State CIOs Stress Cyber-Security’s Importance to New Governors

Call to action urges new administrations to consider and address the cyber-security risks to state government.

by / February 28, 2011
Kyle Schafer, CIO of West Virginia. Photo by David Kidd. David Kidd

As more than two dozen gubernatorial administrations across the U.S. set their agenda, state CIOs are reminding them of the critical need to improve cyber-security.

The National Association of State Chief Information Officers sent a “call to action” last week to the new governors that outlines the plethora of challenges and risks pertaining to cyber-security in state government.

“With 26 new administrations, it’s imperative that new governors and other state policy leaders be aware of the cyber-security threats that states face on a daily basis.” said Kyle Schafer, NASCIO president and West Virginia CIO, via a statement. “This call to action is meant to assist state leaders in understanding the threats and developing appropriate process and policy to mitigate risks.”

The document outlines a five-point summary of present challenges, which include administrations turning more often to IT solutions as a means to improve efficiency amid fiscal crises. But personal information continues to be at risk, as state networks are being attacked on a daily basis, according to NASCIO.

The association said an enterprise model for cyber-security is the preferable approach, no matter the state’s governance structure. A culture of security must be created across the government, according to NASCIO. “The most effective cyber-security programs produce accurate assessments of the risks associated with each system the government maintains, and for the network as a whole,” the paper said.

The call to action said one bright spot is that tight budgets are creating opportunities to improve states’ cyber-security postures by “baking” it into restructured departments and new processes. Furthermore, the federal government is realizing that states need more money to address cyber-security gaps. The U.S. Department of Homeland Security will do assessment of states cyber-security in fall 2011, according to NASCIO. 

Finally, NASCIO urges the new governors to consider some basic questions:

  • Is your state supporting a “culture of information security” encompassing a governance structure of state leadership and all key stakeholders?
  • Has your state implemented an enterprise cyber-security framework that includes policies, control objectives, practices, standards and compliance?
  • Has your state invested in information technologies that provide continuous vulnerability management and protect against critical cyber threats on an ongoing basis?
  • Are security metrics available in your state that accurately measure and report intrusion attempts, penetrations, vulnerabilities and security breaches?
  • Have state employees and contractors been trained for their roles and responsibilities in protecting the state’s cyber assets?