When it comes to cybersecurity at the state level, there is no one-size-fits-all model. And while the public and private sectors are keen to spend plenty of time and energy discussing the benefits of consolidating IT resources and cybersecurity command, the fact is that reworking the IT environment is not always practical, productive or possible.
In Mississippi, a state with a federated IT model, officials have opted for an approach that fits their organizational cybersecurity needs rather than choosing a complete structural overhaul. Consolidation, for all the good it offers under the right circumstances, can also lead to problems when forced upon agencies with functioning processes already in place.
When Gov. Phil Bryant signed House Bill 999 into law earlier this year, he codified the state’s Enterprise Security Program within the Department of Information Technology Services (MDITS). The law also formalized many existing aspects of state cybersecurity programs while working around the IT environment's federated structure.
Rather than pulling all cybersecurity operations under one umbrella, the Mississippi model allows MDITS to set the pace and standards, while letting agencies continue to protect their respective data. As Security Services Director Jay White explained, the law establishes a chain of accountability and rule-making authority without distracting from the overall mission of each agency.
“This bill really establishes the governance or authority of the Enterprise Security Program to begin identifying the initiatives and things that need to be done…to improve cybersecurity…and reaffirm that shared responsibility,” White told Government Technology. “In a federated environment, each agency has their mission that they are carrying out, and their staff that carries that out, and they have their particular sets of data that are needed to carry out their mission.”
What the approach boils down to is finding a solution that fits what already exists while empowering each state agency to continue with their individual cybersecurity missions, he explained, rather than molding an entire enterprise to fit a popular solution.
In addition to giving MDITS coordinated oversight of statewide cyberefforts and policy authority, the law codifies each agency director's responsibility for adhering to policy and protecting the data stores they oversee.
“Also, what it is going to help do from our perspective is confirm the responsibility that is shared by each of the agencies as part of the state network for the protection of data and IT resources that are under the agency’s purview,” White said.
Before HB 999 was made law, the security director said, agencies were already working together in a less formal capacity, often coordinating based only on existing policy and well-formed professional relationships — something he said is key in a federated environment.
“When you don’t have something formalized and you are working with these agencies, it’s very important to develop that relationship trust with them,” White added, “because this is one of those areas where not one group or one person can work to improve the security effort of an environment like this. It really has to be a collaborative effort.”
As for the legislative process, White said the increasing focus on cybersecurity of late helped to move along the discussions with state leadership about its importance. Though many lawmakers were already aware of the situation, the attention garnered from the 2016 presidential election and reports of Russian interference allowed for even more latitude in the legislative discussions.
“The leaders of our state took a look at the environment from an IT perspective,” he said, “realized the cyberthreat that has been going on for some time now, and really felt like it was an opportunity to put some things in place to be able to ensure that everyone understands there is a responsibility that we have to work together to protect.”
The law officially took effect July 1.