State government officials may be failing to fully grasp how vulnerable their agency applications and databases are to the kinds of costly cyber attacks that humbled corporate giants Home Depot and Target over the past year, according to a new report.
The report, released Wednesday by Deloitte and the National Association of State Chief Information Officers (NASCIO), found that state officials are making headway in their efforts to better secure the information they maintain. But the study, the latest in a biennial series, also detected a significant gap in perceptions between state agency leaders and their IT security officers over how prepared their states are in responding to cyber attacks.
While half of the country’s states report year-over-year increases in cybersecurity budgets, 76 percent of state chief information security officers (CISOs) said those budgets remain insufficient to tackle the increasingly sophisticated cyber threats businesses and governments routinely face.
Moreover, the 2014 Deloitte-NASCIO Cybersecurity Study found that while 60 percent of state agency leaders said they are very or extremely confident in their state’s ability to protect information assets against cyber threats, only 25 percent of CISOs hold the same belief.
Part of that gap stems from the growing sophistication, intensity and volume of attacks CISOs encounter on a daily basis. While security has been a top priority for state CIOs since Deloitte and NASCIO began surveying state officials in 2010, this year marked the first time CIOs put it at the top of their priorities list, according to NASCIO Executive Director Doug Robinson and Deloitte Principal Srini Subramanian.
But the gap also reflects the growing complexity of securing shared systems, the expanding roles CISOs have inherited and the challenge CISOs continue to face communicating to top state officials the full scope of risks their agencies face. The study found, for instance, that while incident reporting has improved, reports to the state governors, legislators and agency leaders remain largely ad hoc in nature.
While virtually every state in the U.S. has established a CISO position and granted CISOs greater authority, “only 30 percent of states have established the position of (chief) privacy officers,” Subramanian said. That’s up from 18 percent of states in 2012, he said, but the burden of assuring the privacy of citizens’ information continues to weigh on many CISOs at a time when they must also concentrate more intensely on technical solutions and compliance.
In an interview with StateScoop, Subramanian warned that states “have been holding online data for 10 years or more” and well beyond “normal data life cycle practices,” giving hackers a greater footprint to steal large collections of personal and health-related data. States have generally not suffered the types of broad data breaches suffered by commercial businesses, but it’s only a matter of time, he said.
CIOs and CISOs attending NASCIO’s annual conference, where the results of the study were announced Wednesday, said the gap in perceptions between state leaders and CISOs may not be as large as the study suggests.
Paul Baltzel, CIO of Indiana, suggested the lower level of confidence of state CISOs might be somewhat skewed by the “natural concern” CIOs and CISOs have that “there is always more to do to protect our systems.”
Pennsylvania CISO Erik Avakaian said a team of state IT security experts recently met with agency heads to conduct cybersecurity awareness training as part of a broader effort to help leaders prepare for what actions they need to take “not if, but when a cyber event might occur.”
Among the study’s other findings:
· Looking at the risks of data breaches, CISOs worry most about malicious code penetrating state IT systems, hacktivism, and zero-day attacks that are as yet unknown to hardware and software vendors. But over the next 12 months, CISOs also anticipate an increase in activities, such as pharming and phishing, that prey upon users of state information systems.
· Almost half of CISOs (47 percent) say they plan to make use of the National Institute of Standards and Technology’s Cybersecurity Framework issued last February, and another 39 percent report they are reviewing the guidelines.
· The scarcity of qualified cybersecurity professionals remains one of the biggest barriers states face in addressing potential threats. Nearly half of states now have between six and 15 full-time cybersecurity employees, up from 39 percent of states two years ago.
The report also makes a series of recommendations to CISOs, urging them to:
· Work with legislators and state leaders to build a business case for establishing security as a line item in the budget.
· Work with CIOs to allocate a more reasonable percentage of IT budgets to cybersecurity. The study found the majority of CISOs estimate security spending still accounts for only 1 to 2 percent of IT budgets.
· Develop threat-monitoring plans for early detection and move beyond perimeter protection systems.
The study surveyed state officials responsible for IT security oversight from 49 states. Additionally, Deloitte surveyed 186 U.S. state agency officials.