State cybersecurity leaders should advocate for more funding, embrace emerging technology and collaborate outside of the public sector to improve information security, specialists from Deloitte say.
These recommendations, which stem from the biannual joint survey from Deloitte and the National Association of State Chief Information Officers, focus on three “bold plays,” Srini Subramanian, a principal with Deloitte & Touche LLP, says in a video interview with StateScoop conducted during NASCIO’s Annual Conference in San Diego.
“We looked at [the survey data] and said, ‘Well, what can the states do to really break away from the status quo [and] leverage the executive platform that the CISOs have?” Subramanian says. “That’s how the bold plays came into play.”
The first bold play centered on the state’s chief information security officer as an advocate for more funding dedicated to cybersecurity. Traditionally in state government, Subramanian says, cybersecurity only comprises about 2 percent of the state technology budget. In federal agencies and in the private sector, that number is much higher.
“When you really look at it with the federal agencies and the commercial sector, they are breaking away free and moving, progressing much faster,” Subramanian says. “We really thought that the first bold play ought to be related to the budget and making cybersecurity as a budget line item.”
Part of the reasoning behind advocating for a line item in the budget for cybersecurity comes down to awareness, Subramanian says. State leaders are already including cybersecurity heavily in strategic business plans, but without the emphasis in the actual budget process, the risk-based investments states are forced to make are often glossed over by decision makers.
“[By] really communicating to the leaders what kind of risks they are assuming by not doing certain things because of a lack of budget, then this would become much more visible,” Subramanian says. “I’m sure that the state leaders and the legislature would be interested in what kind of risks are they assuming and if they can find other avenues for funding these initiatives.”
Clayton Frick, a managing director at Deloitte & Touche LLP, says state CISOs “are not prioritizing” innovative technologies and preparing their governments for the cybersecurity risks that come with them.
“Technologies such as artificial intelligence, machine learning, blockchain, ‘internet of things,’ smart cities, smart state, everything — CISOs rated those new technologies at the bottom of their [priority] list,” Frick says in a video interview. “If they’re not spending time on it, they are not in the position to adopt in a timely way to these new technologies.”
To combat this, Frick recommends CISOs embrace emerging technology and get familiar with it so that they can secure the technologies when they make it to state systems.
In addition, it’s about using the executive position CISOs have to make an example.
“They can be out there, driving and enabling innovation based in those places,” Frick says. “I think if they do those things — embrace change, set the tone, and use their platform — what they’re going to be able to do is have broader support for the overall cyber risk agenda, platform and program.”
A common theme in technology and cybersecurity in state governments in general is a lack of adequate staffing resources to tackle the problems agencies face. To combat this, Mike Wyatt, a Deloitte & Touche LLP principal, suggests states should turn to collaboration to help make up the gap.
“We see the need to collaborate to create the talent pipeline necessary to meet the needs of state CISO organizations,” Wyatt says. “There’s a real need for evaluating strategic use of public-private partnerships to address those competencies that are really hard to fill and maintain in state organizations.”
States should embrace those partnerships — and use the convening power government holds to bring different sectors together in person to share ideas and resources, Wyatt says.
These videos were produced by StateScoop and brought to you by Deloitte.