Staying on top of the threat means understanding its different dimensions, including how risk levels and privacy play in, and making security a priority for top leadership and officials beyond the IT department, said speakers at Government Technology’s Sept. 28 Massachusetts Digital Government Summit.
There are many challenges to tackle, with smaller localities having limited funding to level against the challenge and everyone looking for more cyber talent. Massachusetts officials dug into the issues, discussing recruitment hurdles, the far-reaching effects of incident planning, strategies for maximizing resources and how the commonwealth is considering new federal cyber grants.
SPOTLIGHTING PRIVACY, RISK
Many states are thinking about cybersecurity in a new way. Massachusetts changed its CISO role to a chief information security and risk officer, reflecting an increasing awareness that it’s impossible to close all vulnerabilities and achieve full security. Instead, government needs to best estimate the amounts of risks it faces, or which are associated with different approaches and activities, and find ways to reduce those to a level its comfortable with.
“We’re not going to be able to address every vulnerability we have …. So, we need to think about it a different way,” said Cabinet Secretary and CIO Curtis Wood. “We’re really moving into creating a risk appetite and building it into our security approach or apparatus — our day-to-day business operation.”
The commonwealth has also been striving to adopt a privacy mindset and conduct privacy risk assessments when considering operations or new procurements.
“Too often either the business goes out and buys an application that doesn’t have a clue, or the IT people buy an application and don’t have a clue,” Wood said. “... Our biggest asset [in government] is our people’s data. Everyone wants it. So we need to think about it that way; it’s our duty to protect it — not only statutorily, but ethically.”
Privacy efforts are early stage but could lead to new terms and conditions in vendor contracts, and other changes, Wood said. He aims to see privacy, risk and security considered jointly, rather than as separate concerns.
Jule Pattison-Gordon
INCIDENT PLANNING AND EXECUTIVE BUY-IN
Governments of all sizes need cyber incident response plans, both because having an established plan will help guide them when an emergency strikes and because the act of creating one will bring more parties to the table and illuminate strategies and weaknesses, said Stephanie Helm, director of the MassCyberCenter, a state agency.
“Planning allows you to really do a deep examination of what problem you’re trying to solve,” Helm said. “You study that problem as part of your planning process and it educates you — and people involved in the planning — about the nature of what you’re trying to address.”
Even if an unanticipated, unplanned-for emergency strikes, officials likely could pull elements from other existing plans to help guide them, she said.
IT departments can also use the plan-creation process to bring other agencies into the discussion, Helm said. This can be key — Wood also said that cybersecurity cannot just be the IT office’s job, but takes a cross-organization effort.
Running a tabletop exercise, even just for an hour during a staff meeting, can prompt non-IT officials to realize how cyber incidents would impact them and bring everyone together in finding solutions, said Helm, who urged making such exercises a regular occurrence.
AFFORDABLE CYBER: SHARED RESOURCES
Investing in cyber improvements can be challenging for smaller governments with tight budgets, but some small organizations have been banding together to acquire shared resources that they could not afford individually.
Panelist Matt Thibault, director of cybersecurity, public sector, for AT&T, said he’s seen school districts and counties jointly hire experts and save money further by retaining them only for shorter periods rather than full time, such as a shared forensic analyst to support them on weekends. Such trends have been playing out in Massachusetts, too, where seven communities allied to share resources, Helm said.
“Every town in Massachusetts ought to be looking at, ‘Do I want to go it alone? Or do I want to engage with my neighbors and my partners?’” Helm said.
Improving cybersecurity doesn’t always take direct monetary investment either, but can come from changes to policies and procedures, noted panelist Chris Daggett, director of managed services and security at HUB Tech.
But any entity looking to improve their cyber outcomes should start by getting an assessment of their current cyber posture and vulnerabilities so they know where they need to progress, Thibault said.
STATE AND LOCAL CYBER GRANTS
Any discussion of cyber resources raises the question of the State and Local Cybersecurity Grant Program. The federal government dropped the Notice of Funding Opportunity (NOFO) earlier this month, and Massachusetts expects $3 million, to which the state must add a 10 percent match, Wood told GovTech.
At least 80 percent of the money must go to local government, and Wood said potential applicants include Massachusetts’ 351 municipalities as well as other entities like individual school districts.
Divvying funds up among so many players may mean that everyone’s left with an impractically small amount: “Giving people 58 bucks, or 1,000 bucks, is not really going to solve what we’re trying to do,” Wood said.
Instead, he’s in favor of taking a “statewide approach” that might deliver more impact, but said municipalities need to weigh in before any decision is reached.
“It’s not a lot of money,” Wood said, “but it reinforces the criticality and importance of [cybersecurity].”
Before applying for the funds, states must create a cybersecurity planning committee composed of key stakeholders and which will be responsible for creating a plan guiding the money’s use. Massachusetts had held off on committee-creation to wait for the NOFO and additional federal clarifications.
Sept. 29 marks the first internal meeting aimed at determining the commonwealth’s plans for the first year of the grant.
Details Massachusetts still needs to resolve include how it will structure the process for municipalities to request shares of the funding and whether the state will handle the fund match for all years of the grant program or sometimes have municipalities contribute.
The commonwealth might ask for a year’s delay, and use the interim time to develop its plan, invest in assessments and otherwise get ready to use the funds. It has until mid-November to decide.
“We need to figure out if we’re ready to do something in year one,” Wood said.
WORKFORCE: ‘DEMYSTIFYING’ THE JOB
Alongside money is cybersecurity’s other perennial problem: workforce.
Cybersecurity has an image problem that’s adding to recruitment struggles, speakers said. Popular portrayals of the job are often misleading, deterring well-suited potential recruits while drawing in other applicants who come expecting a different kind of environment.
The stereotypical image of a cybersecurity expert doesn’t always encompass the full variety of roles and activities that fall under the cybersecurity umbrella, scaring away people who aren’t computer science majors or who “don’t want to be scrubbing through log data all day,” said Thibault. He recommended efforts to “demystify” cybersecurity, starting before high school.
On the flip side are jobseekers enticed by visions from TV, said Wood, speaking in part from his experience teaching college students.
“Cybersecurity really sounds cool …. A lot of people say, ‘I want to be in cybersecurity,’ and they have no idea what it means,” Wood said. “On TV, people get these big screens. They think it’s all like that, and it’s not. “
Explaining the job isn’t the only factor at play as the state looks to tackle its cyber talent gaps. Mentorships, internships and improving pay are all part of how the commonwealth is looking at improving its cyber recruitment and talent pipeline, Wood said.
