Whether it’s identifying a malicious virus, delivering a tactical response or unlocking critical funding, Oklahoma CIO Bo Reese says effective cybersecurity demands strong communication.
Reese and Andre McGregor, director of security at cybersecurity firm Tanium, stressed the talking point in an informal discussion at the National Association of State Chief Information Officers midyear conference Tuesday. Reese said that while it’s seemingly obvious, communication in cybersecurity should not be overlooked and requires a high degree of critical thinking. He used Oklahoma’s Cyber Correlation Platform as evidence.
The system was developed after state legislators moved to consolidate all agency cybersecurity operations into the state’s IT department. This meant doing a software security inventory of 77 agencies and communicating their gamut of intrusion warnings, virus alerts and network monitoring reports through a single system.
“Even though we have state standards on how we use everything, we couldn’t go out and replace all of it — we had to figure out how to use what we had,” Reese said. “That’s what drove the need for this system, to be able to correlate all that information coming in and be able to respond quickly.”
The kind of platform to funnel data from different brands of cybersecurity tools didn’t exist at the time these efforts began and still doesn’t, Reese said — largely because of the proprietary nature of security solutions — but to make this communication possible the state had to create its own system that could interpret the data.
And now, Reese said the platform is currently being considered by other states.
Beyond reliable tools, McGregor said experience working with government has also shown that staffing gaps, or simple inattention from employees overwhelmed with too many emails, can create cybersecurity communication problems even where none existed before.
He recalled an instance where an assessment of a client’s systems showed a major vulnerability and no IT staff was available to interpret the notification. The scenario showed how a simple lack of basic security training resulted in major breaches by frontline staff, and how an agency improperly dismissed warnings from a technologist, only to learn later that the issue had turned up in a national magazine.
“The point of these stories is that availability sometimes trumps security,” McGregor said.
In Oklahoma, Reese said there was a similar issue in which a college student had alerted IT staff of an issue that was quickly fixed, but the lack of a response confirming the fix sent the student to the local newspapers to report the vulnerability. Instituting careful communication protocols, Reese said, is a best practice that has become critical considering today’s threats.
And both experts emphasized that for results, dollars matter. McGregor highlighted state education and health care agencies as common industries affected by cyberattacks because of their low investment in technology. To garner support for such endeavors, Reese said it was necessary for state CIOs and other government IT leaders to make a strong business case using tangible examples.
“These things are going to come up, they’re going to cross your mind, you’re going to have to deal with them and as we’re trying to go back and get support from our state leadership for dollars you have to create the business case.” Reese said. “I think one of the best ways to do that is to be able to tell real stories. Things that have happened in your state, things other states have dealt with, things that are happening at the federal level. Those are real stories. Things you have to articulate to those who don’t understand the bit and bytes and realities of cyberthreats.”