ORLANDO, Fla. — The idea of cybersecurity as “everyone’s responsibility” is gaining traction, but states still have a lot of work to do, according to state IT leaders in a new survey.
In the 2016 survey of state chief information security officers released by the National Association of State Chief Information Officers and Deloitte at the association’s annual conference, 49 state CIOs reported that governor-level awareness of cybersecurity is on the rise, but states face difficulties when it comes to cyber budgets and workforce.
“There continue to be challenges with proper funding and finding qualified talent,” Darryl Ackley, NASCIO’s 2015-2016 president, said about the findings prior to their release. “But the good news is that we are seeing positive indications that state CISOs and CIOs are having an impact as communication and collaboration among government is increasing.”
In the survey, states reported a 15 percent increase in monthly meetings with executive leadership around cybersecurity — showing that cybersecurity is “a more frequent topic of discussion at state executive leadership meetings,” according to the survey.
Indeed, a 2016 analysis by StateScoop reported that governors are increasingly forming cybersecurity task forces or committees to study how to maximize cybersecurity opportunities — though questions do remain about how effective those groups are.
“If you don’t invest in security upfront, you’re going to pay for it in the end and nobody wins,” said Washington state Chief Information Security Officer Agnes Kirk, during a panel discussion on the study’s findings at the NASCIO conference today.
“I think it’s significant that the federal government has increased its cyber budget by more than 30 percent [in fiscal year 2017 over fiscal 2016] — there has to be a reason for that,” she said.
Despite the increased executive focus on cyber, survey respondents reported a “confidence gap” between how confident state cybersecurity officials are in their ability to respond to threats and how confident their leadership feels.
“Two-thirds of state officials say they are very or extremely confident that adequate measures are in place to protect information assets from externally originating cyberthreats, compared with only a quarter of CISOs,” the survey said.
The survey recommended officials take a different approach when attempting to communicate the severity of those cyberthreats to officials.
Even with that confidence gap, however, the survey did report that cybersecurity has become part of the “fabric of government operations,” although Connecticut CIO Mark Raymond, who moderated the panel, quipped that conditions may resemble more of “quilt than fabric.”
One piece of evidence suggesting it is more of the latter was found in survey results showing how well established the CISO’s role has become in state government, according to the study.
“For the first time, all respondents report having an enterprise level CISO position, an indication that states consider protecting information assets — including citizen data — from cyberthreats to be an important government responsibility.”
The survey also called on CISOs, CIOs and other officials to continue the work on a more formal strategy that could help attract more resources for cybersecurity in their state — even though NASCIO’s annual state CIO survey reported that 94 percent of states now have a cybersecurity framework in place.
Even though states have made progress in integrating cybersecurity as a top actionable priority, funding still remains a tough issue for states to tackle.
Between 2014 and 2016, 9 percent more respondents reported that their states spent three to five percent of their overall IT budget on cybersecurity alone.
“Lack of sufficient funding remained the most significant challenge for CISOs in 2016,” the survey said. “The majority of respondents continue to indicate that their cybersecurity budgets are beyond zero and two percent of their state’s overall IT budget.”
“You have to call it ‘cyber’ to get funding,” said Indiana state CISO Tad Stahl. “Calling it ‘information security’ won’t get you there,” he said, only half-jokingly.
He warned, however, that state and IT leaders “have to look hard at what you’re putting in place to maintain the public trust, because you can lose it so quickly.”
The upside for states with a more cohesive cybersecurity strategy is how it helps with recruiting talent and securing more budget support, according to Srini Subramanian, principal at Deloitte, and lead author of the study.
“States with approved strategies are having more success getting full-time employees and budgets,” Subramanian said.
According to the survey, 16 out of 33 states with an approved strategy reported they had an increase in budget and 11 of those states reported they have more than 15 full-time employees dedicated to cybersecurity.
In contrast, among states without an approved cybersecurity strategy, only five saw an increase in their cybersecurity budget and only one had more than 15 full-time cybersecurity employees.
Wyatt Kash contributed to this report.