IT leaders in the public sector are having to deal with an increasing number of cybersecurity threats. Although President Trump issued executive order 13800 (EO 13800) ‘Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure’ on May 11, 2017, we have yet to see any policy or strategy implemented.
Within the US there is no unified law regulating cybersecurity. Until the White House puts into effect a uniform plan, IT leaders must administer their own state cybersecurity legislation. To complicate matters, support for IT development projects remains scarce, as local governments compete for cybersecurity funding.
The National Association of State Chief Information Officers (NASCIO), a nonprofit, 501(c)3 association that represents the interests of state chief information officers, IT executives, and managers – from the states, territories, and the District of Columbia – hosted its annual conference on October 3, and information security was a prevalent topic of discussion.
Many state CIOs are responding proactively to data security challenges by implementing cyber policies and breach deterrent strategies. The following five states present their approach to tackling cybersecurity.
Arizona embraces technology to map out its cybersecurity framework
Arizona Governor Doug Ducey is the former CEO of Cold Stone Creamery. From ice cream giant to government official, he is now taking practical measures to protect Arizona’s IT security footprint. In one day, Arizona can experience 3,000 Trojan malware attempts and 50 structured query language (SQL) injections, and launch 15 investigations – not to mention 100,000 spam emails.
Chief Information Security Officer (CISO) Mike Lettman revealed that throughout Arizona, “appalling” security vulnerabilities and system redundancies threaten information security. He spoke of the importance of mapping the threat environment and the state’s efforts to tactfully deal with cyber threats.
“We have gaps in security at every agency and I’m sure that most states around the country have the exact same situation. We had inefficiencies in security in the form of duplication in every agency.” Local and state agencies are now working together toward a successful information security management system protocol.
Arizona’s agencies are starting to use technology to streamline cybersecurity processes. Lettman enlisted RiskSense to help manage cyber risks. The RiskSense dashboard and other tools have helped Arizona to improve its threat detection and prioritization.
RiskSense revealed that Arizona had 600 more websites than it had first internally reported. Whether at the state, local, or Federal level, agencies cannot afford to miscalculate their risk assets. RiskSense also detected 1,500 points of exposure when WannaCry hit.
Georgia is addressing the impending cybersecurity workforce shortage
Analysts from Frost & Sullivan predict that there will be a shortage of 1.5 million cybersecurity professionals by 2020. There are a number of factors driving this shortage. Georgia CISO Stanton Gatewood cites an aging security workforce, a lack of interest from students, and the high skill and experience levels needed.
Georgia is trying to fill this gap. In January, it launched the Cybersecurity Workforce Academy, which offers short-term, immersive courses for individuals to better understand cybersecurity professions. Topics include cyber defence, cyber threat awareness, and cyber preparedness. In 2018, the state will also offer courses through the Georgia Cyber Innovation and Training Center in Augusta.
Illinois launched a state-wide initiative for a cyber secure infrastructure
According to the IBM X-Force 2016 Cyber Security Intelligence Index, 60% of data breaches occur due to a lack of cybersecurity awareness among employees, contractors, and consultants. Illinois State CISO and Interim CIO Kirk Lonbom is taking action to prevent cyber attacks such as phishing – the number one cyber threat according to the US Department of Homeland Security.
Lonbom believes that a culture steeped in cyber risk awareness will reduce risk and protect private data. In March, Illinois launched a state-wide initiative to consolidate policies and create a straightforward cyber strategy that will protect data and IT infrastructure. The strategy will:
- Protect information and systems
- Reduce cyber risk
- Procure best-in-class cybersecurity capabilities
- Take an enterprise approach to cybersecurity
- Build and maintain a cyber secure Illinois
Illinois passed HB 2371, an amendment to the Data Security on State Computers Act, which requires that state employees undergo cybersecurity awareness training annually. So far in 2017, 47,000 staff members have completed the training, which is carried out by the Department of Innovation and Technology. Lonbom asserts that it is a low-cost yet high-benefit method; he estimated that awareness, preparedness, and business continuity training will help to save $9 million annually.
Michigan enlists cybercrime fighters to ensure information security
(MiC3) – a team of highly trained, volunteer information security professionals from the public and private sectors. Michigan CISO Rajiv Das sees the cybercrime fighters as part of a larger vision to create a workable “cyberecosystem” protecting businesses state-wide. There are currently 64 members; by the end of 2018, Das intends to expand the Corps to 200 members. MiC3 requires that volunteers have at least two years of experience working in information security, and basic certification, e.g. ANSI-certified/DOD 8570 compliant certifications; Security+, C|EH, CISSP or GIAC certifications are strongly preferred. Participants benefit from training and certification opportunities.
Smaller jurisdictions within Michigan are also benefitting from a “CISO-as-a-service” pilot program, which provides cybersecurity expertise to local government agencies where a full-time information security officer is unaffordable. Michigan started the program this year with nine local governments – seven counties plus two townships. Since smaller agencies are susceptible to as many data breach risks as larger ones, the organization hopes to expand the program to all 243 local governments.
Pennsylvania tackles cybersecurity as a matter of business, not IT
The CISO of Pennsylvania, Erik Avakian, believes that there is a disconnect between business and IT security. Cyber problems are now business problems. The paradigm shift should compel senior management to become extra supportive of cybersecurity initiatives. Avakian believes that unless funding agencies see the correlation between the cost of training and the benefits, less money will be invested in training.
As end users are the first line of defense against data breaches, four years ago Pennsylvania began in-house phishing awareness programs to train its 80,000 state employees. One such exercise includes sending “fake phishing” emails to staff members. When an employee clicks the “bad” link in an email, they are redirected to a phishing information website offering cautionary feedback and tips to avoid phishing schemes.
Pennsylvania is systematically expanding its cybersecurity awareness program by using a third-party software-as-a-service tool. Avakian recommends adding this to the training program.
Threats to information security are ever-present and growing
Whether your organization is public or private, it is important to protect the private data that you maintain. Mandatory compliance with the EU GDPR is forthcoming: on May 25, 2018, any US organization that processes the personal data of EU residents must adhere to the EU GDPR.
The GDPR’s implications for international businesses in the US cannot be overstated. Instilling controls to secure personal data and honoring individuals’ rights are just two parts of the GDPR initiative.
If you are ready to start your GDPR program, experience a comprehensive introduction to the GDPR, and gain an understanding of the implications and legal requirements for US organizations in the upcoming Certified EU General Data Protection Regulation Foundation (GDPR) Training Course.
The one-day introductory training course takes place on November 28, 2017 from 9:00 am – 5:00 pm at the Boston Marriott Newton Hotel in Boston, MA. Upon completion, you will achieve the EU GDPR Foundation (EU GDPR F) qualification. The exam is included in the course.