State Governments at Risk: State CIOs and Cybersecurity CSG Cybersecurity and Privacy Policy Academy November 2, 2017


Page 1: State Governments at Risk: State CIOs and Cybersecurity (knowledgecenter.csg.org › kc › system › files › NASCIO CSG Cybersec… · Strengthen IT security: enterprise visibility)

State Governments at Risk: State CIOs and Cybersecurity

CSG Cybersecurity and Privacy Policy Academy, November 2, 2017

Page 2:

About NASCIO

National association representing state chief information officers and information technology executives from the states, territories and D.C.

NASCIO's mission is to foster government excellence through quality business practices, information management, and technology policy.

NASCIO provides members with products and services designed to support the challenging role of the state CIO, stimulate the exchange of information, and promote the adoption of IT best practices and innovations.

Page 3:

Cybersecurity: More than Technology

Your Cast Today

Mike Hussey, CIO, State of Utah

Amy Tong, CIO, State of California

Doug Robinson, Executive Director, NASCIO

Page 4:

Budgets for FY 2018 remain cautious – 1%. CIOs pressured to find cost savings, driving consolidation, optimization strategies

Continued evolution from the owner-operator business model – focus on X-as-a-Service and flexible consumption

Cybersecurity as a business risk. Ransomware, hacktivism and evolving threats. Enterprise strategy, communication and talent

Growing investments in cloud services, data analytics, mobile, digital government services

Advocating for IT modernization, agile approaches, procurement reform

Continuing IT workforce challenges: retirements, skills gap, recruiting, talent management, workplace innovation

Page 5:

Top Ten: State CIO Priorities for 2017

1. Security
2. Consolidation/Optimization
3. Cloud Services
4. Budget and Cost Control
5. Legacy Modernization
6. Enterprise IT Governance
7. Data Management and Analytics
8. Enterprise Vision and Roadmap for IT
9. Agile and Incremental Software Delivery
10. Broadband/Wireless Connectivity

Source: NASCIO State CIO ranking, November 2016

Page 6:

Rationale for IT Consolidation & Unification

Reduce diversity and complexity of environment – cost savings

Economies of scale – reduce operational costs

Strengthen IT security: enterprise visibility

Promote enterprise integration and applications

Introduce process standards: ITIL and ITSM

Improved support for legacy systems

Centralize infrastructure maintenance and upgrades

Improve disaster recovery/business continuity

Reinvestment of spend to service delivery

Page 7:

State Governments at Risk! States are attractive targets – data!

More aggressive threats – organized crime, ransomware, hacktivism

Nation state attacks

Critical infrastructure protection: disruption

Insider threats – employees, contractors

Data and services on the move: cloud and mobile

Need for continuous training, awareness

Page 8:

Complexity of state government with many agencies that collect and hold a wide variety of personal information

Legal mandates requiring the retention of certain types of information

Patchwork of state laws governing privacy on a sector-specific basis

Increasing need for cross-referencing and data integration across agencies

Pervasive use of technology

Tech-savvy state employees and contractors

One of the major factors unique to government is the inherent openness that is expected of government at all levels. This has created the challenge of balancing that expectation of openness and transparency with the need to protect the privacy of personal or sensitive data.

Page 9:

Top cyber threats across state government

Emerging trends

Page 10:

Cyber Disruption: Impacting State Services

“State governments and the critical infrastructure within the state are at risk from a cybersecurity attack that could disrupt the normal operations of government and impact citizens.”

Source: NASCIO. This project was supported by Grant No. 2010-DJ-BX-K046 awarded by the Bureau of Justice Assistance.

Page 11:

Business Risks

Page 12:

Who’s Responsible for Protecting State Data?

Chief Information Officers

Information Security Officers

Agency Leaders

Data Owners

Employees

Human Resources

Legal Departments

Third Party Contractors

Elected Officials

Page 13:

Unfortunately, state officials are often looking at their security incidents in a rear-view mirror. After the incident…

Page 14:

Cybersecurity involves more than just IT – it’s a team sport.

Protecting data and infrastructure is a core responsibility of state government entities and an investment in risk management.

It’s a complex ecosystem that requires a roadmap.

Page 15:

The Human Factor

Page 16:

63 percent of confirmed data breaches involve using weak, default or stolen passwords

‘Miscellaneous errors’ take the No. 1 spot for security incidents - humans!

Basic defenses continue to be sorely lacking in many organizations

Page 17:

“Humans are the most vulnerable point of any information system,” Mr. Wynne said, adding that the vast majority of cyberattacks use social engineering, such as phishing, to trick employees into taking actions detrimental to the company. “The education aspect is a critical component because it increases employee resilience to social engineering,” he said.

