The 2018 Deloitte-NASCIO Cybersecurity Study found that while CISOs are gaining a real foothold in state government, there remain key areas where progress can still be made.
Cybersecurity has made strides, establishing the CISO as a key member of IT leadership, but there’s still a ways to go.
Every other year, the National Association of State Chief Information Officers (NASCIO), in partnership with Deloitte, conducts a survey of state information security officials to assess where they are in terms of progress and challenges around cybersecurity in a world where online threats seemingly never stop growing. The 2018 study, States at Risk: Bold Plays for Change, focuses on areas that since the report’s inception in 2010 have remained the top three challenges state CISOs face: funding shortages, limited workforce talent and finding new ways to tackle increasing threats.
At NASCIO’s annual conference this week, Arizona CISO Mike Lettman, Illinois acting CIO and former CISO Kirk Lonbom, and Georgia CISO Stan Gatewood discussed the study’s outcome with its co-author Srini Subramanian, principal with Deloitte, during a session Tuesday afternoon. They tackled those three big problem areas and offered advice for moving forward.
Since the release of NASCIO’s first cybersecurity report, lack of sufficient funding has remained the No. 1 hurdle state CISOs report. This year’s study found that while cybersecurity budgets are growing, it’s at a very slow rate — 27 percent of states report no increase since the 2016 report. More than that, most states allocate just 3 percent of their budget or less to cyber.
Lettman said CISOs must advocate for dedicated security funding and communicate to state leadership why it is necessary. CISOs should be specific about “where you are, where you’re going, what metrics it will take to get there — how are we securing the state?” Lettman said. Those measurable aspects can include the number of attacks prevented, the cost avoided by having protections in place and how many people are being protected.
NASCIO’s study found that only about half of states have a line item in their budget specifically for cybersecurity, and Lettman said moving to that model has been key for Arizona. Previously, he said, his agency had to fight for funding year to year, threatening the cyberprojects they had underway. Adding the line item for cyber solved that issue, and gave the governor visibility into where the funding was going.
But, Lettman cautions, there is no need for states to spend more on security than necessary, because eventually there’s a drop in return on investment. “At some point,” he said, “you’re spending $1 million to protect $5,000 in risk.”
One key finding of the study was that most CISOs aren’t considering emerging technologies like artificial intelligence and blockchain when it comes to their planning. Gatewood argued that the foundational day-to-day operations like threat monitoring and risk assessment have to be well in hand before CISOs can move into exploring the use of these more cutting-edge technologies.
Lettman saw this similarly, explaining that because the majority of his team is focused on those daily tasks, he can then look at new tools and assess their practicality for state use.
Lonbom laid out the situation as a spectrum of how security chiefs can either hinder or drive forward innovation in their states: at one end is “security as a stopper,” in which CISOs are likely to label IT initiatives too risky; at the other is “security as an enabler,” where the cyberleader is driving innovation and security is involved early on. Lonbom explained the ways in which many CISOs are evolving toward the enabler end of that spectrum. The key is to be a part of the development process so security is baked in from the beginning of initiatives, rather than an afterthought that puts a halt to potentially impactful projects.
“It’s a losing battle against the private sector” when it comes to cyberstaffing, Gatewood said.
Ninety-four percent of those surveyed reported salary as the leading challenge they face in attracting talent to cybersecurity teams. And 30 state CISOs said there’s a knowledge gap in cyber. That likely stems from the fact that, as Lettman said, it can take 12 months to properly train someone, but they’re then likely to leave for a higher-paid private-sector position, leaving agencies back at the beginning of the training cycle.
Gatewood pointed to Georgia’s new cyber center as a potential solution to the talent gap, which only promises to widen in the coming years. By partnering with academia, in addition to law enforcement, military and other key stakeholders in that project, the state can hopefully create a pipeline for its own workforce.
But, Gatewood added, that attrition to private-sector work “is the way it should be.” What that means is that public-sector security agencies need to develop a system that consistently brings in new staff and trains them well, with the understanding that while many of them will eventually leave, some are truly committed to government work.