CISOs make a case for more state-local cybersecurity collaboration

Collaboration across jurisdictional boundaries is critical for hardening the cybersecurity defenses of state and local governments, two state technology officials said on the latest episode of StateScoop’s Priorities podcast.

Maria Thompson, chief risk officer for North Carolina, said her state has boosted its level of collaboration between state agencies and between the state and local governments within the past several years. The “whole-of-state” cybersecurity approach sends a message that organizations everywhere should heed, she said.

“We want to make sure that we are here to support [local agencies], because we are all struggling with the same things, meaning the same issues as it comes to being under-resourced,” Thompson said. 

She said the state is doing more to evaluate the cybersecurity postures of local government organizations and bolster their resources where it’s needed, whether they’re short on staffing, knowledge, tools or the latest threat information. Working with local governments is essential for states, she said, because it fits into a broader agenda of unified defense.

“Sharing those indicators of compromise, showing those attacks that are coming toward your organization so that we as a whole can better protect ourselves, that is the only way that we are doing to be able to move the needle when it comes to cybersecurity,” Thompson said. “We need to know what is happening and ways in which we can better protect ourselves as a whole, regardless of what your cyber maturity is.”

Pennsylvania Chief Information Security Officer Erik Avakian, who wrapped up a National Governors Association workshop series targeting critical infrastructure defense on Oct. 16, said “collaboration” was the key word during those events.

“Cybersecurity, as we all know, in many of our local governments on down may not have the same capabilities or the same available resources to them as folks at the state level, and I think one of the things we’ve focused highly on is relationship building and branching out,” he said.

Avakian said those meetings helped everyone who attended — which included officials from organizations in Colorado, Michigan, Mississippi, New York, Oregon, Pennsylvania and Tennessee — break out of the “silo of state government.”

“The fun of building relationships and working with others outside is everyone has the same challenges,” Avakian said. “You learn from each other.”

In Pennsylvania, too, Avakian said the state has spent recent years putting more effort into a program designed to share its cybersecurity resources with local governments. Rather than simply making it available, though, he said state officials first surveyed the local governments to understand their business needs to ensure the cybersecurity services they offered would be welcomed. Because of that work the program was received well, he said, and everyone who participates saves on costs through economy of scale — and identifies new ways to improve government’s digital fence.

“We’ve actually done exercises at the state level that some of the counties had put into place because they had great ideas,” Avakian said. “But the beauty of putting together these types of shared services is that it gets people working together across different areas. People get to learn from each other and you start formulating and building relationships and really nurturing those relationships.”

On this episode:

• Maria Thompson, chief risk officer, North Carolina
• Erik Avakian, chief information security officer, Pennsylvania
• Colin Wood, managing editor, StateScoop

Things to listen for:

• Thompson explained how North Carolina’s “whole-of-state” approach to cybersecurity operates.
• North Carolina uses various local government organizations, like the North Carolina Local Government Information Systems Association, to build relationships and bolster cybersecurity.
• Budget is a “critical” concern for North Carolina’s cybersecurity planning, Thompson said.
• The “looming silver tsunami,” an upcoming exodus of critical technology employees, could be ameliorated by new workforce programs, Thompson said.
• Avakian shared some of the takeaways from the recent NGA workshops, such as the importance of breaking out of the “silo of state government.”
• Pennsylvania is doing more with data analytics to guide its decisions on cybersecurity and policy generally, Avakian said. 

Listen to archived episodes of Priorities from Season 5 (2020),  Season 4 (2019), Season 3 (2018), Season 2 (2017) and Season 1 (2016). Catch all of StateScoop’s podcasts on Soundcloud, Apple Podcasts, Spotify, Google Play, Stitcher or Alexa’s TuneIn.