State cyber organizations provide good ROI, UC Berkeley researchers find
When attempting to pry funding from state coffers for new cybersecurity programs, officials most frequently resort to advertising a (perhaps well-justified) fear of being associated with the next big disruptive and expensive cyberattack. But one underappreciated strategy, said Grace Menna, a senior fellow at UC Berkeley’s Center for Long-Term Cybersecurity, is selling the financial upside to spending on cyber.
A guidebook published Tuesday catalogs Menna’s thoroughgoing project to compare the various state-led and community-led cybersecurity efforts that have grown more common in recent years, particularly under an administration that’s encouraged states to wean themselves off of federal support. One of the guidebook’s key findings is that cybersecurity programs are frequently sound investments: Regional security operations centers (found in Arizona, Louisiana, Oregon, Texas and South Carolina) generate between $1.1 million and $2.6 million in annual economic value, cyber clinics (found in more than half of the states) are worth up to $150,000 annually and state cyber corps (found in Louisiana, Maryland, Michigan, Ohio, Texas and Wisconsin) generate between $1.4 million and $7.5 million in economic value each year.
Menna, whose team spent six months researching and interviewing cybersecurity officials and volunteers from around the country, with the aim of compiling an authoritative “centralized resource” on state cyber programs, said “the ROI piece is really key to this equation.” She said “the idea is to get hard numbers in front of state legislators and governors and state policymakers that are having a hard time getting this across, essentially moving the conversation away from a risk conversation to a financial conversation.”
The new publication is timely. State chief information officers this year reported sinking levels of confidence in their ability to protect government data stores against AI-enhanced attacks, while increasingly operating with stagnant or slumping budgets. As attested by several state technology officials at a conference last week, getting support for cyber projects often boils down to salesmanship. Michael Watson, Virginia’s chief information officer, said that when trying to get support for cybersecurity projects, he tries to figure out “that one thing” that a given official or agency cares most about. In her publication, Menna suggests that a universally persuasive argument might be found in economic impact.
One state cyber corps that responded to the Center for Long-Term Cybersecurity survey estimated that an annual budget of $1.15 million led to $20.1 million of “total service value,” including incident response and preventative services, spread over four years. Not every cyber corps performs that well, but Menna pointed out that getting a 747% return on investment is an excellent value, one worth pursuing: “that’s startup-level returns.”
The various cybersecurity programs under examination in the guidebook are relatively new, with the oldest among them just more than a decade old. There are brief reviews of the new Texas Cyber Command, a $135 million project still finding its footing, the Wisconsin Cyber Response Team, a volunteer group created in 2015, and New Jersey’s Cybersecurity and Communication Integration Cell, which in 2015 became the nation’s first state-run cyber fusion center. Each cybersecurity organization arises to serve a unique combination of needs for its place and time, and the report points out that some types of organizations excel where others just get by — clinics are more effective for growing the cybersecurity workforce, while cyber corps are better at defense, for instance — and that they’re meant to work in concert.
Menna said although such groups can provide services to government at much more affordable rates than managed security service providers, her advocacy for such organizations isn’t to displace providers — “we need more MSSPs” — but to highlight the federated aspect of cybersecurity and the imperative for states to diversify their organizational holdings. The report provides the analogy of cyberattack as structure fire, in which the RSOC is the smoke alarm, the cyber clinic is the maintenance crew and the cyber corps is the volunteer fire department. If alert systems are funded, but emergency responders are not, “the building burns down.”
State officials have in recent years widened the circle of their cyber concerns. The natural interdependence of IT systems was steadily fueling a trend later accelerated by the State and Local Cybersecurity Grant Program, a $1 billion tranche of funding that in 2022 encouraged states to take a broader view of security. Officials have begun viewing all cybersecurity happenings within their states’ geographic borders as at least tangentially related to their jobs. This includes agencies on the periphery of the public sector — county utility offices, fire houses and elementary schools — but also all the organizations providing services to the public that aren’t part of government — hospitals, small businesses and nonprofits. Many of these, Menna writes, sit below the “cyber poverty line,” “target-rich, resource-poor” organizations that are “uniquely vulnerable to disruption.”
Menna said one source interviewed for the guidebook remarked that “in the last two months they’ve had more calls for service than they’ve ever had before.” It was only an anecdote, she pointed out, but it could be a representative one these days — “folks that are running these programs are underwater.”