IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

NH ‘Enshrines’ Cybersecurity Advisory Committee into Law

The council has been evolving since its launch via executive order in 2016, and a new law ensures the entity sticks around long-term. CIO Denis Goulet explains how the council vets policy ideas and engages with agencies.

The New Hampshire flag.
Shutterstock/Salah Ait Mokhtar
State cybersecurity and tech officials often struggle to get other agencies to see cybersecurity policies the way they do — i.e., as measures making everyone safer, rather than just more regulatory hoops to jump through.

New Hampshire leaders sought to tackle the disconnect by leveraging a Cybersecurity Advisory Committee (CAC), originally established in 2011 and bolstered via a 2016 executive order. The organization has evolved over the years and proved itself valuable enough that the state recently fixed it into law. The legislative move gives the body a greater longevity, ensuring that a future governor cannot simply revoke the executive order backing it, state CIO Denis Goulet told Government Technology.

“We now know how to operate the CAC, so I felt like it was safe to enshrine it in statute,” he said.

PUTTING CYBERSECURITY AND BUSINESS IN CONVERSATION


The CAC is focused on promoting a more positive, informed cybersecurity culture through state government and developing polices that are more attuned to various agencies’ business realities. The committee regularly convenes representatives from different departments to get their feedback about in-development cybersecurity proposals, allowing the group to make better recommendations about what should become law.

“It’s an integral part of our cybersecurity governance process now,” Goulet said. “Particularly what we’re looking for is feedback from the agencies relative to our baseline cyber posture that would be built into any policy we’re trying to implement, because what we don’t want to do is unknowingly stop legitimate business activity with our cyber policy.”

During his more than six years as CIO, Goulet has seen the CAC evolve from its earlier form as a committee that met ad hoc and only with members of executive branch agencies to a more established body with an expansive membership.

New Hampshire CISO Dan Dister currently chairs the committee, where he meets with members of state emergency management, the secretary of state’s office, state National Guard and agencies from across executive, judicial and legislative branches.

CAC’s early days saw some agencies assign whichever staff member drew the proverbial short straw to be their representative in the committee meetings. But the group has worked to be taken more seriously and has had time to prove its impact. The CAC now pushes for agencies to send personnel who have enough influence to make changes and whose positions give them insights into their unit’s cyber postures.

“We want somebody who has the juice to get to agency leadership and make decisions on that level,” Goulet said. “I tell the other commissioners and executive directors in the state that you want somebody on the CAC, because we’ll make decisions that affect you.”

New Hampshire has been working to streamline its approach to cybersecurity oversight by establishing a minimum set of common security requirements across all state agencies, Goulet explained. Conversations with different offices helped cyber policymakers recognize where they needed to tailor their approach. For example, they learned not to simply block all state personnel from visiting “really inappropriate” websites, but to instead give an exemption to the attorney general’s office whose staff may need to access such sites in the course of investigative work.

These kinds of efforts and heavy emphasis on communication have helped push agencies to see cybersecurity as a collaborative effort with IT, Goulet said.

“The nature of how we interact with the committee is way more collaborative and less ‘we/they,’ because it’s not [seen as] us trying to do it to them, but they know, it’s us trying to work together to protect state data and the state continuity of government,” Goulet said.

That buy-in has helped the CAC pass strict policies while generating little pushback, Goulet said, such as a sweeping rule barring employees from doing anything on a state-owned device other than strictly state business.

DATA GOVERNANCE IS THE NEW CYBERSECURITY


The CAC worked over the years to change agencies’ thinking on cybersecurity, and IT officials are now regarding data governance as the next frontier for such culture campaigns.

Many agencies view data governance rules the way they used to view cyber: as burdens imposed on them externally by the IT department, rather than as important business practices for maintaining smooth-running operations.

“Data governance is a lot like cyber, in the sense that if you don’t do it, right, people are just going to look at it as an inconvenience and try to do everything they can to get around it instead of being part of the solution,” Goulet said.

Goulet said New Hampshire officials are now looking to the committee-based approach to generate traction. They’ve considered creating a CAC-like counterpart dedicated to promoting data governance awareness and communication, but currently are testing out simply expanding the Cybersecurity Advisory Council’s scope to encompass the new topic.

This latter effort is in its early stages, with the CAC recently holding its third monthly meeting on the new topic.
Jule Pattison-Gordon is a staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.


Special Projects
Sponsored Articles
  • Sponsored
    How the convergence of security and networking is accelerating government agencies journey to the cloud.
  • Sponsored
    How the State of Washington teamed with Deloitte to move to a Red Hat footprint within 100 days.
  • Sponsored
    The State of Michigan’s Department of Technology, Management, and Budget (DTMB) reduced its application delivery times to get digital services to citizens faster.

  • Sponsored
    Like many governments worldwide, the City and County of Denver, Colorado, had to act quickly to respond to the COVID-19 pandemic. To support more than 15,000 employees working from home, the government sought to adapt its new collaboration tool, Microsoft Teams. By automating provisioning and scaling tasks with Red Hat Ansible Automation Platform, an agentless, human-readable automation tool, Denver supported 514% growth in Teams use and quickly launched a virtual emergency operations center (EOC) for government leaders to respond to the pandemic.