Ohio CIO Stu Davis talks to private-sector CIOs during the NASCIO conference last month in Philadelphia. Photo by e.Republic/David Kidd
A familiar hot topic is back in the #1 priority slot for state CIOs. After bouncing around in the top ten rankings for the past few years, cybersecurity is back at the top of the “must do” list.
But why? After providing some background, I'll explain five reasons.
According to a National Association of State CIOs (NASCIO) press release issued last week:
IT security strategies and tools are at the forefront of discussion around the states, with ‘Security’ topping the list of Priority Strategies, Management Processes and Solutions and ‘Security Enhancement Tools,’ such as continuous diagnostic monitoring, coming in second among Priority Technologies, Applications, and Tools.
With the breadth and depth of cross-sector cybersecurity issues now facing local, state and federal governments, the sense of urgency is now growing stronger. For example, NASCIO President and Mississippi Chief Information Officer Craig Orgeron recently said,
"It is significant that security has now risen to the number one priority on our top 10 list. As I presented in congressional testimony before the Committee on Homeland Security last week, cyber-attacks against state governments are growing in number and becoming increasingly sophisticated. Security has to be the top priority for all sectors. Clearly from our top 10 voting results, the state CIOs agree on this.”
The complete top 10 final priority ranking for state government CIOs can be found at this NASCIO website.
In the state CIO surveys, the security category is more specifically defined as: “Risk assessment, governance, budget and resource requirements, security frameworks, data protection, training and awareness, insider threats, third party security practices as outsourcing increases, determining what constitutes ‘due care’ or ‘reasonable.’”
The other management process and solution priorities in the top five are:
2) Consolidation / Optimization
3) Cloud Services
4) Project and Portfolio Management
5) Strategic IT Planning
The top five priority technologies, applications and tools selected for 2014 are:
1) Cloud computing: software as a service
2) Security enhancement tools: continuous diagnostic monitoring (CDM), digital forensics
3) Mobile Workforce: technologies and solutions
4) Enterprise Resource Planning (ERP)
5) Virtualization: servers, desktop, storage, applications, data center
Why highlight this poll now?
As mentioned in previous NASCIO press announcements, security has always been a top ten priority for state CIOs. Security was the #3 priority last year, the #6 priority two years ago and the #7 priority three years ago.
Notice a trend?
Remember that the majority of state CIOs started in their current roles over the past three years, after the 2010 elections brought in a host of new Governors. This means that cybersecurity has been a rising issue for them since day one.
Another interesting aspect of this survey result is that security is a part of almost every other priority listed as well. For example, CIOs could have just assumed that security is a major component of cloud computing or mobile strategies or datacenter consolidation or application development.
But no – security is still highlighted separately. And now security is back at #1.
A few years back, many experts even predicted that security would be incorporated into everything in IT and become less of an overall (or at least unique) challenge. The drop in security's importance in the NASCIO survey results at the time seemed to affirm that perspective.
Why is that? In my view, the reasons get back to where IT leaders are spending their time - and losing their sleep. That leads us to the question: What issues are CIOs most worried about as we head into 2014?
Five trends that keep CIOs up at night
Here are my top five reasons why security is now back at #1 in the NASCIO survey:
1) The number of security incidents occurring now. Breaches are happening, and talented leaders often take the fall when they do. From South Carolina to wherever…, there have been both high profile and lower profile security incidents in 2012-2013. More cyber headlines are inevitable. No CIO wants to be a 2014 headline or in a breach news story.
2) The bad guys are getting much better – and it is hard to keep quality good guys (white hat hackers). As CIOs and CISOs dig into potential solutions, the gap in talent and resources becomes more painfully apparent. Meanwhile, the current model for bringing in and keeping the best all-around security staff needs to be reexamined in many states.
3) The scope and complexity of securing major new computer systems. Managing contractors and integrators, as well as multiple technology teams, is a constant headache. The recent security and performance challenges of deploying the Healthcare.gov website are another current reminder.
4) The ubiquitous use of technology in every area of life. From pacemakers to cars that drive themselves – the list of issues and areas impacted by cybersecurity is growing. The never-ending number of enhancements to mobile devices, cloud computing and other technology means that security is a moving target with hard to define end points. Can we ever declare victory?
5) The people problem in security. From providing effective new cyber training to rolling out BYOD programs to stopping staff from clicking on bad links, it is hard to influence an employee who now depends on their mobile device to get their work done. Social engineering has become an even hotter topic in global enterprises. Add in the incoming millennial generation and retiring experts, and the complexities associated with culture change are harder than ever to address.
In short, cybersecurity is back as the top priority.
Are you really surprised?
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.
He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.
Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.
He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.