The position of statewide chief information security officer may be starting to resemble the “broker” role that many state chief information officers have taken on in recent years. While state governments are steadily pouring more resources into cybersecurity, there are still many tasks that can’t be achieved with in-house talent, resulting in CISOs outsourcing critical functions like cyberthreat risk assessments and vulnerability monitoring.
The evolution of the CISO job was the focus of a webinar Tuesday hosted by the National Association of State Chief Information Officers. During the hour-long session, Pennsylvania CISO Erik Avakian and Missouri CISO Michael Roling talked about how state governments’ information security portfolios have grown over the past decade, as well as the staffing and budgetary constraints they face.
“Back in 2010, there were just five of us,” Roling said of his office. “We’re now up to 21 full-time employees, and we’ve experienced some growing pains.”
One of those pains is Roling’s relative distance from larger cities and more educated workforces.
“Like many state capitals, we are not near a whole lot of talent in Jefferson City,” he said, noting that the Missouri capital is a two-hour drive from St. Louis and three hours from Kansas City. “In other states, where the capitals are in big cities like Austin, how do you even compete with that? We’ve done our best to hire within.”
While Roling said some of his office’s best work is done by direct hires, including a former bouncer and a former hairdresser, each of whom had an academic background in computer science, an ever-expanding list of responsibilities means he may have to start focusing more on finding contractors who can pick up the slack.
Avakian said his office, which numbers about 30 employees, might also have to start outsourcing some duties in the future. For now, though, Pennsylvania’s information security office is going through the paces of the state’s broader IT centralization effort, which is moving the commonwealth to a shared-services model after decades of siloing each agency’s resources. That effort is not expected to be finished until July 2019 at the earliest.
“The centralization is going to have a positive impact,” he said. “More resources are needed but we need to make better use of the resources we have.”
In Missouri, Roling said his role today isn’t just about making his office’s services more efficient, but proving to the lawmakers who control his budget that cybersecurity is a worthwhile investment.
“We have a lot of small business owners in our legislature, and they’re not going to cough up additional funding for anything unless they see what it’ll go to,” he said. Roling’s team has also set up a website for the governor’s office where staffers can see returns on the information security bureau’s spending.
Although Avakian and Roling say they are as stretched as ever, their offices are larger than the average CISO bureau, according to data collected by NASCIO. Half of statewide enterprise security offices have between six and 15 full-time workers, according to a report by the accounting firm Deloitte, which has conducted biennial surveys of states’ cybersecurity postures for NASCIO since 2010.
The most recent findings suggest states are staffing up central cybersecurity offices more than ever, Deloitte’s Srini Subramanian said during the webinar, but the numbers still pale compared to efforts by similarly sized enterprises, like financial institutions. A large bank, he said, will have a cybersecurity team that numbers in the hundreds.
With cybersecurity touching an increasing number of state government functions — from public-assistance programs to elections — it’s harder and harder for small offices to cover the entire surface, which makes farming things out more appealing.
“What are the things worth outsourcing?” Avakian said.
According to the 2016 edition of NASCIO’s cybersecurity survey, 54 percent of states contract out risk assessments, 35 percent outsource threat monitoring and 27 percent go outside for vulnerability management, all increases over the 2014 survey’s findings.
“It’s just this progression from the operational to the strategic,” Avakian said. “This position has really morphed to the point where the CISO is speaking the language of the business. They can demonstrate the value of cybersecurity, and that’s a much different role from where we were in 2010.”
The 2018 edition of NASCIO’s cybersecurity survey will be released at the organization’s annual conference in October.