State

The pandemic exposed cybersecurity shortcomings, NASCIO study finds

Statewide CISOs have become more visible during COVID-19, but despite some achievements, many hurdles remain, especially when it comes to funding.

By Benjamin Freed

October 14, 2020

(Getty Images)

Like their CIO colleagues, state chief information security officers have faced no shortage of new and sudden challenges during the COVID-19 pandemic, according to the results of a biennial survey released Wednesday by the National Association of State Chief Information Officers.

For the past seven months, state CISOs have moved quickly to ensure their state government workforces can work remotely without sacrificing network security. They expanded the use of VPNs, firewalls and multi-factor authentication and responded to widespread financial fraud targeting overworked unemployment benefits systems. Meanwhile, other familiar cybersecurity issues have not subsided, including the pernicious threat of ransomware and a nagging lack of funding that’s only heightened the appetite for increased federal support.

“CISOs rose to the challenge, working closely with their state IT departments to balance cybersecurity risks and business continuity,” reads the report, which was compiled by NASCIO and Deloitte. “While the pandemic has highlighted the resilience of CISOs, it has also brought to light some long-standing challenges facing state IT and cybersecurity.”

Centralization popular, but still not the norm

Similar to the annual chief information officer survey NASCIO released Tuesday that highlighted the growing role of CIOs in state government, the cybersecurity report found that state CISOs’ prominence also grew in the health crisis. And that creates an opportunity for CISOs to press the case for cybersecurity’s importance in government, said Meredith Ward, NASCIO’s policy and research director and one of the report’s authors.

“If anything positive can come out of the pandemic, it’s increased focus and attention,” she told StateScoop.

She added that current CISOs largely agreed that treating cybersecurity as centralized function, rather than a federated one spread across agencies, brings many advantages. According to a survey of 51 state and territorial CISOs, though, half of NASCIO’s member governments still take federated approaches to information security. Centralized governance, the report argues, would help states with cybersecurity staffing, the adoption of good cyber hygiene practices and implementation of new tools and procedures.

The report also endorses further collaboration between state governments and their localities, in hopes of further fostering the “whole-of-state” approach — in which all state and local agencies with roles in business operations, public safety and emergency management collaborate on cybersecurity — that groups like NASCIO and the National Governors Association have been promoting for the past few years. But progress on that front has been slower than desired, with only 34% of CISOs reporting “extensive collaboration” with their local counterparts.

“Even low-hanging fruit like cyber awareness training, not many states are offering it to local government yet,” said Srini Subramanian, a Deloitte principal and Ward’s co-author. “The challenge is how to transcend across the governance model. We should maybe highlight this even more and continue to get behind it. Most of the CISOs said they gave limited collaboration with the local agencies, and not many of them are talking about extending the capabilities states have.”

‘Side by side’ with CIOs

Still, CISOs’ responses to the pandemic has shown tangible improvements, especially in securing video-conferencing and collaboration software and implementing stronger identity and access management policies, like multi-factor authentication.

Identity management also skyrocketed on CISOs’ priorities in the survey, jumping from No. 11 in the last report, published in 2018, to No. 2, trailing only risk assessments, which stayed at the top of the list this year.

Yet the newfound passion for broader IAM policies hasn’t manifested itself — just 15 states have enterprise IAM solutions that cover all executive-branch agencies, the report found.

Another area where CISOs have made strides is getting involved with legacy modernization efforts, which, like identity management, were accelerated by the pandemic, especially as states had to rapidly overhaul unemployment systems that were targeted early by scammers filing phony claims. Subramanian said those incidents make the case that CISOs should be at the forefront of states’ technology modernization agendas alongside CIOs, and indeed, the survey backs that up: When asked what the greatest barriers were to overcoming cybersecurity challenges, CISOs placed legacy modernization third, behind only budgets and staffing.

“CISOs must be at the forefront of the tech modernization,” he said. “Not just CIOs. They should be side by side.”

‘States desperately need it’

But it’s the funding issue that remains most pressing.

“Any CISO you talk to is going to say they need more money for cybersecurity,” Ward said.

The NASCIO report makes frequent mention of the need for dedicated cybersecurity funding from the federal government, an issue the group made its top legislative priority at the start of the year, but on which it’s made only incremental progress. While the House of Representatives last month passed a bill that would create a $400 million annual grant program, its prospects in the Senate appear dim. Still, House approval alone is an improvement, Ward said.

“If you had asked me seven or eight years ago, I would’ve said it would never happen,” she said. “But now with what states are asked to do: be agents of the federal government, protect federal data? States desperately need it. We really wanted to call it out.”

Yet funding issues trickle down to the statehouses. NASCIO’s 2018 cybersecurity report found that, on average, states only committed 1-2% of their overall IT budgets to cybersecurity, and few had dedicated line items for cyber in their budgets. In 2020, the average budget share is still less than 3%, and just 36% of states have dedicated cybersecurity appropriations.

Subramanian said CISOs should point to instances of pandemic unemployment fraud as evidence as they ask for bigger budgets and greater resources.

“While the risk of data loss and citizen trust is always a concern, hundreds of millions of dollars in fraud always gets immediate attention,” he said.

Despite the many ongoing challenges, though, Ward said that between 2019 — a year dominated by ransomware attacks — and the responses demanded by the 2020 pandemic, cybersecurity chiefs are becoming more visible to their states’ leaders.

“With CISOs, the progress I’ve seen is that government as a whole is a little more hip to cybersecurity,” she said. “We hear anecdotes about CISOs and CIOs being able to get through to their leaders. I do think things are getting better.”