Why a Whole-of-State Approach Is Needed
Historically speaking, the most pressing mission requirements for governments have taken priority over upgrading security operations. Ensuring that state and local governments deliver on their commitment to constituents will always be the top priority. Many times, this means that the premium placed on modernizing cybersecurity programs is reduced when compared to other parts of daily operations. The task of implementing proper cybersecurity standards remains a challenging endeavor for organizations in today’s complex threat landscape.
State governments house a multitude of entities, each possessing distinct cybersecurity requirements, budget stipulations and infrastructures. Unifying these diverse components under one cybersecurity framework requires an understanding of their differing needs, technologies and operational setups.
Enter the whole-of-state approach, a strategy that unites the complex and vast ecosystem of networks and systems under a single, standardized framework of policies, procedures and controls. To effectively safeguard operations and constituent information, state governments need a comprehensive approach to cybersecurity. Whole-of-state cybersecurity is a collaborative effort across state and local government to protect citizens, data and the digital infrastructure that keeps these organizations operating freely. This approach recognizes the varying needs of different entities — such as technologies and operational setups — to establish a high level of protection to thwart attacks and fortify security posture. Perhaps the most important component of this strategy, and potentially the most beneficial outcome, is the open communications framework that allows these disparate organizations to join in the fight against an unrelenting adversary community.
EXPLORE: How state and local agencies can establish zero trust.
Managing Change Through Cybersecurity Challenges
Considering the multitude of benefits, many assume that governments are quickly implementing this new approach to transform their defenses. But they face an array of organizational and operational complexities that are standing in the way of successfully adopting the whole-of-state approach, including:
- Operational silos. Each entity within a state government (agencies, departments, municipalities and school districts) usually has its own IT infrastructure, which means it will have distinct cybersecurity requirements to comply with government regulations and ensure secure systems. For many agencies, unifying these diverse components under a homogenous cybersecurity framework requires an understanding of their differing needs, technologies and operational setups, which can be difficult.
- Financial constraints. Agencies frequently encounter fiscal limitations, compelling them to carefully distribute resources across numerous projects. Without ample funds, leaders are forced to prioritize select projects over others. This tradeoff often finds cybersecurity strategy on the losing side of the decision.
- Legacy systems and infrastructure. State and local governments frequently rely on outdated systems that they’re unable to upgrade due to budget constraints. Legacy technology typically lacks effective security capabilities and the latest software updates, rendering them susceptible to cyberthreats and requiring supplementary measures for protection.
- Evolving threat landscape. Modern threat actors are only becoming savvier in their tactics, requiring security practitioners to leverage more sophisticated defenses. However, with the industry facing a skills shortage and it becoming more difficult for government entities to attract and retain talent, agencies must have a proactive cyber approach. Leveraging modern IT enterprise security tools and concepts such as multifactor authentication, Software as a Service applications and proactively hunting for threats within the network puts power back into the hands those who defend against pervasive cyberthreats.
The Whole-of-State Works for All Agencies Involved
The whole-of-state approach simplifies these challenges to address cybersecurity concerns holistically by building on the skills of existing personnel or recruiting specialized talent while unifying the efforts of government entities to minimize redundancies and optimize processes through shared resources. The results include streamlined security operations with clear communication channels, alignment on common objectives and governance structures, and reduced compliance burdens on individual entities.
State governments are already starting to reap the benefits of the whole-of-state approach. Last year, New York started a $30 million shared services program aimed to assist counties with cybersecurity across the state. Additionally, the state’s new cyber strategy also calls for state agencies to implement zero-trust architecture, a critical part of defending IT infrastructure to radically reduce lateral movement during malicious cyber attempts. Although this improved coordination is just the start of a whole-of-state approach, it highlights how state governments should be assessing their cybersecurity posture.
It’s also clear that state governments of differing political persuasions are looking to similar legislative approaches to help further standardize their efforts. Utah was one of the first states to pass legislation focused on zero-trust principals that is standardized across executive branch agencies. California also introduced its own version of this legislation this year.
READ MORE: How state and local governments are addressing threats with zero trust.
This bipartisan legislation marks the start of implementing a whole-of-state approach across state and local governments throughout the country. However, it’s just the tip of the iceberg: Zero-trust principals (where every request to access the system must be authenticated, authorized and encrypted) and endpoint detection and response tools are but a small part of a healthy security posture. To truly create a resilient enterprise, governments must adopt holistic security solutions that minimize the attack surface, incorporate a variety of EDR capabilities and leverage threat hunting to ensure the safety of their networks. And, considering the overwhelming rise in identity-based attacks — a threat vector that is sure to grow moving forward— we should hope to see identity detection measures woven into the fabric of these new security models. If executed successfully, state governments, local governments and educational institutions will be empowered to stay ahead of cyberthreats, strengthen their defenses and protect essential services and citizen data.
It’s clear that state and local governments will continue to be targeted by both bad actors and nation-state threats. With that in mind, it’s important for organizations to embrace this new way of thinking about their cybersecurity practices to prepare for the evolving threat landscape of the future. By using a whole-of-state strategy to centralize security management, leverage advanced threat intelligence and deploy robust endpoint protection capabilities, state governments can create a more secure environment for their operations while fostering collaboration and resilience across all entities within the state.
