AUSTIN, Texas — Cybersecurity was perhaps the most consistent thread running through all the programming at the annual NASCIO conference this week. It’s on the minds of state CIOs, and many have well-developed strategies to protect state IT systems and constituent data, combat current threats and build strong cyberdefenses.
Here’s a look at a few state programs:
“We can’t talk about cyber without talking about ice cream,” said Arizona CIO Morgan Reed. With that, he kicked off the Cyber Risk Management session on Tuesday, Oct. 3. The ice cream reference was a nod to Arizona Gov. Doug Ducey, the ice cream titan who grew Cold Stone Creamery from three stores in Arizona to 1,400 across the country before taking a turn toward public office. Ducey’s charge to his appointees is to run government at the speed of business. And when it comes to cybersecurity, they’re off to a good start.
Reed was joined by Arizona Chief Information Security Officer (CISO) Mike Lettman on a standing-room-only panel to share their approach to cyber using RiskSense, a multi-channel tool that provides both high-level and granular visibility via user-friendly dashboards, into agency vulnerabilities across the cyberspectrum. The discovery process has been illuminating. In one example, Lettman revealed that the state actually had 600 more websites than had first been reported internally. It’s tough to manage risk around assets you’re not even aware you have.
Reed and Lettman described a competitive environment when it comes to cyber, as high-level state leaders can see how agencies stack up compared to one another. And while nobody wants to land on the list of most vulnerable agencies, the state works to foster cooperation between agencies to bring the state’s overall risk down and be as prepared as possible for emerging threats. Their processes got a real-world test earlier this year when WannaCry hit. A RiskSense report revealed nearly 1,500 points of exposure in Arizona on a Sunday night, agencies were notified on Monday of what they needed to patch, and that exposure was eliminated by the next business day.
There will be a 1.5 million shortage of people in the cyberworkforce by 2020, Georgia Chief Information Security Officer (CISO) Stanton Gatewood told attendees at one of the final sessions of NASCIO’s annual conference Wednesday morning.
Georgia is taking a big step toward narrowing that gap with its Cybersecurity Workforce Academy, which launched in January of this year and will eventually offer courses through the Georgia Cyber Innovation and Training Center in Augusta when it opens in 2018.
Stanton cites cyberworkforce development as the solution to that coming staffing problem, which is created by factors such as the aging security workforce, lack of interest from high school and higher education students and, not least of all, the high experience called for in cyberjob applications. “Requirements are through the roof,” Stanton said.
The state’s cyberacademy offers short, intense courses of less than a week for “full-blown immersion training” to enable a new workforce of professionals who understand the complexity of layers of defense, situational awareness and preparedness.
Kirk Lonbom is currently wearing two hats in Illinois: He’s been the state’s chief information security officer for the past two years, and is also interim CIO since the announcement last month that Hardik Bhatt would leave his post for a public-sector-focused position at Amazon.
Lonbom detailed the state’s efforts to contain risks associated with employee behaviors, like clicking on links sent via legitimate-looking emails, or phishing, identified as the No. 1 cyberthreat by the U.S. Department of Homeland Security. Awareness training, he said, can reduce the threat by up to 70 percent.
Illinois passed HB 2371, an amendment to the Data Security on State Computers Act, which mandates awareness training for state employees. Describing the training effort as “low cost” and “high benefit,” he added that estimates peg the cost avoidance achieved at $9 million per year. In 2017, 47,000 staff members have participated in the training.
“Creating a culture of cyber-risk awareness is a big part of our strategy,” he said.
And that strategy is far-reaching. Lonbom left the group with the five overarching goals guiding cybersecurity efforts in Illinois: protect state information and systems; reduce cyber-risk; best-in-class cybersecurity capabilities; enterprise approach to cybersecurity; and a cybersecure Illinois.
Michigan is looking beyond state staff to boost its cybertalent and work to narrow the coming gaps. The MiC3 “cybercivilian corps” enlists volunteer cybercrime fighters from across industries to help the state tackle security issues. The program is helping to create what CISO Rajiv Das called “a workable cyberecosystem,” with the goal of helping businesses statewide.
At quarterly events, volunteers take part in trainings to help prepare them to bolster government’s cybersecurity efforts in the event of a cyberemergency. While the current membership totals 64, Das said the goal is to reach 200 by the end of 2018.
Michigan this year also began piloting a CISO-as-a-service program with nine local governments, with the idea of lending expertise to small jurisdictions that don’t have the resources for a full-time security officer but are still exposed to the same risks as their larger neighbors. Pilots are currently underway with seven counties and two townships, and they hope to eventually expand the program to all 243 local governments in the state.
While other cyberleaders at NASCIO pointed to the problem of the human factor, Pennsylvania CISO Erik Avakian addressed it directly: “This not a cyberproblem,” he said. “This is a business problem.”
Avakian sees a disconnect between IT security and business. If the agencies who direct funding don’t see a correlation between what they pay for and what they get back from employee cybertraining, less of that training is likely to happen. But as many CISOs pointed out, end users are the first line of defense against breaches, and all it takes is one click in one wrong email to set off an attack.
To that end, Pennsylvania started small about four years ago with in-house phishing programs, or what Avakian called “social engineering exercises” with its 80,000 state employees. If a staff member clicks on a “bad” link in a phishing email sent by the state, they are redirected to a page that offers tangible feedback for avoiding real phishing schemes in the future.
Pennsylvania has since expanded the program with a third-party software-as-a-service tool, which Avakian recommends adding as a piece of an overall training program to help make employees part of the solution, rather than the source of a problem.