Adopting standard language helps move cybersecurity progress along.
In 2014, the National Institute of Standards and Technology made headway advancing its “cybersecurity framework,” a road map for governments at all levels to better protect valuable cyber-resources. Although state and local agencies are paying attention to cybersecurity, few use the same terms in the same way, making it tough to benchmark cybersecurity against peers. States like Pennsylvania and Virginia now map their cyberprograms to the NIST framework, helping them to identify risks, priorities and gaps, and address them.
“I want to make sure to use this as a way to see how secure our environment is with all the different pieces and parts,” Virginia CISO Mike Watson told Government Technology in October. “Adopting a standard language is really the first step in being able to do that.”
And there were plenty of reasons for organizations of all types to hone their cybersecurity defenses. Fallout from the 2013 Target breach affecting millions of holiday shoppers spilled into 2014, raising the profile of Payment Card Industry (PCI) compliance and infrastructure protections to secure personally identifiable information. The spring discovery of Heartbleed, a bug in the online encryption software OpenSSL, had Canada’s Revenue Agency pulling its site offline to safeguard taxpayer data.
Security concerns drove growth in the government chief security officer role this year, especially in state government, and somewhat at the local level. And competition for cybertalent had governments across the board getting creative with recruitment and training. Massachusetts hosted a “Cyber Aces” event in May, pitting cybersavvy contestants against each other in a high-stakes digital defense simulation. Winners were invited to a career fair to fill public- and private-sector IT vacancies. Indicative of a growing trend, Delaware boasts a 99 percent completion rate on cybersecurity training for executive branch employees.