Is it resources or know-how that state CISOs lack?
The National Association of State Chief Information Officers (NASCIO) recently published the results of its Government Data, Citizens' Personal Information at Risk: Deloitte-NASCIO Survey.
According to that report, 79 percent of state chief information security officers (CISOs) say they're experiencing stagnant or decreased budgets, while watching both internal and external threats increase.
As the former CISO of the Commonwealth of Pennsylvania, I expected this pronouncement to spark my interest, but it did not surprise me. Prior to my exit as CISO in March, we had already experienced deep budget cuts and staff reductions, not just in security, but in IT spending overall.
What did surprise me was that, according to the report, "many state CISOs lack the funding, programs and resources to adequately protect vital government data and the personal information of their constituents."
Even with the cuts I saw, I would not have agreed with this conclusion.
Just over six months ago at the 2010 RSA Conference, I sat on a panel with leading state CISOs to share our experiences and successes. My fellow panelists and I all echoed the same theme. We agreed that while the budget crisis was indeed severe, the use of existing operationalized programs, as well as making better use of existing resources, would continue to provide a high level of protection for our resources. It made me wonder if things really had become that dire in the last six months.
Delving deeper into the report, many of the issues it outlines, such as the lack of an enterprise CISO role or the absence of needed authority for that position, are in fact improving. The survey also highlighted areas that are of particular concern to me, including the notion that states are still "in the early stages of establishing programs and deploying technology" to safeguard critical data.
During the course of my tenure as CISO, I worked closely with the Multi-State Information Sharing and Analysis Center (MS-ISAC), a self-described "collaborative state and local government-focused cybersecurity entity," which aims to enhance threat prevention, protection, response and recovery throughout the United States.
Since its inception, the MS-ISAC has provided significant security resources to state and local governments, which many have used either to establish or to improve their information security programs. MS-ISAC resources were leveraged early on in developing the programs and strategies implemented in the state of Pennsylvania, programs that garnered significant government- and private-sector attention and recognition.
A prime example was the announcement last year from NASCIO that Pennsylvania had been selected as a finalist for the association's 2009 Recognition Awards because of its "Application Certification & Accreditation (CA)2 Process for Outstanding Achievement in the Field of Information Security and Privacy."
The genesis for the (CA)2 Process was a presentation at an MS-ISAC national meeting several years ago. Leveraging existing National Institute of Standards and Technology (NIST) standards and the hard work of dedicated state of Pennsylvania employees, the program was responsible for identifying weaknesses in web-based applications. Had those applications gone live without the (CA)2 process, the potential for exposures of significant amounts of confidential information would have been that much greater.
The current Cyber Security Awareness Month offers yet another example of successful cooperation among state governments. Through this ongoing initiative, the MS-ISAC develops advanced awareness programs and educational materials and makes them available to the states at no charge.
In the NASCIO survey introduction, it states, "In September 2006, NASCIO conducted a study of state CISOs. Data from that effort highlighted the key needs for sufficient staffing, adequate funding and executive support. More recently, the 2010 Deloitte-NASCIO Cybersecurity Study finds that while state CISOs have done an excellent job at evolving their roles, educating stakeholders and seeking legislative support, they only can do so much with the resources and influence they currently possess."
Harking back to that March panel of state CISOs, we agreed that although times were tough, good programs could still be created and maintained by leveraging effective business-process engineering and by integrating shared alerting and monitoring data into those processes. So, what changed?
It seems that Pennsylvania is demonstrating an increased reliance on the expertise of existing vendors and their technical controls.
An example of this can be found simply by reviewing the session agenda for the state's recent Cyber Friday at the start of October, which consisted of two days of presentations by companies already holding contracts with the state. Another point worth noting: three of the four CISO panelists at that conference no longer work in state government.
I won't disagree with the report's premise that cybersecurity is underfunded, or that this is not a new problem.
I think, however, that the overriding theme of state CISOs only being able "to do so much with the resources" may be used by some as justification to spend more money on technical controls.
It is far better to leverage and share data and resources within existing programs, and then use those resources in the development of a sound cybersecurity strategy focused on real risk management, along with the appropriate use of technology and process to address that risk.