Strong Security Gains for State Governments, But the Work Isn't Done YetTo keep pace with an evolving threat landscape, government agencies should adopt a risk-based approach to security By: SecureWorks
The 2016 Deloitte-NASCIO Cybersecurity Study has some glad tidings to report. Starting in 2010, the National Association of State Chief Information Officers and Deloitte have teamed up to survey state CIOs biennially on how they are addressing cyber risk. This year's report recognizes what many state and local CIOs and Security Directors have been grappling with—that the very innovations which are improving government's efficiency and service to constituents are also introducing new cyber risk.
According to a NASCIO, state CIOs ranked cybersecurity as their top priority in 2014, 2015, and 2016. Small wonder when you consider the increase in security-breach headlines and instances of political hacktivism splashed across the media. According to Darryl Ackley, NASCIO President and Cabinet Secretary and CIO for the New Mexico Department of Information Technology, "There continue to be challenges with proper funding, finding qualified talent, and training and awareness. But the good news is that we are seeing positive indications that Chief Information Security Officers (CISOs) and CIOs are having a strong impact, as communication and collaboration among agencies and all levels of state government is increasing."
Communication Cadence with the Highest Levels of Government
Key findings from the study show the following positive gains in cybersecurity at the state government level:
- Increased attention from governors on cyber risks and mitigations
- A larger emphasis on cybersecurity within government operations
- Some improvements in security funding and access to security talent, although these remain top challenges.
Getting the governor's ear on vital cybersecurity issues is important. According to the 2016 survey report, 61 percent of state officials say that cybersecurity is discussed at executive leadership meetings at least quarterly, compared with 48 percent in 2014. Governors are receiving cybersecurity briefings more frequently as well, with 29 percent of CISOs reporting that they provide monthly cybersecurity reports to their governors compared with only 17 percent doing so two years ago.
Keeping Pace with Evolving Threats
CISOs continue to improve security operations. The survey respondents indicated that the top ﬁve functions within the scope of the CISO included:
- Strategy and planning
- Training and awareness
- Audit logs and security event management
- Incident management
- Vulnerability management
All of this is good news for the security posture of state governments. But the threat landscape continues to increase in size and complexity, and security budget dollars and qualified resources are still hard to come by. Still 80 percent of respondents say inadequate funding is one of the top barriers to effectively address cybersecurity threats, while more than half (51 percent) cite inadequate availability of cybersecurity professionals.
Essential Planning Can Make a Case for More Budget and Resources
Survey evidence suggests that devising and communicating a security strategy can help CISOs attain higher budgets and more full-time equivalents (FTEs) focused on cybersecurity. According to the survey report, 11 out of 33 states with an approved security strategy reported they have more than 15 FTEs dedicated to cybersecurity, and 16 out of 33 states with an approved strategy reported they had an increase in budget.
With critical budget and headcount riding on your security strategy, you can't afford to neglect essential planning. An effective security program should account for people, processes and technology within the context of risk. Rather than being an IT issue, information security should be championed at high levels of state and local government oversight.
Start by Assessing Your Risk to Understand Where to Begin Building Your Strategy
In order to create an effective security strategy, you need to conduct a security and risk assessment. This assessment will evaluate your controls against best practices and prominent security frameworks to determine how effectively those controls protect your organization from cyberattacks. It will also help reveal any weak security controls and areas of risk in your environment. Combined with clear guidance and recommendations to improve those controls, an assessment will help you establish a strong security posture that is more effective in protecting against cyber threats.
As governors and state legislatures become more security conscious, they may ask if you know where the most vital data resides. Where is it most vulnerable? And how you are best utilizing security dollars? Starting with a security assessment will help you answer these tough questions. It will also shift your organization from prevention-oriented security controls to a risk-based approach that focuses protection, prevention and detection around the most valuable assets in context with the most relevant threats.
Armed with guidance and insight from a security risk assessment, you can work to create a robust security strategy with processes and controls based on the security framework that best supports your organization, including:
- ISO 27001
- National Institute of Standards and Technology (NIST)
- Critical Security Controls Assessment (SANS Top 20).
The gains in cybersecurity awareness at top levels of state government, and the increased focus on security strategy are bright spots in the ongoing effort to prevent cybercrime. The next survey should occur in 2018. Why not start today when it comes to full awareness of where vital data resides, and the technical and organizational risks that affect it? Then use this context to align security with the needs of your organization, best practices, and a risk-based approach to meeting compliance.
To learn more about how state and local governments can benefit from a risk-based security strategy, please read our latest white paper, State and Local Governments Take a Risk-Based Approach to Cybersecurity.
 2016 Deloitte-NACIO Cybersecurity Study; State governments at risk: Turning strategy and awareness into progress; http://www.nascio.org/Portals/0/Publications/Documents/2016/2016-Deloitte-NASCIO-Cybersecurity-Study.pdf