I was in Jackson, Miss., this past week as the opening keynote speaker for their annual Cybersecurity Summit. The event is held in October every year by the Mississippi Department of Information Technology Services (ITS) and is one of hundreds of similar events held around the nation as part of National Cybersecurity Awareness Month (NCAM).
I was impressed with the diverse audience of young and old with attendees from state government agencies, local governments, universities, K-12 school districts, private companies and more. But what impressed me most was the strong, clear, specific call to action that was presented by Dr. Craig P. Orgeron, who is the Mississippi government CIO, and Jay White, Mississippi state CISO.
And they are not alone. There is the consistency of messages and attention to detail regarding cybersecurity activity and actions within organizations across the nation that is encouraging to me. Coverage of the summit and announcements on cybersecurity protections by the Mississippi Attorney General was provided by Mississippi Public Broadcasting and other media outlets.
No, the presentations were not just a litany of PowerPoint slides with scary headlines about the relentless number of data breach headlines over the past few years. Sure, there was a bit of Fear, Uncertainty and Doubt (FUD) offered, but speakers from AT&T and Cisco also articulated vendor-agnostic support for the Cybersecurity Framework and steps toward implementing the needed risk-based security improvements in state and local governments.
The available solutions provided by the speakers offered meaningful alternatives to the traditional check-the-box approach that so often limits security programs to focus only on closing audit findings. I link to several of these solutions and best practices in the sections below.
2015 National Association of State CIOs (NASCIO) Annual Conference in Utah
Next up is the annual gathering of state government CIOs and their technology and security teams in Salt Lake City, Utah. The NASCIO Annual Conference theme this year is “Taking Off: Advancing Smart Government.”
And you can be sure that cybersecurity will be front and center in almost every topic and conversation. Cybersecurity was the No. 1 priority for NASCIO in 2015, and it is hard to see that changing in 2016.
The conference agenda is full of cutting-edge topics such as a smart government keynote panel – “Smart Cities, Smart States: Adapting Lessons Learned at the City Level.” There will be an afternoon breakout session which will highlight security and privacy challenges in smart government and how to overcome and manage these risks. I encourage readers to follow the conversion and #NASCIO15 tweets on Twitter.
Even if you are not attending this year’s conference in Utah, NASCIO offers several free security resources that can greatly help public-sector cybersecurity efforts as well as the vendor partners that support state and local governments. Here are two examples:
“… The guide includes new information from our state members, who provided examples of state awareness programs and initiatives. This is an additional resource of best-practice information, together with an interactive state map to allow users to drilldown to the actual resources that states have developed or are using to promote cyber awareness. It includes contact information for the CISO, hyperlinks to state security and security awareness pages, and information describing cybersecurity awareness, training, and education initiatives. ...“
NASCIO Innovations Forum: MI and CT Cyber Disruption Plans
More on National Cybersecurity Awareness Month (NCAM)
Beyond state governments, NCAM is a national priority that is kicked off with the Department of Homeland Security (DHS) in Washington, D.C., and extends to cyberexercises, such as this one highlighted by TheHill.com:
Just last month, we held the Quantum Dawn 3 cybersecurity exercise, which enabled financial institutions to practice how they would coordinate with key industry and government partners to maintain equity market operations in the event of a systemic attack, in this case one that interrupted the overnight clearing and settlement process within the equity markets. Over 650 individuals participated from firms of different sizes and key government partners including the U.S. Department of the Treasury, Department of Homeland Security, Federal Bureau of Investigation, federal regulators and the Financial Services Information Sharing and Analysis Center (FS-ISAC). The key takeaway: information sharing is critical and allows firms to more quickly respond to and mitigate an attack. We are working with Deloitte on a report that will further distill key takeaways and best practices for addressing cyber threats moving forward.
However, if you want to get at the heart of NCAM, you need to visit the Staysafeonline.com website dedicated to National Cybersecurity Awareness Month. At the website you will find information about how “each and every one of us needs to do our part to make sure that our online lives are kept safe and secure.”
You will also find information on how to get involved in your community as a champion or promote NCAM with free buttons, posters, social media icons, templates and Web banners that can help you develop your education and awareness campaign. There are also sections on events and resources available.
Is there a downside to NCAM? Some people have argued that too much emphasis is placed on the one month of October – at the expense of more effective year-round awareness programs as well as an ongoing approach. While I am sure that this point raises an important concern that applies to some organizations, I don’t believe that this criticism is valid in most circumstances. The reality is that smart public- and private-sector organizations treat NCAM as one piece of a much larger, year-round security awareness program that constantly strives to mitigate online risks.
Through the years, NCAM has evolved into an effective aid to help improve cybersecurity awareness in practical ways. Most technology and security leaders understand that their biggest strength and also weakest link is their employees and contractual staff.
What are you doing for National Cybersecurity Awareness Month?