training.
“The majority of localities are small to mid-size, and they very much need the help,” said NASCIO Director of Policy and Research Meredith Ward.
State CISOs first must establish trust if they want local agencies to accept their services, Clark advised. That means having regular meetings and conversations focused on local partners’ needs: “Have the conversation they want to have, not the conversation that you want to have,” she said.
That’s an issue CISOs are noticing as they consider how to use the State and Local Cybersecurity Grant Program (SLCGP). Eighty percent of the money must support local governments, through direct funding or shared services. This could be an opportunity for deepening collaboration, but trust is a hurdle: 63 percent of CISOs said the greatest obstacle to fulfilling SLCGP requirements would be “resistance by local government to state oversight.”
EMPOWERED ROLES
Building and maintaining a strong cybersecurity program requires resources that won’t vanish with political and economic changes.
Executive and legislative branches should ensure CISOs have the authority and reliable, continued funding to power these and other efforts, the report said. That includes a designated cyber budget — a concern for the 46 percent of CISOs who still see these funds come out of the general IT budget.
Still, as CISOs look ahead, they currently have fresh resources to help them. The federal relief funds and cyber grants have helped, and 30 states saw cyber budgets grow. That includes 23 percent of CISOs reporting a more than 10 percent increase. (Admittedly, “cyber spending was not very high to begin with,” Subramanian noted.)
NASCIO has been running this survey every two years since 2010 and, Ward said, “This is the first time ever that CISOs didn’t say that budget was their top concern.”
CISOs also may be working alongside more colleagues, with the past two years seeing an uptick in the number of states with chief privacy officers, chief risk officers or identity program directors.
LOOKING AHEAD
As CISOs consider the threat landscape, 67 percent consider phishing and pharming a “very high or somewhat higher” threat in the coming fiscal year — down from the 85 percent saying the same in 2020. Meanwhile, 75 percent regard ransomware and other malware as growing threats, and 54 percent named foreign state-sponsored espionage.
As they prepare for this year and the next, CISOs are focused on areas like cybersecurity strategy, multifactor authentication, risk assessments, endpoint detection and response (EDR) and enterprise identity and access management (IAM).
Michigan, for one, has been homing in on IAM as part of a move toward zero trust, and Brown noted IAM is a key part of fraud reduction.
“This is a really simple subject that’s really hard to get right,” Brown said. “IAM is really ‘who are you and what are you trying to do?’”