Page 18:

Page 19:

Creating a “Culture of Risk Awareness”

Source: Chief Information Security Officer, Commonwealth of Pennsylvania, 2017

Page 20:

Key takeaways #1: Governor-level awareness is on the rise

Source: Deloitte-NASCIO 2016 Cybersecurity Study

Page 21:

How often is the topic of cybersecurity presented or discussed at your agency/office executive leadership meetings?

#1: Governor-level awareness is on the rise

Key takeaways

Page 22:

Key takeaways #2: Cybersecurity is becoming part of the fabric of government operations

Page 23:

Top five cybersecurity initiatives for 2016

#2: Cybersecurity is becoming part of the fabric of government operations

Key takeaways

Page 24:

Source: NASCIO 2017 State CIO Survey

Page 25:

Top five barriers in addressing cybersecurity challenges

#3: A formal strategy can lead to more resources

Key takeaways

Page 26:

Key takeaways #3: A formal strategy can lead to more resources

Page 27:

“…managing cyber risks can provide a competitive advantage for Connecticut businesses, a more secure living environment for Connecticut residents and better stewardship of information and services by Connecticut state and local governments…”

- Connecticut Cybersecurity Strategy, 2017

Source: State of Connecticut, 2017

Page 28:

State of Illinois

Key Objectives of Goal 4:

• Establish the Enterprise Information & Cyber Security Program

• Embrace a Common Cybersecurity Framework

• Enact Effective Enterprise-Wide Security Policies

• Improve Security through Transformation

Source: State of Illinois, 2017

Page 29:

Cybersecurity Maturity in the States is Improving

Risk Based Strategies are Being Adopted

Source: NASCIO 2017 State CIO Survey

Page 30:

“Data classification is the exercise required to categorize data according to its value and sensitivity. Until a state has its data classified, there is no way to adequately protect it, or even to understand how much protection is adequate.”

Data is the currency of state government.

Data is at risk.

Page 31:


Which is most important in managing data security? (audience poll)

The best technology: 0%

Experienced people: 21%

Proven processes: 29%

Classifying your data: 50%

Page 32:

Use a Risk-Based Strategy and Take Action

Develop a strategy to protect data. Use the NIST Cybersecurity Framework as a roadmap

Conduct a risk assessment and allocate resources accordingly. Where is your data? How would you classify the data in terms of risk?

Implement continuous vulnerability and threat mitigation practices

Limit data collection, control access, consider data loss prevention

Create a culture of risk awareness. Educate and test employees

Page 33:

The Talent Crisis


Page 34:

There is a shortage of qualified cyber-workers

1.5M cybersecurity workforce shortage by 2020

The shortage stems from a variety of factors, such as:
– high experience requirements;
– an aging security workforce;
– a lack of interest from high schoolers, technical school and college-level students

Source: Chief Information Security Officer, State of Georgia, 2017

Page 35:

Top three human resources factors that negatively impact the CISO’s ability to develop, support, and maintain cybersecurity workforce

Talent crisis continues

Page 36:

Top three factors that CISOs employ to attract and retain cybersecurity talent

Talent crisis continues

Page 37:

State IT Workforce

Page 38:

Source: NASCIO 2017 State CIO Survey

Page 39:

Michigan Cyber Civilian Corps (MiC3)

Trained cyber professionals who volunteer to provide expert assistance in times of cyber emergency

Currently there are 63 members. Michigan plans to increase membership to 200 volunteers by the end of 2018.

2017

Page 40:

What Do We Know? Patterns of Success

Enterprise Leadership and Governance

Statewide Cybersecurity Framework & Controls

Cybersecurity Culture: A Team Sport

Know the Risks, Assess the Risks, Measure

Communicating the Risks: Training

Invest: Deploy Security Technologies

Page 41:

Looking Forward… Action Needed

States must organize for success – think enterprise

Threat information sharing is essential

Focus on detection and response planning

Invest in continuous awareness and training

Collaborate on a cyber disruption plan

Talent pipeline: advocate for cybersecurity degrees

Emerging technologies: threats and opportunities

Crisis communication… you will be breached!

Page 42:

NASCIO’s Cybersecurity Call to Action: Key Questions for State Leaders

Does your state government support a “culture of information security” with a governance structure of state leadership and all key stakeholders?

Has your state conducted a risk assessment? Is data classified by risk? Critical infrastructure reviewed? Are security metrics available?

Has your state implemented an enterprise cybersecurity framework that includes policies, control objectives, practices, standards, and compliance? Is the NIST Cybersecurity Framework a foundation?

Has your state invested in enterprise solutions that provide continuous cyber threat detection, mitigation and vulnerability management? Has the state deployed advanced cyber threat analytics?

Have state employees and contractors been trained for their roles and responsibilities in protecting the state’s assets?

Does your state have a cyber disruption response plan? A crisis communication plan focused on cybersecurity incidents?

Page 43: