Chief information security officers have seen their profiles in government grow larger over the past few years as more states develop cybersecurity policies, but most statewide CISOs say they still lack sufficient funding and personnel to develop solid defenses against external and internal cyberthreats.
The findings were delivered in a biennial survey of state CISOs published Tuesday at the annual conference of the National Association of State Chief Information Officers in San Diego.
The most promising finding from the survey, which was conducted by Deloitte, might be that many CISOs are briefing their governors on cybersecurity issues more regularly than just two years ago. Fifteen state CISOs said they speak with their governor or governor’s staff on an ad-hoc basis, while another nine said they provide monthly updates.
“People are taking the role seriously,” Srini Subramanian, the Deloitte consultant who wrote the survey’s accompanying report, told StateScoop. “We see that the CISO role is well-established.”
But, Subramanian continued, CISOs continue to say their operations are insufficiently funded and staffed. On average, states commit just 1 to 2 percent of their total information technology budgets toward cybersecurity, the survey reported.
That leaves states with tiny cybersecurity staffs compared to similarly sized organizations. The average state government employs between six and 15 full-time cybersecurity professionals. By comparison, a large corporation, such as a financial institution, may have hundreds of cybersecurity employees.
Large federal agencies also spend much more of their budgets on cybersecurity than states do. The Department of Transportation has 5.6 percent of its 2019 IT budget allocated to cybersecurity, while the Justice Department will commit a full quarter of its technology budget to cybersecurity.
Just 20 states have dedicated line items in their budgets for cybersecurity. For the rest, cybersecurity money is carved out of broader IT funding, and many CISOs do not have input in the budgeting process.
“I’ve never seen it,” Alaska CISO Shannon Lawson said of his state’s budget.
Lawson, who was hired last year as the state’s inaugural CISO along with its first chief information officer (Bill Vajda, who resigned last month), is overseeing a consolidation effort that has made it tricky to gauge cybersecurity resources.
“There’s a lot of growing pains,” he said. “You’re reining in stuff from 15 departments, and sometimes they’re willing to show you their budget and sometimes they’re not and you’re trying to get all this stuff in and figuring out what [chargeback] rates are going to be.”
But Lawson said that the biggest hurdle he faces is a “culture problem,” stemming from a bureaucracy staffed by employees who have not changed their habits in decades. He added that while most states struggle to compete with the federal government and private sector for top cybersecurity professionals, Alaska’s remote location makes that challenge “double.”
Changing the bureaucratic culture is one way Lawson said he’s trying to make Alaska more attractive to new talent. “While the state might not be able to afford top salaries, you can do other things that cost way less but drastically improve employee morale,” he said.
One of those things is offering training to employees more often than just once a year. Lawson also said his team studies cyberattacks in other states to determine if systems in Alaska have the same vulnerabilities. “Every time an organization is hit, that’s a good opportunity to learn what they did wrong and if you have that hole in your system, to patch that,” he said.
The Deloitte survey lists additional training and certification as two ways states can attract better cybersecurity talent, but the top-line recommendations reinforce CISOs’ longstanding need: funding.
The survey encourages CISOs to urge that cybersecurity be added to their states’ budgets as a distinct line item. It also recommends that states demand more money from the federal agencies whose security requirements they must meet as a condition of receiving funding. That is already the case with the U.S. Department of Health and Human Services, which provides funding to state health agencies to upgrade security protocols on systems that use data from the Centers for Medicare & Medicaid Services.
The report also states that CISOs “should be at the forefront of the ‘Fourth Industrial Revolution’,” referring to emerging technologies like artificial intelligence, internet-connected devices and blockchain ledgers. But that recommendation may be at odds with how CISOs actually filled out the survey — most of these technologies rank near the bottom of respondents’ priority lists.
Where such technologies are adopted, the document encourages CISOs to coordinate more often with their CIOs.
“Such early involvement can also help identify whether cybersecurity is baked into new applications of emerging technologies, technology evaluations, and procurements,” the report reads.
Nevertheless, lack of funding is the greatest inhibitor to bigger cybersecurity programs, which in turn contributes to states’ talent deficits. In light of this, the survey’s final recommendation calls on CISOs to outsource functions like risk assessments, threat management and audit log analysis. More than half of states, though, do not farm out those responsibilities, often leaving them to under-qualified government employees, the survey found.
Subramanian, the Deloitte consultant, suggested states lean on private companies and academic institutions to handle the workload. During a panel discussion of the survey on Tuesday, Georgia CISO Stan Gatewood embraced the idea of incorporating the education sector, pointing to his state’s new $100 million cybersecurity facility, which includes a cyber range that will be used by Augusta University, among other tenants.
But Gatewood was cautious about contracting out too many duties. “Don’t outsource everything,” he said. “You need to keep control.”