Extreme budget cuts across state governments put vital data and personal information at risk, which means state chief information security officers (CISOs) must make cyber-security an immediate priority, according to a new study by Deloitte and the National Association of State Chief Information Officers (NASCIO).
The survey, State Governments at Risk: A Call to Secure Citizen Data and Inspire Public Trust, found that 79 percent of state CISOs report stagnant or slashed budgets, a serious problem that stifles their ability to adequately handle growing internal and external threats.
“Unprecedented budgetary cuts across state governments and growing reliance on contractors and outsourced IT services are creating an environment that is even harder to secure,” said Utah CIO Steve Fletcher, the outgoing president of NASCIO, in a release.
As governments continue to utilize technology to store data, manage workflow and improve efficiency, concerns about protection and privacy remain a challenge for IT officials, from the federal level on down. Last December, President Barack Obama appointed the nation’s first cyber-security chief, Howard Schmidt. And a proposed bill on Capitol Hill would give the president the power to declare a national cyber-emergency in the case of a huge network attack.
States, of course, have their own cyber-battles to fight, but as the report highlights, many CISOs need to enhance their strategies and expand their resources if they want to be successful against threats.
“Many state CISOs lack the visibility and authority to effectively drive security down to the individual agency level,” said Srini Subramanian, director of Deloitte, a leader in state government security and privacy services, in a statement. “At the federal level, the president has recognized the critical nature of the problem and appointed a cyber-security coordinator to address it; it’s imperative that governors and state legislative leaders make cyber-security a priority.”
Based on responses from 49 states, the Deloitte-NASCIO report identifies the lack of funds, programs and resources as weak spots in public-sector cyber-security efforts, especially when compared to private-sector enterprises. Key findings from the survey include:
- Governance: CISOs must continue to evolve this position to garner enterprise visibility, authority, executive support and business involvement.
- Strategy: More states are embracing strategic planning as part of their cyber-security approaches and converging on the National Institute of Standards and Technology (NIST) risk assessment framework for strategic alignment. But without a compliance audit and enforcement mandate at the federal level, compliance with the NIST framework is less likely.
- Budget: With the economy impacting state budgets, the gap between the public and private sectors continues to expand. As noted, a lack of adequate funding for governments intensifies cyber-security weaknesses.
- Internal and External Threats: With threats to personally identifiable information and personal health information on the rise, states must work to prevent internal breaches while protecting data from outside security threats.
- Security of Third-Party Providers: States must improve security management when it comes to contractors, managed service providers and other third parties that deliver sensitive and critical constituent services.
“State CISOs and CIOs recognize the threats and realize all government leaders need to be better informed on the risks,” said Doug Robinson, executive director of NASCIO. “It’s clear CISOs have tough jobs without adequate resources. A staggering 88 percent of respondents mention lack of sufficient funding as a major barrier to effectively addressing information security.”
Based on the findings, Deloitte and NASCIO offer recommendations that state CISOs might use to help bridge some of these gaps: partnerships within state government, executable strategies, ideas for standardization and tips for better preparing staff, to name a few.