Collaboration among stakeholders is still a challenge as more states move to a whole-of-state approach to cybersecurity, but improved communication and sustainable funding would allow states to make more gains, officials said at a conference Monday.
North Carolina Chief Risk Officer Torry Crass said his state’s cybersecurity task force, which was created by an executive order last year, is composed of team members in the Enterprise Security and Risk Management Office, the state’s National Guard, North Carolina Emergency Management and the North Carolina Local Government Information Systems Association. He said the group has already made a difference in the state’s cyber posture.
“The task force really has been critical in helping respond to incidents in North Carolina [and] doing assessments at local and county levels to where those entities have a team show up, work on identifying gaps and problems in their environment and then … suggesting ways to shore up those defenses and we’ve seen that make a very big difference in terms of just the posture in general across the state,” Crass told the National Association of State Chief Information Officers’ annual conference in Minneapolis.
Arizona Chief Information Security Officer Ryan Murray pointed to a cybersecurity compliance program used by Arizona, called StateRAMP, which is modeled after the Federal Risk and Authorization Management Program. The program assesses vendors to ensure they’re meeting the state’s security requirements before procurement. The only challenge is that Arizona only has one cyber compliance analyst, Murray said.
“We do have, from an existential level, a crisis of most of these government entities are smaller than the businesses we’re working with, they are truly living below the cyber poverty line,” Murray said. “They have nothing and they have no resources, they have no funds, they have no people, they have no capabilities to defend themselves against sophisticated cyber.”
Officials said securing sustainable funding for tools and services is also a challenge. Both Crass and Murray disagreed with the notion that grants will solve their IT problems.
“The reality is it’s not,” Crass said. “Most of the grants are set up so it’s one time you get to use the grant money to establish the tool or the service that you’re looking at and then it’s up to the local, the county, the state to sustain after the initial infusion of capital.”
Once funding runs out from a grant and another funding source has not been identified, governments have to remove the service or tool, Crass said.
“There’s acceptance that, yeah, we should be doing more, we should be doing better than what we can,” Crass said. “We just can’t afford it.”
Jennifer Pittman-Leeper, who was formerly a security program manager in Arizona but now works in the private sector, suggested that lobbyists make an effort to further cybersecurity conversations with elected representatives, which can improve communication and knowledge of government technology challenges and can help secure expanded technology budgets or sustainable funding for future projects.
“The point is, you have to meet the state where they are,” Pittman-Leeper said.
For the long term in North Carolina, Crass said he’s exploring options to combine cybersecurity services and tools into statewide contracts with the aim of a collective statewide defense.
Murray suggested that the private sector build tools with multi-tenancy and mobility to allow greater flexibility. That way, he said, if a state-level program goes away, local governments can still pay for those services on their own.
“We can’t just throw everyone together in a big bucket and hope it’s all going to play together well,” Murray said.