NASCIO’s biennial study on cybersecurity looks to assess governments’ ongoing progress in areas like cyber staff retainment, budgeting, and operations. The 2020 findings were released in conjunction with the National Association of State Chief Information Officers (NASCIO) annual conference during a session Wednesday morning.
This year’s report, which brings together insights from 51 U.S. states and territories via conversations with CISOs and risk managers, argues that there has never been a better moment for cybersecurity leaders to show the “imperative” role of cybersecurity in government.
“I think that COVID has created a real opportunity,” said Deloitte principal Srini Subramanian, who has co-authored every NASCIO cyber study since the series began in 2010. Subramanian explained that, despite the challenges posed by the novel coronavirus, CISOs should look to rebound and turn this year’s struggles into opportunities for growth.
MAKING THE BEST OUT OF THE SITUATION
As more and more states look to make teleworking arrangements permanent and a distributed workforce becomes part of the status quo, cybersecurity is going to be crucial to supporting that workforce, said Subramanian.
That means that, while COVID-19’s financial impact may hammer other sectors of government, cybersecurity may actually see an increase in investment due to the precarious environment many agencies find themselves in, he said.
“Yes, there is a larger issue of constrained budgets overall — but I think that cybersecurity will get a higher priority in terms of getting funding. Because otherwise governments are going to have bigger troubles,” Subramanian said.
PUSH FOR CENTRALIZATION
The cyber-related struggles that have come with COVID-19 illustrate the need for states to adopt a centralized approach to cybersecurity, the report argues. However, that approach — in which services are shared and policy is standardized across all agencies — hasn’t yet gained the traction many had hoped for.
According to NASCIO’s report, some 40 percent of governments still use a federated model — in which a certain percentage of services are shared and others are provided by individual agencies — and about 10 percent use a decentralized model, in which agencies provide their own services.
Like with other areas of IT, centralizing cybersecurity is believed to help avoid risk and reduce redundancy and waste. The report argues that greater centralization also promises to increase agency adoption of enterprise critical services, such as threat monitoring, risk assessments, and identity and access management, which currently are not seeing adequate levels of adoption.
EMBRACING A WHOLE-OF-STATE APPROACH
The study also encourages governments to pursue a “whole-of-state” approach when it comes to cybersecurity.
Something of a new concept, whole-of-state asks governments to broaden their scope of concern beyond state agencies. By pursuing initiatives to collaborate with both the private sector and other levels of government, including “local, city and county governments, legislative and judicial branches of government, and public higher education,” states can respond to threats against their own agencies — while also offering support to entities, like local governments, that may not have the same level of resources or awareness.
CHALLENGES TO PROGRESS
While there are obviously things for governments to be hopeful about when it comes to cyber, the report also offers insights into a number of ongoing challenges that governments continue to struggle with.
- Workforce Retention: One of the biggest challenges for state-level cybersecurity continues to be attracting and retaining a substantial and consistent workforce, the report says. “Inadequate cybersecurity staffing” is still listed as a “top barrier” for CISOs to overcome, with “state salary rates” being one of the primary reasons for this. The salaries for state workers being what they are, governments should attract talent with the promise of steady, consistent work, and the opportunity to serve, the report says.
- Budgets: While there exists an opportunity to seek increased investment in cybersecurity, the current reality is that states still lag far behind federal agencies and financial services companies when it comes to prioritizing cyber in IT budgets. According to the report, there has been no real progress in this area since 2018: a majority of states still do not have a budget line item for cybersecurity and most allocate less than 3 percent of their overall IT budget on security (for reference, federal agencies typically spend 16 percent and financial companies approximately 10 percent). Dedicated funding doesn’t just translate into more resources; it also gives cybersecurity more visibility politically, which allows for a broader conversation about resources and investment in the future.
- Cyberattacks: Cybercriminals have become more powerful in recent years, growing in sophistication and prevalence, according to the report. In particular, this year governments ranked financial fraud as a leading cause of data breaches — with the rate rising substantially from just 10 states in 2018 to 30 states in 2020. This is undoubtedly due to the flurry of hacker activity targeting unemployment benefits that hampered states throughout the summer months. A number of recent cyberattacks on prominent third-party vendors also likely contributed to the relative decline of confidence in them, with the report showing that 81 percent of states say they are somewhat or not very confident in their third-party partnerships.
OPPORTUNITIES FOR GROWTH
- Pursuing emergent tech: Another area that has not seen the kind of focus it deserves is emergent technology, according to the report. NASCIO has encouraged cyber leaders to take on the role of “enabler of innovation,” giving them a leadership role in government digitization efforts. By embracing technologies like IoT, artificial intelligence and smart solutions, CISOs may be able to drive increased spending to cybersecurity and also enlarge the CISO’s overall role as an arbiter of modernization and change, the report argues.
- Helping local governments: As mentioned above, part of embracing the whole-of-state model means looking for opportunities to collaborate and give aid to local governments, where necessary. “Many state CISOs see increased engagement with local governments as strengthening the state’s overall cyber posture, and they have made it a top priority,” the report states. However, only 27 percent of states offered cyber services to local governments over the past year — a rate that could be expanded, the report says. Such services, including those related to security management operations, incident response and risk management offerings, help increase overall security throughout a given state.
Looking for the latest gov tech news as it happens? Subscribe to GT newsletters.