State government’s pre-pandemic cybersecurity models weren’t well-suited for the new working environments that were widely adopted this year, but unprecedented levels of collaboration across government and industry, combined with a few on-the-fly operational tweaks, have proven effective, two state chief information security officers told StateScoop on the latest episode of the Priorities podcast.
In California, acting CISO Vitaliy Panych said the pandemic forced him to reconsider the risk-assessment model used to evaluate the 140 state agencies and offices he’s responsible for protecting.
“We have to be more on a continuous model instead of a point-in-time test,” Panych said. “Sure, in a pre-pandemic environment that may be adequate enough, but in my opinion it was not really. We have to become more continuous in actually having a lens in how departments are increasing their cybersecurity maturity and increasing their attack threat landscape or decreasing it, because that’s obviously moving way faster than we used to operate on a traditional cycle.”
Washington CISO Vinod Brahmapuram warned that while the speed of state government’s operations may have increased during the pandemic, the threat level remains the same or greater, necessitating greater vigilance by technology officials.
“What we are going to see is certainly there’s going to be a shift in new applications, new services that are getting stood up within agencies, and those services also have to go through a very careful review of cybersecurity, because we do not want to undercut security,” Brahmapuram said. “We do not want to invite more trouble.”
Allan Wong, an executive with the software company Tenable, who also joined the podcast, said the rising number of cyberattacks seen nationally should encourage state technology officials to prioritize cybersecurity now more than ever.
“Unfortunately, the bad actors today are not taking a sabbatical because of this pandemic,” Wong said. “In fact, they’ve become more active and there’s an uptick in attacks and phishing attacks and scams.”
Though state technology offices have in recent months handled much larger workloads as they’ve shifted thousands of staff to remote-work environments and assisted agencies fielding avalanches of requests for health advice and unemployment insurance, the state CISOs said their capacity has been boosted by partnerships across agencies, as well as with other levels of government and the private sector.
“We relentlessly communicated on a very frequent basis, almost on a daily basis,” Brahmapuram said of his communications with other agencies inside the state government after the pandemic began. “So for the first almost two to three months, I would have a call with the CISOs of all agencies, really to share information. That also highlighted how important and how hungry everyone was for information.”
Panych said the pandemic has also fueled collaboration in California as vendors have approached the state and provided pro-bono services, noting that this assistance made him feel as if his team “grew by a factor of 100.” But that useful resource has also generated an additional concern, he said.
“We are establishing new relationships, new business relationships almost literally on an hourly basis, so managing the integration and the trust between those relationships kind of becomes super important in managing risk,” he said.
As states face billions in budget shortfalls, the CISOs said cybersecurity remains well-funded and supported by their governors.
“California Gov. [Gavin] Newsom just signed the state budget act earlier in the week,” Panych said. “With that carries a statewide centralized cybersecurity incident response team, which will have a broader scope beyond just state executive branch entities, but also organizations at the local level, the county, the city level, and at the academic level as well, so this fiscal year we are seeing a net increase in cybersecurity funding and support.”
Certain IT funding models, though, could threaten cybersecurity initiatives. And general declines in state revenue could have knock-on effects that are already concerning security officials.
“When organizations have to make some tough choices, for example they may not be able to hire as many people as they want, or organizations might face a challenge from not being able to sunset some systems that are probably aging, getting close to end of life, that is what gets me a little concerned, because when funding is a challenge for some of those transformations, those components have a direct bearing on cybersecurity, as well,” he said.
On the podcast:
- Vitaliy Panych, acting CISO, California
- Vinod Brahmapuram, CISO, Washington
- Allan Wong, director of U.S. public sector, Tenable
- Colin Wood, managing editor, StateScoop
Things to listen for:
- California recently created a new statewide centralized cybersecurity incident response team.
- In Washington, the adjustments during the pandemic have been subtle because the state has had a telework policy for two years and many employees were familiar with working from home.
- California is exploring crowd-sourced models for managing its cybersecurity risk.
- Organizations like the National Association of State Chief Information Officers have proven invaluable to Washington state, where Brahmapuram said he’s sharing the group’s updates in his internal CISO meetings.
- Brahmapuram concludes the episode by saying: “If this pandemic is going to leave us with one big thing, it is that four-letter word that is T-E-L-E.”
This episode of Priorities is sponsored by Tenable.