NASCIO has released its biennial study of state-level cybersecurity, and while the pandemic has brought new threats, the report’s author says there has never been a better moment for CISOs to show their importance.
NASCIO's biennial study on cybersecurity looks to assess governments’ ongoing progress in areas like cyber staff retention, budgeting, and operations. The 2020 findings were released in conjunction with the National Association of State Chief Information Officers (NASCIO) annual conference during a session Wednesday morning.
This year’s report, which brings together insights from 51 U.S. states and territories via conversations with CISOs and risk managers, argues that there has never been a better moment for cybersecurity leaders to show the "imperative" role of cybersecurity in government.
"I think that COVID has created a real opportunity," said Deloitte principal Srini Subramanian, who has co-authored every NASCIO cyber study since the series began in 2010. Subramanian explained that, despite the challenges posed by the novel coronavirus, CISOs should look to rebound and turn this year’s struggles into opportunities for growth.
As more and more states look to make teleworking arrangements permanent and a distributed workforce becomes part of the status quo, cybersecurity is going to be crucial to supporting that workforce, said Subramanian.
That means that, while COVID-19's financial impact may hammer other sectors of government, cybersecurity may actually see an increase in investment due to the precarious environment many agencies find themselves in, he said.
"Yes, there is a larger issue of constrained budgets overall — but I think that cybersecurity will get a higher priority in terms of getting funding. Because otherwise governments are going to have bigger troubles," Subramanian said.
The cyber-related struggles that have come with COVID-19 illustrate the need for states to adopt a centralized approach to cybersecurity, the report argues. However, that approach — in which services are shared and policy is standardized across all agencies — hasn’t yet gained the traction many had hoped for.
According to NASCIO’s report, some 40 percent of governments still use a federated model — in which a certain percentage of services are shared and others are provided by individual agencies — and about 10 percent use a decentralized model, in which agencies provide their own services.
As with other areas of IT, centralizing cybersecurity is believed to help avoid risk and reduce redundancy and waste. The report argues that greater centralization also promises to increase agency adoption of enterprise critical services, such as threat monitoring, risk assessments, and identity and access management, which currently are not seeing adequate levels of adoption.
The study also encourages governments to pursue a "whole-of-state" approach when it comes to cybersecurity.
Something of a new concept, whole-of-state asks governments to broaden their scope of concern beyond state agencies. By pursuing initiatives to collaborate with both the private sector and other levels of government, including "local, city and county governments, legislative and judicial branches of government, and public higher education," states can respond to threats against their own agencies — while also offering support to entities, like local governments, that may not have the same level of resources or awareness.
While there are obviously things for governments to be hopeful about when it comes to cyber, the report also offers insights into a number of ongoing challenges that governments continue to struggle with.