A significant portion of state and local government technology officials in a new survey say they are under-equipped, under-staffed and under-resourced in addressing cybersecurity concerns.
Four in 10 state and local IT leaders say they lack the tools they need to identify and report cybersecurity vulnerabilities in their networks, according to a study conducted by CyberScoop and StateScoop, and underwritten by Tenable.
For 38 percent of respondents, this shortcoming is further exacerbated by the need for security intelligence tools that prioritize vulnerability risks. Combined, these technology gaps make it harder for security personnel to optimize their time and effectiveness. Nearly half of respondents (46 percent) said that access to more skilled and knowledgeable information security professionals would improve the ability to spot security vulnerabilities — more than any other potential enabler.
Officials also said a lack of understanding about technologies and risks, and difficulty understanding security metrics, are the biggest challenges they face in communicating security risks to top government leaders and elected officials.
Despite these challenges, researchers are optimistic.
“The study’s findings suggest that state and local government agencies aren’t as far behind their industry counterparts in cybersecurity preparedness as is often thought,” said Wyatt Kash, who heads content strategy for Scoop News Group.
In fact, state and local government officials “are more confident in their ability to secure operational technology and IoT systems than their industry counterparts,” Kash said, based on a parallel survey conducted with industry executives.
He attributed that confidence to the long-standing role state and local agencies have had operating such networks. But there are improvements to be made and complications that must be overcome.
The study suggests that state and local agencies would benefit from a combination of tools that identify cybersecurity vulnerabilities, policies for responding to them, and reporting methods (such as real-time dashboards) that make it easier to communicate threats to senior government leaders and elected officials.
Assembling a digital view of cybersecurity vulnerabilities can be problematic for state and local governments because of the diverse range of networks they operate, compared to their private sector counterparts. In addition to managing traditional information technology (IT) networks, 37 percent of state and local government IT leaders say their organizations also use operational technology (OT) to manage physical networks, such as traffic signals and water or electrical facilities. A quarter of those polled said their organizations also manage systems and data from internet-enabled devices such as environmental sensors.
The survey data shows that the environment is also evolving. Nearly half (47 percent) of respondents said their organizations now make use of cloud-based applications and platforms. Six in 10 also maintain the security of web applications and mobile endpoint devices such as laptops and smartphones.
Efforts at state and local agencies are further complicated by their lack of authority or control over their networks and over adjacent networks operated by third parties. More than one-third of respondents (36 percent) cited “a lack of control over systems and devices operated by third-party contractors, which connect to our networks” as an obstacle preventing full security visibility. Another 35 percent said the fact that information security responsibilities are fragmented across their organization is an additional obstacle.
While a majority of state and local government officials polled reported having at least some visibility into the security of their IT systems, that visibility varied by the type of networks they had to protect — and there remains a clear need for fuller visibility.
The study, “Closing the Gaps in Cybersecurity Visibility at State & Local Government Agencies,” was based on the responses of 125 pre-qualified state and local government officials with IT and cybersecurity responsibility.
This article was produced by StateScoop and CyberScoop for, and underwritten by, Tenable.