State governments looking to improve their cybersecurity policies can do so by building workforces capable of dealing with ever-evolving threats, Louisiana Gov. John Bel Edwards told StateScoop on Wednesday.
Edwards, appearing at the National Governors Association’s cybersecurity conference in Shreveport, said state governments in recent years have become better-focused on the topic, but still need to figure out ways how to attract students and current members of the workforce to cybersecurity careers, especially those in the public sector.
“There are just thousands of jobs across the country unfilled, so we have to do a better job connecting young people with those jobs, not just provide them opportunity and prosperity but to provide security,” he said.
Edwards is among many other governors with ambitions to make their states factories of cybersecurity expertise, often through academic competitions or mandatory computer-science curriculums. Similar agendas have been announced across the United States, including scholarships in Delaware, training for all public-school students in North Dakota, and free re-skilling academies for veterans in North Carolina.
“We’ve got a curriculum we’re using in elementary schools just to expose people to cyber, making sure they know they’re capable of doing this kind of work, and especially making sure that female students and minority students know that,” he said.
Earlier in the day, Edwards moderated a panel featuring the presidents of Grambling State University and Louisiana Tech University, both of which offer four-year computer-science programs specializing in cybersecurity.
Yet while state leaders tout plans to cultivate future talent, funding for cybersecurity operations still falls short in many places, and states’ top cybersecurity officials meet rarely with their governors. According to a 2018 report published by Deloitte, states spend on average just 1 to 2 percent of their overall IT budgets on cybersecurity. Meanwhile, only 20 percent of chief information security officers report monthly to their governors, compared to 39 percent who do so on an ad hoc basis. Ten percent of CISOs say they never meet with their governor.
But Edwards said states are making progress, including Louisiana. He cited his 2017 creation of a 15-member cybersecurity commission, which is expected to issue a statewide plan later this year, and the incorporation of cyberattack scenarios into Louisiana’s disaster-planning exercises.
“We are learning more about the threat and more what we should be doing in terms of being responsible,” he said. “I’m not one of those guys who’s ever going to say we’re doing enough as it relates to cyber, but I know we’re doing more than we’ve ever done in the past.”
He also noted that this week’s conference — the NGA’s third biannual cybersecurity event — was the first one to attract representatives from all 50 state governments.
“That had not happened previously,” Edwards said. “The idea we can sit with each other and exchange best practices is critically important.”
Arkansas Gov. Asa Hutchinson, who has announced his own plans to bolster his state’s computer-science and cybersecurity workforces through more curriculum offerings, addressed the conference later Wednesday and echoed his southern neighbor’s focus on academic training. He mentioned the Arkansas Future Grant program, which offers two years of college tuition payments to students who pursue a “high-need” field of study — namely computer science or cybersecurity. Recipients are required to live and work in Arkansas after graduation, Hutchinson said.
But most important for states looking to improve their cybersecurity postures, Hutchinson said, is attention from highest rung of state government: the governors themselves.
“It starts at the top,” he said. “If the governor is not engaged in cybersecurity, the governor is in jeopardy. It’s something you have to engage in every day.”