State Governments at Risk: State CIOs and Cybersecurity. CSG Cybersecurity and Privacy Policy Academy November 2, 2017


About NASCIO National association representing state chief information officers and information technology executives from the states, territories and D.C. NASCIO's mission is to foster government excellence through quality business practices, information management, and technology policy. NASCIO provides members with products and services designed to support the challenging role of the state CIO, stimulate the exchange of information, and promote the adoption of IT best practices and innovations.

Cybersecurity: More than Technology

Your Cast Today
- Amy Tong, CIO, State of California
- Mike Hussey, CIO, State of Utah
- Doug Robinson, Executive Director, NASCIO

- Budgets for FY 2018 remain cautious (1%). CIOs pressured to find cost savings, driving consolidation and optimization strategies
- Continued evolution from the owner-operator business model: focus on X-As-A-Service and flexible consumption
- Cybersecurity as a business risk: ransomware, hacktivism and evolving threats; enterprise strategy, communication and talent
- Growing investments in cloud services, data analytics, mobile, digital government services
- Advocating for IT modernization, agile approaches, procurement reform
- Continuing IT workforce challenges: retirements, skills gap, recruiting, talent management, workplace innovation

Top Ten: State CIO Priorities for 2017
1. Security
2. Consolidation/Optimization
3. Cloud Services
4. Budget and Cost Control
5. Legacy Modernization
6. Enterprise IT Governance
7. Data Management and Analytics
8. Enterprise Vision and Roadmap for IT
9. Agile and Incremental Software Delivery
10. Broadband/Wireless Connectivity
Source: NASCIO State CIO ranking, November 2016

Rationale for IT Consolidation & Unification
- Reduce diversity and complexity of environment: cost savings
- Economies of scale: reduce operational costs
- Strengthen IT security: enterprise visibility
- Promote enterprise integration and applications
- Introduce process standards: ITIL and ITSM
- Improved support for legacy systems
- Centralize infrastructure maintenance and upgrades
- Improve disaster recovery/business continuity
- Reinvestment of spend to service delivery

State Governments at Risk!
- States are attractive targets: data!
- More aggressive threats: organized crime, ransomware, hacktivism
- Nation state attacks
- Critical infrastructure protection: disruption
- Insider threats: employees, contractors
- Data and services on the move: cloud and mobile
- Need for continuous training, awareness

One of the major factors unique to government is the inherent openness that is expected of government at all levels. This has created the challenge of balancing that expectation of openness and transparency with the need to protect the privacy of personal or sensitive data.

- Complexity of state government, with many agencies that collect and hold a wide variety of personal information
- Legal mandates requiring the retention of certain types of information
- Patchwork of state laws governing privacy on a sector-specific basis
- Increasing need for cross-referencing and data integration across agencies
- Pervasive use of technology
- Tech-savvy state employees and contractors

Emerging trends: Top cyber threats across state government

Cyber Disruption: Impacting State Services State governments and the critical infrastructure within the state are at risk from a cybersecurity attack that could disrupt the normal operations of government and impact citizens. Source: NASCIO. This project was supported by Grant No. 2010-DJ-BX-K046 awarded by the Bureau of Justice Assistance.

Business Risks

Who's Responsible for Protecting State Data?
- Chief Information Officers
- Information Security Officers
- Agency Leaders
- Data Owners
- Employees
- Human Resources
- Legal Departments
- Third Party Contractors
- Elected Officials

Unfortunately, state officials are often looking at their security incidents in a rear-view mirror. After the incident

Cybersecurity involves more than just IT: it's a team sport. Protecting data and infrastructure is a core responsibility of state government entities and an investment in risk management. It's a complex ecosystem that requires a roadmap.

The Human Factor

- 63 percent of confirmed data breaches involve using weak, default or stolen passwords
- Miscellaneous errors take the No. 1 spot for security incidents - humans!
- Basic defenses continue to be sorely lacking in many organizations

Humans are the most vulnerable point of any information system, Mr. Wynne said, adding that the vast majority of cyberattacks use social engineering, such as phishing, to trick employees into taking actions detrimental to the company. The education aspect is a critical component because it increases employee resilience to social engineering, he said.

Creating a Culture of Risk Awareness Source: Chief Information Security Officer, Commonwealth of Pennsylvania, 2017

Key takeaways #1: Governor-level awareness is on the rise Source: Deloitte-NASCIO 2016 Cybersecurity Study

Key takeaways #1: Governor-level awareness is on the rise How often is the topic of cybersecurity presented or discussed at your agency/office executive leadership meetings?

