A recent study, State Governments at Risk: Turning Strategy and Awareness into Progress, by Deloitte & Touche LLP (Deloitte) cybersecurity service practices and the National Association of State Chief Information Officers (NASCIO), has some important cybersecurity risk lessons and advice for local governments.
The survey, conducted every two years, asked state and federal chief information security officers (CISOs) and other officials about the status of cybersecurity in their states, as well as their perspectives and insights.
Their concerns have implications for local governments as well. But while some larger local governments may have the resources to attract and retain cyber specialists, most smaller governments do not. Report co-author Srini Subramanian, Deloitte principal and state government cyber risk services leader, told EfficientGov about the ways local governments can raise awareness about, and also address cybersecurity risk.
The report recommends that governments strategize cybersecurity process, funding and communications.
Governments should first document and formalize their cybersecurity strategies and go through that process with stakeholders. By ensuring input from various parties, governments can improve their overall cybersecurity strategies while strengthening collaboration among civic departments. The effort can also increase the chances of garnering more funding for cybersecurity needs.
“States taking a proactive approach to strategy setting and communication are more likely to see improvements in funding and access to talent,” said Subramanian, citing the 16 out of 33 states with an approved strategy surveyed reported an increase in budget.
A formal strategy can engage stakeholders in several ways:
- First, the development of the strategy itself can be a way to engage and generate constructive dialogue
- Second, once in place, strategy updates can provide regular check-in points
- Third, a strategy can provide clear goals and metrics, demonstrating how progress is being made
“This progress then gives stakeholders greater confidence and understanding in how cybersecurity is being addressed,” he said.
While cybersecurity budgets have increased at the state, and more significantly at the federal level, the results showed a greater need for CISOs to more effectively communicate evolving cybersecurity risk. It seems about two-thirds of other state officials surveyed are confident that data is adequately protected. The realities of cybersecurity are a little more rocky than they understand, which can affect cybersecurity funding.
That’s because cybersecurity is always evolving. This year’s survey revealed that top level government cybsecurity officers see a new wave of cybersecurity threat on the horizon. They cited threats targeted at employees—phishing, pharming, social engineering and ransomware are a top concern for 2016. They are also concerned about the security practices of third parties–contractors, service providers and business partners.
Local governments should work with stakeholders to make cybersecurity a line item on budgets. Like any business, funding for solutions should be commensurate with risk.
Cyber talent is one area of need at all government levels. “Even at the state government level, CISOs cite inadequate availability of cyber professionals as their second biggest challenge – next to funding,” said Subramanian.
He suggests local governments can look at creative collaboration with other cities and the state to share cybersecurity resources, like talent. “Collaboration with State level CISOs/CIOs will help, particularly when it comes to needing to get assistance to deal with a threat or an incident,” he advised.
One way to persuade cyber talent to consider local government employment is to focus on opportunities to make impacts in their communities, as well as by providing educational incentives. “This strategy of winning hearts and minds, coupled with a rich training and development opportunities — are becoming the basis to recruit millennial talent,” he noted.
Because survey results suggest state officials are significantly more confident than CISOs about their states’ abilities to protect against cybersecurity risk, the right cybersecurity risk messages may not be getting across.
Subramanian advises local governments to use metrics and numbers to tell a compelling story about cyber risk. They should also increase frequency of their cybersecurity communications—especially with civic executives and state legislators—to more effectively communicate the cybersecurity risk their governments are facing.
“Know your state level CIO/CISO counterparts; open a channel of communication and share threats, incidents, best practices…Provide special briefings on specific threats that seem to target local governments,” he said.
For example, when facing a ransomware threat, brief leadership on what the threat is, the risks to your local government, your plan and needs to mitigate these risks.