State CISOs must cooperate more with locals on threats, report says
Stronger collaboration among the public, private and academic sectors can strengthen overall cybersecurity and feed the talent pipeline, according to NASCIO’s biennial report.
State chief information security officers should focus on building relationships with local governments and other institutions to bolster cybersecurity and ward off threats, according to a new report.
By doing so, the biennial report from the National Association of State Chief Information Officers and Deloitte says, states can fortify resilience more broadly, especially as local governments are a major threat vector. It also argues for greater collaboration with academic institutions at all levels.
The report, based on a survey of CISOs from 50 states and three territories, found that just 35% of respondents said they have had strong collaboration with local government entities during the past year, compared with 58% who said they have had limited collaboration.
Srini Subramanian, a principal in Deloitte’s cyber practice and a report co-author, said the best way to boost cooperation on cybersecurity between the various levels of government is to increase funding to support common goals, something the federal government has done with the $1 billion set aside over four years through its cybersecurity grant program.
The State and Local Cybersecurity Grant Program, which observers agree could help foster greater collaboration, requires states to allocate at least 80% of their funding to local and rural communities. They can also provide localities with “items, services, capabilities, or activities on a state-wide basis” instead of cash, with those governments’ permission. Subramanian said the latter is the most viable option.
“It is much more efficient to enable a cyber service at an enterprise level or whole-of-state level and for the local government to subscribe to it,” he said. “They can still manage, they can still have autonomy on how they respond to their particular locality’s issues, and who gets notified when there is a problem and how they respond. That can still be localized, and they can have a level of autonomy that is required to do that.”
In parallel with fostering greater partnerships with local governments, the report also calls on state CISOs to deal with the talent gap in the cybersecurity workforce. Half of those surveyed said a lack of trained cyber professionals is one of the top five barriers they face in addressing cybersecurity challenges. The number of people in these jobs has remained about the same as in the last version of the survey in 2020, even as the need for skilled talent grows.
The report calls for state governments to “compete effectively” with the private sector and the federal government for workers, especially in areas like remote work.
Subramanian said they should move toward an “ecosystem model” where states, universities and the private sector work together to foster talent development. That can include embracing new work models and encouraging pathways into government from educational institutions, he said.
“Imagine a model where a public higher education institution is doing a cyber program,” Subramanian said. “And while they're in there, as interns or as student workers, they are delivering some services or collaborating with the private sector or the state government. Some of them may decide to work for the state or for the private sector, but there is a [talent] supply chain model with public higher ed.”
The COVID-19 pandemic presented numerous challenges for CISOs, who were forced to deal with a host of security risks and the need to digitize citizen-facing services and back-office workflows after they sent thousands of employees into remote work. The report calls for CISOs to embrace emerging technologies like artificial intelligence and machine learning in a bid to further digitize and streamline government services delivery.
To make sure that cybersecurity remains top-of-mind for elected officials, the report also urged CISOs and chief information officers to push for cybersecurity as a separate line-item in state budgets, rather than just as a section of the overall IT or technology spend.
And while it can be challenging to further centralize services and push cybersecurity to the forefront, Subramanian said the pandemic showed what is possible, especially if elected officials become more educated on what is feasible and draw lessons from the success of remote work and the embrace of VPNs, among others.
“Cyber is an area where a non-event is a success, where business as usual is a success,” he said. “But business as usual also means that the business leaders don't quite appreciate the value of what happens behind the scenes for the business, digital modernization and digital services to happen as usual. So that level of education at the governor, cabinet secretary level and the legislator level, is a very important aspect of it.”