How states are using data to manage cybersecurity risk

States are increasingly using data to improve how they address their biggest problems, including their biggest problem: managing cybersecurity risk.

On StateScoop’s Priorities podcast, West Virginia Chief Technology Officer Joshua Spence outlines the state’s recent efforts to prioritize its cyber risk, a project that begins with an understanding that the job of government IT security officials is never complete.

“Pretend I’m the fire marshal and ask me if the building’s fireproof,” Spence says. “Most people, immediately the light bulb goes on and recognizes the risk does not justify the cost of making buildings fireproof, but the risk of fire still exists, so what do we do? We put in preventative measures to prevent fire and we put in responsive measures should fire occur.”

In West Virginia, making cybersecurity a standing effort began in 2019, when the state created a new office, tasked its chief information security officer with implementing a risk governance framework and joined the National Governors Association’s cybersecurity policy academy. The project entered its second phase last month when the state hired a software company called Galvanize to design a tool for executive leadership that provides an overview of cybersecurity risk across the state government.

Beyond day-to-day cybersecurity operations, Spence says requesting cybersecurity funding without metrics in hand is challenging because it’s hard to prove return on investment for a preventative measure, but also because cybersecurity risk is so ill defined.

“By doing the risk analysis and being able to show critical risk, we help empower the agencies to make the justification for budget requests to address their problems,” he says. “That’s where we would see the biggest benefit, because now we would be strategically addressing the critical risk, not just at the tactical level.”

Later in the episode, Oklahoma CISO Matt Singleton says data is used in his state as a “starting point” for guiding cybersecurity policy. 

“You can’t quantify everything, but you can absolutely start and ensure you’re headed down the right path if you do some data analytics up front,” Singleton says. “All of this comes back to risk management. We need to understand not only the impact of something bad happening, but the likelihood of that happening, and a lot of times you can’t quantify the likelihood.”

In the pandemic era especially, states have been driven to aggregate and make sense of larger pools of data for a wide variety of uses, says Andy MacIsaac, director of solutions marketing for public sector at Alteryx. In some cases, he said, states operated opioid platforms or procurement dashboards that were adapted for new needs of the health crisis.

“There were definitely some states that had a more robust analytics capability that when the pandemic hit they were able to transition or pivot some of that analytics capability to really address the significant challenge,” MacIsaac says. “While it was a significant public health challenge, it really was a data challenge.”

On the podcast:

• Colin Wood, managing editor, StateScoop & EdScoop
• Joshua Spence, CTO, West Virginia
• Matt Singleton, CISO, Oklahoma
• Jake Williams, associate publisher, StateScoop & EdScoop
• Andy MacIsaac, director of solutions marketing public sector, Alteryx

This episode is sponsored by Alteryx.

Listen to archived episodes of Priorities from Season 5 (2020),  Season 4 (2019), Season 3 (2018), Season 2 (2017) and Season 1 (2016). Catch all of StateScoop’s podcasts on Soundcloud, Apple Podcasts, Spotify, Google Play, Stitcher or Alexa’s TuneIn.