Only 24 percent of chief information security officers are very confident in their states’ ability to guard data against external threats.
SAN DIEGO — A new survey from NASCIO and Deloitte released today at the 2012 NASCIO Annual Conference that assesses the state of cybersecurity across the nation found that only 24 percent of chief information security officers (CISOs) are very confident in their states’ ability to guard data against external threats.
“We saw about 70 percent of CISOs say they saw a breach in their state,” said Michigan CISO Dan Lohrmann, “but my guess is that number is low.”
He said a breach won’t necessarily make headlines; it can be something as simple as someone posting an unwanted story on your website. “My guess is it’s more like 90 percent.”
The goal of the survey, States at Risk: Facing Escalating Threats and Resource Constraints, was to get a sense of cybersecurity across the nation — how states compared with one another, with national data and to two years ago, said Kristen Miller, a principal with Deloitte. “Are we progressing, are we status quo or are we regressing?” she said. “How can we turn these insights into action, so when CISOs are back in their states, they can continue to be proactive in defining their strategy going forward.”
When CISOs were asked about the importance of cybersecurity, 92 percent said it is of high importance, and more than three-quarters of respondents said they have the executive support needed in cybersecurity — but Lohrmann noted the budgets for cybersecurity are lacking, so “something’s a bit off,” he said. “No one wants to raise their hand and say, ‘I’m against cybersecurity,’ but are [CISOs] really getting what they need?”
At the annual meeting, NASCIO state-level executives took their own poll on the subject, the findings of which closely matched those in the official report. Only 27 percent said they had both commitment and adequate funding, while 66 percent said there was commitment but inadequate funding. Six percent said they had no commitment, and 2 percent were unsure.
Getting that buy-in, Lohrmann said, starts at the top. “Getting the governor’s support is essential,” he said. “In Michigan, having Gov. [Rick] Snyder’s support has been imperative.” Michigan has combined physical and cybersecurity, and has seen some improvements in service and efficiency in doing so.
What it comes down to, said Pennsylvania CISO Erik Avakian, is that security must be aligned with the business stakeholders in state government to get that buy-in. As for ways to do that, Suzanne Shaw, assistant attorney general for the state of Washington, says you must identify a receptive audience within state government. “And hopefully some things will trickle up,” she said, adding that building relationships also is key. “It’s always a two-way street built on earned and mutual trust, and that’s something that comes over time.”
Lohrmann echoed that sentiment, adding that partnerships nationwide are also essential. “You’ve got to look at what others are doing around the country,” he said. “Working with states, the Multi-State ISAC [Information Security and Analysis Center] are key to building those national-level collaborations.”
As for funding, when comparing the 2010 budget information with the 2012 information, Deloitte Principal Srini Subramanian said the reported percentage of the IT budget devoted to cybersecurity was revised in 2012 to reflect reality. “Most of the CISOs were within 1 to 3 percent of IT budget [in 2010],” he said, “but they all came back and said it was really closer to the 1 percent range.”
If you compare government cybersecurity funding to what private industry is doing, Avakian said, “1 percent is far, far lower than what the private sector is doing — they’re increasing what they’re doing in cybersecurity.”
When it comes to obtaining funding, Lohrmann suggests that CISOs “go where the money is” rather than simply saying, “We need X dollars for security.” If CISOs make sure security is engaged in key projects across the state, additional funding will come in through those avenues. “Surely some enterprisewide security funding needs to be done,” he said, “but security should be at the table for all those key projects your state is doing.”
According to the report, 82 percent of CISOs are responsible for cybersecurity measurement and reporting, and the fact that only 8 percent of CISOs were actually measuring and reporting on effectiveness was alarming for Avakian. “That plays a big role in why I think CISOs don’t get the funding they need,” he said. “Enable CISOs to report consistently and that will enable the funding to come eventually.”
The report itself also provides some approaches that states could try to improve the situation, such as assessing and communicating security risks, better articulating risks and audit findings to stakeholders, and making better security an enabler of the use of emerging technologies, to name just a few. To read more suggestions on how to mitigate risks and move forward on cybersecurity programs and objectives, read the full report at www.nascio.org.