For funding, Colorado cybersecurity chief says strategy first

Despite increasing alarm about cyberattacks in government, many states are still struggling to boost spending on basic cybersecurity programs. Colorado’s chief information security officer says it’s possible to turn things around quickly, though.

The state hired Debbi Blyth as CISO in 2014, and with support from leadership at Colorado’s Office of Information Technology (OIT) she helped transform the state’s bare-bones cybersecurity budget into a $9.6 million threat detection and prevention program with tools spread across departments. 

She did this by tackling one of the state’s key challenges: Colorado’s cybersecurity budget at the time only amounted to $6,000 — a figure that reflected hesitancy by state leaders to invest in a fairly uncharted category of infrastructure. Even if they understood the need to fix the government’s weaknesses, they were undecided on where to start.

Like many governments today, Colorado had not articulated a specific strategy for cybersecurity. It didn’t have concrete goals or the tools to track progress. Blyth, who had been hired away from the outsourcing company Teletech, saw these gaps and went to work on a blueprint.

“Having a cyber security plan in place and approved by the leadership within any organization is really critical for any entity to make any cybersecurity improvement whatsoever,” Blyth said.

Planning means progress

A 2016 survey of state CISOs by Deloitte and the National Association of State Chief Information Officers (NASCIO) showed that while 80 percent of respondents point to insufficient funding as the biggest barrier for cybersecurity, there is a direct correlation between low budgets and the absence of an approved strategy. States that have a cybersecurity strategy that is approved by their administrations demonstrated a significantly higher probability to have more full-time cybersecurity staff, higher skilled workers and yearly budget increases.

Blyth said her experience mirrored those findings. Instead of conjuring up her own strategy, submitting it to the legislature and praying it earned approvals, Blyth took to the challenge by leveraging inside and outside expertise. She turned to Colorado’s information security advisory board in 2015 , seeking input from the board’s diverse makeup of 32 government, academic and private sector cybersecurity experts. The intent was to refresh Secure Colorado, the state’s security strategy, with an updated action plan that was worthy enough to merit greater investment. Blyth’s predecessor Jonathan Trull had shared this vision when he and the advisory board organized Secure Colorado in 2012.

The effort produced a seismic shift in how Colorado handles its digital security and set a new precedent in funding, with appropriations exponentially enhanced for the 2016 to 2018 budget.

“It was just so helpful to be able to vet the program through that group of well-esteemed individuals so that when I took my strategy proposal to the legislature, and the joint budget committee, I could say, ‘Here’s my budget request, here is the specific plan, and here’s what I intend to do with with it,'” Blyth said. “These advisory board members helped us to review the strategy, promote it to lawmakers, and they gave independent credence to it.”

The budget for cybersecurity is now at 3 percent of the state’s total IT spending, at $350 million, and has placed the Colorado cybersecurity budget within the top 20 percent of states in terms of spending. Democratic Gov. John Hickenlooper fully endorses the measures and has offered more support as the state constructs a a National Cybersecurity Center (NCC) in Colorado Springs, which will serve as a hub for cybersecurity education and response.

Hitting targets

More impressive than funding tactics or initiatives are the outcomes that Colorado has achieved with its new resources. Blyth said that the state has lowered its digital risk index — an industry assessment rating by McAfee software —  it went down 48 percent in just two years to a McAfee Risk Score of 11.  The lower the Risk Score the better. The index measures the threat potential based on the overall levels cybersecurity for system configurations, security controls, data assets and other indicators of vulnerability. Colorado’s score is better than the ratings of some banks — 20 is considered a desired goal in the financial sector.

In the last two years, Colorado has also been able to increase its deployment of cybersecurity tools to departments, coverage from 70 percent of its systems, software and devices to 98 percent. On average, Colorado defends itself from 8.4 million security incidents per day. 

Speaking about some of this technology, Colorado Chief Technology Officer David McCurdy said the strategy and tools have have reshaped digital protection.

“The state made a pretty big investment and with Secure Colorado to go to modern, more intelligent firewalls. So we’re looking for traffic, trends, we learning from other partners and other customers and applying them in real time to our network.” McCurdy said.

In 2017, Blyth and McCurdy said cybersecurity teams are hoping to bring their risk index score under 10 percent while they continue to monitor progress in agencies with quarterly report cards detailing gaps and next improvements. The targeted cybersecurity budget is expected to be 5 percent to 7 percent of the state’s total IT spending. To those in other states looking to replicate results, McCurdy also advised to start small and then go bigger.

“Secure Colorado has always been intended as a long-term plan and it helped that we didn’t ask for all the money up front. What we did was ask for funding in the areas of the highest need, then showed the legislature what we could do.” McCurdy said. “I think they liked what they saw.”