State Governments at Risk: State CIOs and Cybersecurity
CSG Cybersecurity and Privacy Policy Academy, November 2, 2017
About NASCIO
National association representing state chief information officers and information technology executives from the states, territories and D.C. NASCIO's mission is to foster government excellence through quality business practices, information management, and technology policy. NASCIO provides members with products and services designed to support the challenging role of the state CIO, stimulate the exchange of information, and promote the adoption of IT best practices and innovations.
Cybersecurity: More than Technology
Your Cast Today
Amy Tong, CIO, State of California
Mike Hussey, CIO, State of Utah
Doug Robinson, Executive Director, NASCIO
Budgets for FY 2018 remain cautious: 1%
CIOs pressured to find cost savings, driving consolidation and optimization strategies
Continued evolution from the owner-operator business model: focus on X-as-a-Service and flexible consumption
Cybersecurity as a business risk: ransomware, hacktivism and evolving threats; enterprise strategy, communication and talent
Growing investments in cloud services, data analytics, mobile, digital government services
Advocating for IT modernization, agile approaches, procurement reform
Continuing IT workforce challenges: retirements, skills gap, recruiting, talent management, workplace innovation
Top Ten: State CIO Priorities for 2017
1. Security
2. Consolidation/Optimization
3. Cloud Services
4. Budget and Cost Control
5. Legacy Modernization
6. Enterprise IT Governance
7. Data Management and Analytics
8. Enterprise Vision and Roadmap for IT
9. Agile and Incremental Software Delivery
10. Broadband/Wireless Connectivity
Source: NASCIO State CIO ranking, November 2016
Rationale for IT Consolidation & Unification
Reduce diversity and complexity of the environment: cost savings
Economies of scale: reduce operational costs
Strengthen IT security: enterprise visibility
Promote enterprise integration and applications
Introduce process standards: ITIL and ITSM
Improved support for legacy systems
Centralize infrastructure maintenance and upgrades
Improve disaster recovery/business continuity
Reinvestment of spend to service delivery
State Governments at Risk!
States are attractive targets: data!
More aggressive threats: organized crime, ransomware, hacktivism
Nation state attacks
Critical infrastructure protection: disruption
Insider threats: employees, contractors
Data and services on the move: cloud and mobile
Need for continuous training, awareness
One of the major factors unique to state government is the inherent openness that is expected of government at all levels. This has created the challenge of balancing that expectation of openness and transparency with the need to protect the privacy of personal or sensitive data.
Complexity of state government, with many agencies that collect and hold a wide variety of personal information
Legal mandates requiring the retention of certain types of information
Patchwork of state laws governing privacy on a sector-specific basis
Increasing need for cross-referencing and data integration across agencies
Pervasive use of technology
Tech-savvy state employees and contractors
Emerging trends
Top cyber threats across state government
Cyber Disruption: Impacting State Services
State governments and the critical infrastructure within the state are at risk from a cybersecurity attack that could disrupt the normal operations of government and impact citizens.
Source: NASCIO. This project was supported by Grant No. 2010-DJ-BX-K046 awarded by the Bureau of Justice Assistance.
Business Risks
Who's Responsible for Protecting State Data?
Chief Information Officers
Information Security Officers
Agency Leaders
Data Owners
Employees
Human Resources
Legal Departments
Third Party Contractors
Elected Officials
Unfortunately, state officials are often looking at their security incidents in a rear-view mirror: after the incident.
Cybersecurity involves more than just IT; it's a team sport. Protecting data and infrastructure is a core responsibility of state government entities and an investment in risk management. It's a complex ecosystem that requires a roadmap.
The Human Factor
63 percent of confirmed data breaches involve using weak, default or stolen passwords
Miscellaneous errors take the No. 1 spot for security incidents: humans!
Basic defenses continue to be sorely lacking in many organizations
Humans are the most vulnerable point of any information system, Mr. Wynne said, adding that the vast majority of cyberattacks use social engineering, such as phishing, to trick employees into taking actions detrimental to the company. The education aspect is a critical component because it increases employee resilience to social engineering, he said.
Creating a Culture of Risk Awareness
Source: Chief Information Security Officer, Commonwealth of Pennsylvania, 2017
Key takeaways #1: Governor-level awareness is on the rise
How often is the topic of cybersecurity presented or discussed at your agency/office executive leadership meetings?
Source: Deloitte-NASCIO 2016 Cybersecurity Study
Key takeaways #2: Cybersecurity is becoming part of the fabric of government operations
Top five cybersecurity initiatives for 2016
Source: NASCIO 2017 State CIO Survey
Key takeaways #3: A formal strategy can lead to more resources
Top five barriers in addressing cybersecurity challenges
"managing cyber risks can provide a competitive advantage for Connecticut businesses, a more secure living environment for Connecticut residents and better stewardship of information and services by Connecticut state and local governments" - Connecticut Cybersecurity Strategy, 2017
Source: State of Connecticut, 2017
State of Illinois
Key Objectives of Goal 4: Establish the Enterprise Information & Cyber Security Program
Embrace a Common Cybersecurity Framework
Enact Effective Enterprise-Wide Security Policies
Improve Security through Transformation
Source: State of Illinois, 2017
Cybersecurity Maturity in the States is Improving
Risk-Based Strategies are Being Adopted
Source: NASCIO 2017 State CIO Survey
Data is the currency of state government. Data is at risk. Data classification is the exercise required to categorize data according to its value and sensitivity. Until a state has its data classified, there is no way to adequately protect it, or even to understand how much protection is adequate.
Which is most important in managing data security?
Classifying your data: 50%
Proven processes: 29%
Experienced people: 21%
The best technology: 0%
Use a Risk-Based Strategy and Take Action
Develop a strategy to protect data. Use the NIST Cybersecurity Framework as a roadmap
Conduct a risk assessment and allocate resources accordingly. Where is your data? How would you classify the data in terms of risk?
Implement continuous vulnerability and threat mitigation practices
Limit data collection, control access, consider data loss prevention
Create a culture of risk awareness. Educate and test employees
The Talent Crisis
There is a shortage of qualified cyber-workers
1.5M cybersecurity workforce shortage by 2020
The shortage stems from a variety of factors, such as: high experience requirements; an aging security workforce; a lack of interest from high schoolers, technical school and college-level students
Source: Chief Information Security Officer, State of Georgia, 2017
Talent crisis continues
Top three human resources factors that negatively impact the CISO's ability to develop, support, and maintain a cybersecurity workforce
Talent crisis continues
Top three factors that CISOs employ to attract and retain cybersecurity talent
State IT Workforce
Source: NASCIO 2017 State CIO Survey
Michigan Cyber Civilian Corps (MiC3), 2017
Trained cyber professionals who volunteer to provide expert assistance in times of cyber emergency
Currently there are 63 members
Michigan plans to increase membership to 200 volunteers by the end of 2018
What Do We Know? Patterns of Success
Enterprise Leadership and Governance
Statewide Cybersecurity Framework & Controls
Cybersecurity Culture: A Team Sport
Know the Risks, Assess the Risks, Measure
Communicating the Risks: Training
Invest: Deploy Security Technologies
Looking Forward: Action Needed
States must organize for success: think enterprise
Threat information sharing is essential
Focus on detection and response planning
Invest in continuous awareness and training
Collaborate on a cyber disruption plan
Talent pipeline: advocate for cybersecurity degrees
Emerging technologies: threats and opportunities
Crisis communication: you will be breached!
NASCIO's Cybersecurity Call to Action: Key Questions for State Leaders
Does your state government support a culture of information security with a governance structure of state leadership and all key stakeholders?
Has your state conducted a risk assessment? Is data classified by risk? Critical infrastructure reviewed? Are security metrics available?
Has your state implemented an enterprise cybersecurity framework that includes policies, control objectives, practices, standards, and compliance? Is the NIST Cybersecurity Framework a foundation?
Has your state invested in enterprise solutions that provide continuous cyber threat detection, mitigation and vulnerability management? Has the state deployed advanced cyber threat analytics?
Have state employees and contractors been trained for their roles and responsibilities in protecting the state's assets?
Does your state have a cyber disruption response plan? A crisis communication plan focused on cybersecurity incidents?