Save Money, Build Talent, and Defend Communities is a new guidebook from the Center for Long-Term Cybersecurity (CLTC) at UC Berkeley, and it delves into cybersecurity programming cost and return on investment, maps efforts across states, and defines various aspects of whole-of-state cybersecurity efforts. But the publication focuses most on three types of organizations: cyber clinics, regional security operations centers (RSOCs) and state cyber corps.
“Because whole-of-state cyber is a wide umbrella of things, it was going to be quite impossible to map all of the different components,” said author Grace Menna, a senior fellow and researcher at the CLTC.
The guidebook was originally intended to be a 10-page brief. The resulting 46 pages are a combination of direct input from dozens of states and open source research done over a period of about five months. Key findings include the variability of programs, the importance of volunteer-based services and the challenges of quantifying their impact.
Menna said it was designed to help policymakers understand the ecosystem of volunteer-based cyber resilience programs. Officials including CIOs, CISOs and legislators have said that they often hear about promising initiatives but lack basic information about how they worked, who ran them or whether they produced measurable returns.
As to financial impact, research revealed that cyber clinics have an economic value of anywhere between $12,000 and $150,000 per year and provide workforce development for students. RSOCs provide millions in return — up to $2.6 million — alongside student training, and state cyber corps provide up to $7.5 million, taking advantage of volunteers who are usually professional technologists. Each offers various services, aligned to the level of expertise of the group.
There are at least 45 cybersecurity clinics across 29 states. Located in universities, faculty oversee computer science and cybersecurity students who help local clients develop long-term cyber defense, increase resilience and expand capacity. They may provide risk assessments, policy templates, ransomware training or help with industry certification readiness. Maryland recently announced a grant program that will help fund these clinics as part of a workforce-readiness initiative.
RSOCs, which can be found in five states, are specialized security operations centers focused on a specific geographic region, and they are also based in colleges and universities. They provide cybersecurity support for public entities, provide students with live training, and track data and insights for public entities. The University of Oregon named theirs a Teaching Security Operations Center.
Cyber corps, whether civilian or based within state guard units, use expert-level IT and cyber volunteers to aid local governments, critical infrastructure providers and other organizations. These are active in six states and are more than 900 volunteers strong. Because the volunteers are already credentialed professionals, they offer a range of services from education and training to incident response and recovery. One of the benefits of this model, Menna noted, is that volunteers expand their support networks in a fast-paced industry.
“I would say that in our experience, state cyber corps tend to have the most authority to do actual hands on keyboard for systems that are publicly owned,” Menna said. “University cyber clinic students almost never have hands on keyboard. They’re making recommendations, going through risk assessments and working in concert with the beneficiary organizations themselves, but they’re not necessarily going in to fix security risks.”
There is overarching value in the programming, according to her findings. It goes beyond finance, as these volunteer efforts help communities prepare and be resilient in the face of constant cyber threats, build career pipelines for students, and give professionals an avenue to volunteer in their own communities.
“These programs are kind of gifts that keep on giving,” Menna said. “They catch folks at all points of the life cycle, which is really, really beautiful to see.”
