TRANSCRIPT
State Governments at Risk: State CIOs and Cybersecurity
CSG Cybersecurity and Privacy Policy Academy
November 2, 2017
About NASCIO
National association representing state chief information officers and information technology executives from the states, territories and D.C.
NASCIO's mission is to foster government excellence through quality business practices, information management, and technology policy.
NASCIO provides members with products and services designed to support the challenging role of the state CIO, stimulate the exchange of information, and promote the adoption of IT best practices and innovations.
Cybersecurity: More than Technology
Your Cast Today
Mike Hussey, CIO, State of Utah
Amy Tong, CIO, State of California
Doug Robinson, Executive Director, NASCIO
Budgets for FY 2018 remain cautious – 1%. CIOs pressured to find cost savings, driving consolidation, optimization strategies
Continued evolution from the owner-operator business model –focus on X-As-A-Service and flexible consumption
Cybersecurity as a business risk. Ransomware, hacktivism and evolving threats. Enterprise strategy, communication and talent
Growing investments in cloud services, data analytics, mobile, digital government services
Advocating for IT modernization, agile approaches, procurement reform
Continuing IT workforce challenges: retirements, skills gap, recruiting, talent management, workplace innovation
Top Ten: State CIO Priorities for 2017
1. Security
2. Consolidation/Optimization
3. Cloud Services
4. Budget and Cost Control
5. Legacy Modernization
6. Enterprise IT Governance
7. Data Management and Analytics
8. Enterprise Vision and Roadmap for IT
9. Agile and Incremental Software Delivery
10. Broadband/Wireless Connectivity
Source: NASCIO State CIO ranking, November 2016
Rationale for IT Consolidation & Unification
• Reduce diversity and complexity of environment – cost savings
• Economies of scale – reduce operational costs
• Strengthen IT security: enterprise visibility
• Promote enterprise integration and applications
• Introduce process standards: ITIL and ITSM
• Improved support for legacy systems
• Centralize infrastructure maintenance and upgrades
• Improve disaster recovery/business continuity
• Reinvestment of spend to service delivery
State Governments at Risk!
States are attractive targets – data!
More aggressive threats – organized crime, ransomware, hacktivism
Nation state attacks
Critical infrastructure protection: disruption
Insider threats – employees, contractors
Data and services on the move: cloud and mobile
Need for continuous training, awareness
Complexity of state government with many agencies that collect and hold a wide variety of personal information
Legal mandates requiring the retention of certain types of information
Patchwork of state laws governing privacy on a sector-specific basis
Increasing need for cross-referencing and data integration across agencies
Pervasive use of technology
Tech-savvy state employees and contractors
One of the major factors unique to government is the inherent openness that is expected of government at all levels. This has created the challenge of balancing that expectation of openness and transparency with the need to protect the privacy of personal or sensitive data.
Top cyber threats across state government
Emerging trends
Cyber Disruption: Impacting State Services
“State governments and the critical infrastructure within the state are at risk from a cybersecurity attack that could disrupt the normal operations of government and impact citizens.”
Source: NASCIO. This project was supported by Grant No. 2010-DJ-BX-K046 awarded by the Bureau of Justice Assistance.
Business Risks
Who’s Responsible for Protecting State Data?
• Chief Information Officers
• Information Security Officers
• Agency Leaders
• Data Owners
• Employees
• Human Resources
• Legal Departments
• Third Party Contractors
• Elected Officials
Unfortunately state officials are often looking at their security incidents in a rear view mirror. After the incident…
Cybersecurity involves more than just IT – it’s a team sport.
Protecting data and infrastructure is a core responsibility of state government entities and an investment in risk management.
It’s a complex ecosystem that requires a roadmap.
The Human Factor
63 percent of confirmed data breaches involve using weak, default or stolen passwords
‘Miscellaneous errors’ take the No. 1 spot for security incidents - humans!
Basic defenses continue to be sorely lacking in many organizations
“Humans are the most vulnerable point of any information system,” Mr. Wynne said, adding that the vast majority of cyberattacks use social engineering, such as phishing, to trick employees into taking actions detrimental to the company. “The education aspect is a critical component because it increases employee resilience to social engineering,” he said.
