October 20, 2013    /    by

State CIOs answer questions on cybersecurity and disaster recovery (DR)

What do state government Chief Information Officers (CIOs) believe are the greatest enterprise risks in 2013?

Emergency Operations

Photo credit: Shutterstock/donvictorio

   What do state government Chief Information Officers (CIOs) believe are the greatest enterprise risks in 2013? How do CIOs characterize the current status of cybersecurity programs in their state? What action steps are they taking regarding disaster recovery, business continuity or other infrastructure initiatives? How do the cloud services or mobility projects fit into their plans? Are states prepared for the next emergency?

All of these topics and more are covered in a newly released 2013 State CIO Survey that was one highlight from the National Association of State CIOs (NASCIO) Annual Conference in Philadelphia this week. The survey results are combined into a report which is entitled, The Enterprise Imperative: Leading Through Governance, Portfolio Management, and Collaboration.

The report was the result of a combined effort from NASCIO, Tech America and Grant Thornton.

 Detailed questions in the survey cover a wide range of topics, from IT procurement to social media to consolidation. I am focusing on just two sections in this blog: Cybersecurity and Disaster Recover/Business Continuity. Still, I urge readers to examine the entire report.

Cybersecurity Survey Results

First, the survey and summary results, which are found on cybersecurity on pages 10-11, are telling. Figure 9 in the report characterizes the current status of the cybersecurity programs in state government. Here are some of the statements along with the percent of CIOs who have taken the action or who agree:

Adopted a cybersecurity framework based on national standards and guidelines - 78%

Acquired and implemented continuous vulnerability monitoring capabilities - 78%

Developed security awareness training for workers and contractors - 78%

Established trusted partnerships for information sharing and response - 75%

Created a culture of information security in your state government - 73%

Adopted a cybersecurity strategic plan - 61%

Documented the effectiveness of your cybersecurity program with metrics and testing - 47%

Developed a cybersecurity disruption response plan - 45%

Lack of executive support - 6%

Figure 10 in the same section of the report describes the barriers that states face regarding cybersecurity. Here are some examples with percentages of CIOs who agree:

Increasing sophistication of threats - 83%

Lack of adequate funding - 77%

Inadequate availability of security professionals - 55%

Emerging technologies - 42%

Lack of visibility and influence within the enterprise - 25%

Lack of support from business stakeholders - 21%

Inadequate competence of security professionals - 19%

Lack of clarity on mandate, roles and responsibilities - 13%

Lack of legislative support - 12%

Other - 10%

My view on these cybersecurity survey results from state CIOs are mixed. On the one hand, cybersecurity has clearly become a top priority nationwide. Significant steps are being taken in the majority of states to move programs forward, and CIOs are finding the executive support and building new plans to improve their cyberdefenses. CIOs understand that threats are becoming more sophisticated, and they are trying to get additional funding that they need. But why do so many CIOs still lack the required funding, if the executive support is there?

Overall, these numbers seem about right to me – with few surprises.

On the other hand… I worry about the quality of this work described. How effective is the awareness training? How updated are the strategic plans? Are our government enterprise cultures truly “security aware?” I have my doubts.

 For example, I know the amount of time resources we have invested in Michigan to build our cyber disruption response strategy. It has taken over a year and a huge amount of interaction with the public and private sector throughout Michigan.

Is it really true that 45% of states have developed a cybersecurity disruption response plan? While I don’t question the integrity of the answers, I have only seen a few states who have similar plans that have been tested by tabletop exercises with workable provisions that are needed.  In fact, I know that Michigan has a long way to go in this particular area – even with a just published plan.

 Disaster Recovery & Business Continuity Survey Results

 On pages 13-14 of the report, survey results are presented regarding the role(s) that CIOs play in disaster recovery (DR) and business continuity planning (BCP). The charts make it immediately clear that CIOs are very involved in emergency planning and response efforts throughout state government enterprises around the country.

But Figure 15 on page 14 has some rather sobering results. When asked how often the state’s IT disaster recovery / business continuity plans are reviewed and updated, the results were as follows:

Continually - 19%

Quarterly - 0%

Semiannually - 14%

Annually - 39%

Biannually - 6%

Other - 22%

Final Thoughts

In my experience, states continue to struggle in these cybersecurity, disaster recovery and business continuity planning areas. The consistent quality of our efforts across state government enterprises leaves more work to be done. Are these the numbers for the most-protected systems in the event of an emergency or the least protected? Are the backup procedures and recovery plans comprehensive enough?

The CIOs on stage at the 2013 NASCIO Annual Conference described mainframes that are tested and backed-up, but many other client-server systems and networks that are in need of much more attention. My fear is that at least a third of states, and probably more like two-thirds, have major holes in this area. Even the states that are doing well have varying levels of DR and BCP across agencies.

Within Michigan, we also have a mixed picture, with most critical systems well protected and backed-up. However, we also have many systems that are not ready for a disaster if/when one strikes. A lack of resources or other priorities for new systems are often the reasons given by business executives for not adequately supporting DR and BCP efforts.

In conclusion, the 2013 State CIO Survey provides a wealth of data regarding trends across state governments. Read the report. The data allows IT and security leaders to benchmark where they are as compared to their peers. The results enable us to see if we are engaging in the right activities, projects and plans.

But the true “quality of this work” question can only be answered by the technology leaders within each state. My view is that many of these answers are given as "best case scenarios" for the agencies within each state that are doing well. However, it is difficult to give one reliable answer for an entire state government enterprise, since every agency has somewhat different business priorities and budgets.

One thing is for sure: Time will ultimately tell if we are ready for the next emergency.