Cybersecurity continues to be the top concern of state chief information officers, but Arkansas IT Secretary Jonathan Askins recommended states focus on their defense postures rather than the threats themselves.
“I think people confuse that sometimes, they think they have a culture of information security because they know about all the different threats that are out there, but they can’t tell you what their defense posture is,” Askins said at a conference on Tuesday.
Ransomware attacks, human error and phishing schemes are among the top five risks to cybersecurity today, according to an annual survey published Tuesday by the National Association of Chief Information Officers. Askins said that mandatory executive branch awareness training is his main focus when it comes to building a better culture around cybersecurity in his state.
The same is true in Wisconsin, though state CIO Trina Zanow said her state’s approach to cybersecurity awareness training is a bit different from Arkansas’s. Zanow is focused on making security standards and policies more accessible and visible to local governments and K-12 schools.
“The more awareness and information that we can share with them, the greater we are as a whole,” Zanow said. “We’re spending a lot of time and energy and getting the message out, getting the word out, talking about cybersecurity.”
In Rhode Island, state CIO Brian Tardiff said that his highest priorities in promoting cybersecurity are endpoint detection as well as identity and access management, particularly with the increased adoption of remote work.
“Relying on awareness training to shape the behaviors and hope that users remember that I’m not supposed to click on something is not really a good strategy from my perspective,” Tardiff said.
Instead of focusing cybersecurity training on users, Tardiff said, his time is better spent training agency leadership on why cybersecurity is a necessary investment by the state.
Looming within state CIOs’ cybersecurity concerns is the growing challenge of recruiting and retaining qualified cybersecurity professionals. A majority of states now offer more flexible work options like hybrid or remote opportunities, and a growing number are eliminating four-year degree requirements in an effort to recruit and retain employees, according to the NASCIO report.
Both Wisconsin and Arkansas work with K-12 and higher education institutions to help develop skills and real-world experience. However, Askins said, two-year colleges are often overlooked.
“I want the gamer, I want the kid that spends 24 hours in the basement playing games all day, that’s the kind of person I’m looking for,” Askins said. “You can provide the technical college training or some of these community colleges and then put them in the real world. … I think those are going to be tremendous workers in the future.”
Tardiff added that moving away from four-year degree requirements also opens doors to hire those who have served in the military and have real-world experience, but not the degree to show for it.