Nonprofit Offers Free Cybersecurity Consulting to Public Sector

The Center for Internet Security’s Cybersecurity Advisory Services Program is aimed at helping strengthen organizations that are involved in elections, health care, education and water utilities.

The nonprofit Center for Internet Security (CIS) has launched free cybersecurity advising services for under-resourced state, local, tribal and territorial organizations.

The Cybersecurity Advisory Services Program will prioritize requests from entities that are involved with IT infrastructure for elections, health care, K-12 education, and water and wastewater. The program officially launched in March, with two offerings. The first offers one-on-one consultations with a cyber expert, while the second brings together organizations within the same sector to learn about a specific cybersecurity topic and share experiences with each other.

This initiative is open to any member of either the Multi-State Information Sharing and Analysis Center or the Elections Infrastructure Information Sharing and Analysis Center, both of which are free to join for relevant government entities.

Former Montana CISO Andy Hanks helms the program and provides some consultations. Consultants also include former Missoula County, Mont., CIO Jason Emery, as well as advisers from Kroll Industries and Cyber Strategies Group, two vendors with experience consulting with state and local government. Hanks said making a difference means not just advising participants on what to do, but also helping them with how to do things, including directing them to free resources and tools.

“We don't want to just do a service [where] all they have is a document at the end of it,” Hanks said. “We want it to be able to be something that can further either their making a decision or taking an action to enhance their posture.”

Participants have sought advice on everything from understanding what qualifications to look for when considering candidates for cybersecurity positions to how to create and justify cybersecurity budgets.

“We have members that have some budget, but they don't know what to spend that on,” Hanks said. “We have other members that have no budget, and they want to know how to get budget.”

In some cases, participants already have strong cybersecurity, and the program advisers have been able to reassure them that they’re doing well. But overall, the most common question has been how to get started when an agency doesn't have a cybersecurity department.

This program intends to be responsive to organizations’ needs, Hanks said. The team is eyeing adding about nine more services and is open to helping develop other offerings as demand arises.

“The bottom line is, we’re here to provide cyber expertise to those that don’t have it,” Hanks said.

The program has already revised some approaches and timelines in response to feedback.

For example, Hanks and his team originally planned to introduce an 80-hour cyber consulting service and a 100-hour strategic service that participants would complete over 10 consecutive weeks. But for many of the small entities the program is trying to help, cybersecurity and IT are handled by an employee juggling those responsibilities alongside another full-time job. As such, it’s difficult for the employee to commit that kind of time.

In fact, some were having trouble finding time for just a one-hour consulting call and often had to reschedule it. Realizing this, Hanks’ team decided to split its planned multiweek series into individual one-off sessions that organizations can complete as schedules allow, selecting the topics and order that suit them. The program also fast-tracked plans to eventually offer a service focused on creating incident response plans, in response to demand.

Working with a small team and having strong backing sets the program up to be flexible and responsive, Hanks said. It’s supported by resources of the Center for Internet Security and the Multi-State and Elections Infrastructure ISACs as well as funding from the federal Cybersecurity and Infrastructure Security Agency.

To find out more or apply for community or member advisory services, interested parties can visit https://www.cisecurity.org/ms-isac/services/cybersecurity-advisory-services-program.
Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.