New Hampshire leaders sought to tackle the disconnect by leveraging a Cybersecurity Advisory Committee (CAC), originally established in 2011 and bolstered via a 2016 executive order. The organization has evolved over the years and proved itself valuable enough that the state recently fixed it into law. The legislative move gives the body a greater longevity, ensuring that a future governor cannot simply revoke the executive order backing it, state CIO Denis Goulet told Government Technology.
“We now know how to operate the CAC, so I felt like it was safe to enshrine it in statute,” he said.
PUTTING CYBERSECURITY AND BUSINESS IN CONVERSATION
The CAC is focused on promoting a more positive, informed cybersecurity culture throughout state government and developing policies that are more attuned to various agencies’ business realities. The committee regularly convenes representatives from different departments to get their feedback about in-development cybersecurity proposals, allowing the group to make better recommendations about what should become law.
“It’s an integral part of our cybersecurity governance process now,” Goulet said. “Particularly what we’re looking for is feedback from the agencies relative to our baseline cyber posture that would be built into any policy we’re trying to implement, because what we don’t want to do is unknowingly stop legitimate business activity with our cyber policy.”
During his more than six years as CIO, Goulet has seen the CAC evolve from its earlier form as a committee that met ad hoc and only with members of executive branch agencies to a more established body with an expansive membership.
CAC’s early days saw some agencies assign whichever staff member drew the proverbial short straw to be their representative in the committee meetings. But the group has worked to be taken more seriously and has had time to prove its impact. The CAC now pushes for agencies to send personnel who have enough influence to make changes and whose positions give them insights into their unit’s cyber postures.
“We want somebody who has the juice to get to agency leadership and make decisions on that level,” Goulet said. “I tell the other commissioners and executive directors in the state that you want somebody on the CAC, because we’ll make decisions that affect you.”
New Hampshire has been working to streamline its approach to cybersecurity oversight by establishing a minimum set of common security requirements across all state agencies, Goulet explained. Conversations with different offices helped cyber policymakers recognize where they needed to tailor their approach. For example, they learned not to simply block all state personnel from visiting “really inappropriate” websites, but to instead give an exemption to the attorney general’s office whose staff may need to access such sites in the course of investigative work.
These kinds of efforts and heavy emphasis on communication have helped push agencies to see cybersecurity as a collaborative effort with IT, Goulet said.
“The nature of how we interact with the committee is way more collaborative and less ‘we/they,’ because it’s not [seen as] us trying to do it to them, but they know, it’s us trying to work together to protect state data and the state continuity of government,” Goulet said.
That buy-in has helped the CAC pass strict policies while generating little pushback, Goulet said, such as a sweeping rule barring employees from doing anything on a state-owned device other than strictly state business.
DATA GOVERNANCE IS THE NEW CYBERSECURITY
The CAC worked over the years to change agencies’ thinking on cybersecurity, and IT officials are now regarding data governance as the next frontier for such culture campaigns.
Many agencies view data governance rules the way they used to view cyber: as burdens imposed on them externally by the IT department, rather than as important business practices for maintaining smooth-running operations.
“Data governance is a lot like cyber, in the sense that if you don’t do it, right, people are just going to look at it as an inconvenience and try to do everything they can to get around it instead of being part of the solution,” Goulet said.
Goulet said New Hampshire officials are now looking to the committee-based approach to generate traction. They’ve considered creating a CAC-like counterpart dedicated to promoting data governance awareness and communication, but currently are testing out simply expanding the Cybersecurity Advisory Council’s scope to encompass the new topic.
This latter effort is in its early stages, with the CAC recently holding its third monthly meeting on the new topic.