Just as thriving communities need well-equipped and expertly trained police and fire departments, state and local governments require the best in cybersecurity.
As new governors, legislators, and local leaders take office in 2019 (and incumbent administrations return with renewed focus), cybersecurity should be a top priority because state and local governments face increasing cyberthreats. 2018 put state and local governments on notice, from the crippling ransomware attacks on Colorado’s Department of Transportation, the city of Atlanta, and Baltimore’s 911 and 311 systems, to the massive San Diego Unified School District data breach. These cyberattacks should raise concerns around the importance of state and local governments’ portfolios of valuable citizen data and the critical infrastructure they manage and protect.
Technology and data are transforming how state and local governments make decisions and deliver services. Citizen expectations for smart, online government services have powered a digital revolution in statehouses and city halls. “Smart” IoT-enabled public infrastructure will help governments provide unprecedented services, public safety, and economic opportunity. But a 21st-century government infrastructure must be protected with equally modern cybersecurity defenses, just like a thriving downtown requires expertly trained and well-funded police and fire departments. It’s time for state and local leaders to rally support around a well-resourced cybersecurity strategy.
This is hardly breaking news to government IT staff. State and local government IT leaders have been the loudest proponents of cybersecurity prioritization, where it has routinely ranked No. 1 on surveys of government CIOs. The National Association of State Chief Information Officers (NASCIO) outlined its top 10 policy and technology priorities for 2019, and security and risk management topped the list. Likewise, e.Republic’s* 2018 Digital Cities Survey of city government IT leaders once again returned cybersecurity as the No. 1 priority. And in their survey of county government IT priorities? Cybersecurity ranked No. 1 — for the fifth year in a row.
The good news is that the hard work to bring state and local government cybersecurity practices up to speed is underway. The National Governors Association has an ongoing initiative to prioritize cybersecurity, resulting in best practices and information sharing. Similarly, the National Conference of State Legislatures has a task force on cybersecurity ready to educate incoming elected officials. Many state and local governments have made progress, hiring chief information security officers (CISOs), enacting risk-based, data-driven cybersecurity practices, and investing in best-of-breed technology.
The bad news is that while many leaders have stepped up on the issue of cybersecurity, the threats and risks to government have only increased, outpacing progress and funding. Incoming leaders must establish a strategic, long-term plan to make cybersecurity a core competency within their governments.
According to a recent study of top IT security officers in 50 states, nearly half of states don’t have a separate cybersecurity budget and of those that do, more than a third have seen static or even reduced budgets over time. It’s clear that state and local government IT leaders often lack the funding to truly bolster their security posture.
In the bi-annual NASCIO/Deloitte cybersecurity survey, a lack of budget has been the No. 1 issue of state government CISOs every year since the survey began in 2010. According to the 2018 survey, the majority of states spend 1 to 2 percent of their IT budgets on cybersecurity, while a look at federal agencies saw cybersecurity receiving between 5 and 25 percent of overall IT spend. A 2017 Forrester report on U.S. private-sector cybersecurity budgets found a benchmark of 28 percent of overall IT spend.
These budget comparisons back up what state and local IT leaders have been red flagging for the better part of the last decade: cybersecurity is detrimentally underfunded at the state and local level. It’s time to provide them with the funding they need to do their jobs.
A related challenge is filling cybersecurity staff positions. This problem isn’t unique to government. If you were to ask 100 CISOs across every sector, from anywhere in the world, they would list acute problems finding and keeping cybersecurity talent as a top concern. A report from Cybersecurity Ventures estimates the global cybersecurity labor shortage will hit 3.5 million unfilled jobs by 2021.
What can governors and mayors do? First, as previously mentioned, properly fund your cybersecurity efforts. There’s no question that you’re going to need to pay more for cybersecurity talent in the short term, or you’ll risk losing prospects or current employees. Underfunded cybersecurity budgets lead to non-competitive salaries in a hot market for talent.
Next, figure out a long-term talent pipeline that will not only serve your government’s needs, but the many businesses, academic institutions, and nonprofits in your region that are also hungry to fill these roles. Answers need not look the same everywhere, but encourage your CIOs and CISOs to identify potential talent pipelines and then use your abilities as governor, as mayor, as county supervisor, to make your state, city and region a hive of cybersecurity talent.
In Georgia, outgoing Gov. Nathan Deal, Augusta Mayor Hardie Davis Jr., and local academic institutions championed efforts to create the Georgia Cyber Center, which will serve as the epicenter of Georgia’s efforts to become a leader in cybersecurity technologies and “train the next generation of professionals through education and real-world practice.” In California, the annual Mayor’s Cyber Cup competition inspires high school students to consider pursuing careers in cybersecurity. Looking inward for talent, the federal government has recently announced a program aimed at reskilling current federal government employees with cybersecurity skills that qualify them for entry-level cybersecurity roles. Private-sector partners are also stepping up to provide innovative training programs, including courses for veterans.
State and local leaders have big jobs to do and long priority lists for 2019. However, the duty to protect citizens and critical infrastructure has always fallen heavily on the backs of state and local leaders — that duty to protect has shifted quickly towards the digital environment and leaders must respond by making cybersecurity a top priority. Adequate budgets and fostering a long-term pool of cybersecurity talent should be the focus for 2019.
*e.Republic is Government Technology's parent company.