Creating a “Culture of Risk Awareness”
Source: Chief Information Security Officer, Commonwealth of Pennsylvania, 2017
Key takeaways
#1: Governor-level awareness is on the rise
How often is the topic of cybersecurity presented or discussed at your agency/office executive leadership meetings?
Source: Deloitte-NASCIO 2016 Cybersecurity Study
Key takeaways
#2: Cybersecurity is becoming part of the fabric of government operations
Top five cybersecurity initiatives for 2016
Source: NASCIO 2017 State CIO Survey
Top five barriers in addressing cybersecurity challenges
Key takeaways
#3: A formal strategy can lead to more resources
“…managing cyber risks can provide a competitive advantage for Connecticut businesses, a more secure living environment for Connecticut residents and better stewardship of information and services by Connecticut state and local governments…”
- Connecticut Cybersecurity Strategy, 2017
Source: State of Connecticut, 2017
State of Illinois
Key Objectives of Goal 4:
• Establish the Enterprise Information & Cyber Security Program
• Embrace a Common Cybersecurity Framework
• Enact Effective Enterprise-Wide Security Policies
• Improve Security through Transformation
Source: State of Illinois, 2017
Cybersecurity Maturity in the States is Improving
Risk-Based Strategies are Being Adopted
Source: NASCIO 2017 State CIO Survey
“Data classification is the exercise required to categorize data according to its value and sensitivity. Until a state has its data classified, there is no way to adequately protect it, or even to understand how much protection is adequate.”
Data is the currency of state government.
Data is at risk.
Audience poll: Which is most important in managing data security?
Options: The best technology; Experienced people; Proven processes; Classifying your data
Responses as extracted from the slide (order of pairing not recoverable): 0%, 21%, 29%, 50%
Use a Risk-Based Strategy and Take Action
• Develop a strategy to protect data. Use the NIST Cybersecurity Framework as a roadmap
• Conduct a risk assessment and allocate resources accordingly. Where is your data? How would you classify the data in terms of risk?
• Implement continuous vulnerability and threat mitigation practices
• Limit data collection, control access, consider data loss prevention
• Create a culture of risk awareness. Educate and test employees
The Talent Crisis
There is a shortage of qualified cyber-workers
1.5M cybersecurity workforce shortage by 2020
The shortage stems from a variety of factors, such as:
– high experience requirements;
– an aging security workforce;
– a lack of interest from high schoolers, technical school and college-level students
Source: Chief Information Security Officer, State of Georgia, 2017
Top three human resources factors that negatively impact the CISO’s ability to develop, support, and maintain cybersecurity workforce
Talent crisis continues
Top three factors that CISOs employ to attract and retain cybersecurity talent
Talent crisis continues
State IT Workforce
Source: NASCIO 2017 State CIO Survey
Michigan Cyber Civilian Corps (MiC3)
Trained cyber professionals who volunteer to provide expert assistance in times of cyber emergency
Currently there are 63 members. Michigan plans to increase membership to 200 volunteers by the end of 2018.
2017
What Do We Know? Patterns of Success
Enterprise Leadership and Governance
Statewide Cybersecurity Framework & Controls
Cybersecurity Culture: A Team Sport
Know the Risks, Assess the Risks, Measure
Communicating the Risks: Training
Invest: Deploy Security Technologies
Looking Forward… Action Needed
States must organize for success – think enterprise
Threat information sharing is essential
Focus on detection and response planning
Invest in continuous awareness and training
Collaborate on a cyber disruption plan
Talent pipeline: advocate for cybersecurity degrees
Emerging technologies: threats and opportunities
Crisis communication…you will be breached!
NASCIO’s Cybersecurity Call to Action: Key Questions for State Leaders
• Does your state government support a “culture of information security” with a governance structure of state leadership and all key stakeholders?
• Has your state conducted a risk assessment? Is data classified by risk? Critical infrastructure reviewed? Are security metrics available?
• Has your state implemented an enterprise cybersecurity framework that includes policies, control objectives, practices, standards, and compliance? Is the NIST Cybersecurity Framework a foundation?
• Has your state invested in enterprise solutions that provide continuous cyber threat detection, mitigation and vulnerability management? Has the state deployed advanced cyber threat analytics?
• Have state employees and contractors been trained for their roles and responsibilities in protecting the state’s assets?
• Does your state have a cyber disruption response plan? A crisis communication plan focused on cybersecurity incidents?