Key takeaways #2: Cybersecurity is becoming part of the fabric of government operations

Key takeaways #2: Cybersecurity is becoming part of the fabric of government operations Top five cybersecurity initiatives for 2016

Source: NASCIO 2017 State CIO Survey

Key takeaways #3: A formal strategy can lead to more resources Top five barriers in addressing cybersecurity challenges

Key takeaways #3: A formal strategy can lead to more resources

"managing cyber risks can provide a competitive advantage for Connecticut businesses, a more secure living environment for Connecticut residents and better stewardship of information and services by Connecticut state and local governments" - Connecticut Cybersecurity Strategy, 2017. Source: State of Connecticut, 2017

State of Illinois: Key Objectives of Goal 4
- Establish the Enterprise Information & Cyber Security Program
- Embrace a Common Cybersecurity Framework
- Enact Effective Enterprise-Wide Security Policies
- Improve Security through Transformation
Source: State of Illinois, 2017

Cybersecurity Maturity in the States is Improving: Risk-Based Strategies are Being Adopted. Source: NASCIO 2017 State CIO Survey

Data is the currency of state government. Data is at risk. Data classification is the exercise required to categorize data according to its value and sensitivity. Until a state has its data classified, there is no way to adequately protect it, or even to understand how much protection is adequate.

INTERACTIVE TECHNOLOGY SPONSORS
Which is most important in managing data security?
- Classifying your data: 50%
- Proven processes: 29%
- Experienced people: 21%
- The best technology: 0%

Use a Risk-Based Strategy and Take Action
- Develop a strategy to protect data. Use the NIST Cybersecurity Framework as a roadmap
- Conduct a risk assessment and allocate resources accordingly. Where is your data? How would you classify the data in terms of risk?
- Implement continuous vulnerability and threat mitigation practices
- Limit data collection, control access, consider data loss prevention
- Create a culture of risk awareness. Educate and test employees

The Talent Crisis

There is a shortage of qualified cyber-workers: 1.5M cybersecurity workforce shortage by 2020. The shortage stems from a variety of factors, such as:
- high experience requirements;
- an aging security workforce;
- a lack of interest from high schoolers, technical school and college-level students
Source: Chief Information Security Officer, State of Georgia, 2017

Talent crisis continues: Top three human resources factors that negatively impact the CISO's ability to develop, support, and maintain a cybersecurity workforce

Talent crisis continues: Top three factors that CISOs employ to attract and retain cybersecurity talent

State IT Workforce

Source: NASCIO 2017 State CIO Survey

Michigan Cyber Civilian Corps (MiC3), 2017
- Trained cyber professionals who volunteer to provide expert assistance in times of cyber emergency
- Currently there are 63 members
- Michigan plans to increase membership to 200 volunteers by the end of 2018

What Do We Know? Patterns of Success
- Enterprise Leadership and Governance
- Statewide Cybersecurity Framework & Controls
- Cybersecurity Culture: A Team Sport
- Know the Risks, Assess the Risks, Measure
- Communicating the Risks: Training
- Invest: Deploy Security Technologies

Looking Forward: Action Needed
- States must organize for success: think enterprise
- Threat information sharing is essential
- Focus on detection and response planning
- Invest in continuous awareness and training
- Collaborate on a cyber disruption plan
- Talent pipeline: advocate for cybersecurity degrees
- Emerging technologies: threats and opportunities
- Crisis communication: you will be breached!

NASCIO's Cybersecurity Call to Action: Key Questions for State Leaders
- Does your state government support a culture of information security with a governance structure of state leadership and all key stakeholders?
- Has your state conducted a risk assessment? Is data classified by risk? Critical infrastructure reviewed? Are security metrics available?
- Has your state implemented an enterprise cybersecurity framework that includes policies, control objectives, practices, standards, and compliance? Is the NIST Cybersecurity Framework a foundation?
- Has your state invested in enterprise solutions that provide continuous cyber threat detection, mitigation and vulnerability management? Has the state deployed advanced cyber threat analytics?
- Have state employees and contractors been trained for their roles and responsibilities in protecting the state's assets?
- Does your state have a cyber disruption response plan? A crisis communication plan focused on cybersecurity incidents?