Non-technology solutions to achieving 20/20 cybersecurity vision

For state government organizations searching for enhanced cybersecurity visibility, technology alone cannot fill the gaps.

On the latest episode of StateScoop’s “Priorities” series, experts from North Carolina, Minnesota and RSA Security spoke about the ongoing effort to gain more visibility of potential cybersecurity vulnerabilities across the state IT enterprise.

“I think it’s fundamental to the practice to recognize and understand that security is not a one and done,” Robert Myles, RSA Security’s business development manager for state and local government and education, says on the episode. “Technology’s not a panacea. It doesn’t really fix all the issues that are out there. It’s an enablement process that we can add on to the core practices they’ve already established and got set up.”

Indeed, Maria Thompson, North Carolina’s chief risk officer, says visibility is one of her top priorities — and it has been since she came to state government nearly two years ago.

“We’re working toward that,” Thompson says. “The key thing that I’ve been focusing on is building relationships with the executive agencies, legislative agencies, judicial agencies so that we can get that visibility.”

In Minnesota, Chris Buse — the state’s chief information security officer — says visibility is one piece of “four main themes” that form the basis of the state’s enterprise security programs, as outlined by his state’s strategic plan.

“Those documents bring together our strategic program,” Buse says. “We update them annually and we’re always trying to have a five year vision of the future, and that outlines the 18 core strategies now within those four themes that our state is hoping to achieve right now.”

Cybersecurity has risen to prominence in recent years and shows little sign of relenting. On the National Association of State Chief Information Officers’ annual top 10 priority list, cybersecurity has taken the top slot annually since 2014, and has been in the top seven since the creation of the Top 10 list in 2006.

On the podcast:

• Chris Buse, chief information security officer, Minnesota
• Maria Thompson, chief risk officer, North Carolina
• Robert Myles, SLED business development manager, RSA Security

Things to watch for:

• In Minnesota, Buse and his team look to their strategic plan to outline where the state is now and chart a course forward toward where the state should be. The plan addresses technical challenges and other problems like culture and staffing.
• States like Minnesota and North Carolina are “in the same boat” with challenges when it comes to budget, Thompson says, but in addition, one of the biggest challenges facing state cybersecurity operations is recruiting and retaining a cybersecurity workforce.
• Thompson is looking across the North Carolina state government landscape and hoping to obtain appropriated funds that can enable her and her team to establish a baseline cybersecurity tool that will help standardize the approach across all agencies.
• In Minnesota, visibility across agencies themselves isn’t necessarily the biggest challenge — instead, the challenge is for the state IT agency to have visibility across agencies 24/7/365.
• State and local governments around the country that are looking to gain more visibility across their enterprise should look at consolidation as a possible venue, Myles says. Consolidation can help cut down on duplicate networks, and streamline operations and reduce the amount of what needs to be monitored.

Priorities is StateScoop’s regular podcast that examines the leading strategies, technologies and challenges that state CIOs expect to face this year. This episode of Priorities was sponsored by RSA Security.

In addition to listening to Priorities on StateScoop.com, you can now subscribe to the podcast on iTunes and have episodes delivered directly to your podcasts app on your smartphone when they are released.