Data Center

CIOs Discuss Need for Cybersecurity Funding

At conference panel, IT leaders say user training alone isn’t enough to protect critical infrastructure.

Google+ Twitter

Amy has worked on StateTech since May 2007. As managing editor, she shapes editorial content for print and online. Before that, she spent 10 years at Network World as senior managing editor of features and managing editor of features. Amy began her IT publishing career at PC Week. While out of the office, she enjoys traveling and rooting for the Red Sox.

@onetoughnerd says the country is doing a poor job with #cybersecurity. "We shouldn't wait for a crisis. We should be proactive" #govlive

— Ryan Petersen (@RyanPete) January 29, 2013

Here at @governing #govlive conf, @nacotweets notes fed, state & county budgets closely intertwined; sequestration will affect everyone.

— Amy Schurr (@AmySchurr) January 29, 2013

MT @mherckis: Resources and better public understanding of #cybersecurity threat necessary, state CIOs explain. #govlive

— GOVERNING (@GOVERNING) January 29, 2013

After discussing the dangers of cyberthreats for more than a decade, state CIOs want public officials to back up the rhetoric with sufficient IT security spending.

Speaking at Governing’s “Outlook in the States and Localities” conference in Washington, D.C., a panel of government IT leaders agreed that cyber awareness among users and the general public is imperative, but can only go so far. “The problem is not going away,” said Michigan CIO David Behen. “It’s only going to get worse.”

Behen believes he’s fortunate because Gov. Rick Snyder recognizes the risks to the IT infrastructure. Together with Maryland Gov. Martin O’Malley, Snyder leads the National Governor’s Association Resource Center for State Cybersecurity. “We cannot be successful unless the federal government is working hand in hand with state government,” Behen said, pointing to the need for additional investments in cybersecurity and his state’s goal of building an industry.

Speaking of the woes in Alabama, South Carolina and Utah, panel moderator Cathilea Robinett said more cyberattacks against government will be forthcoming. “It’s not a question of if, but of when,” said Robinett, executive vice president of e-Republic. She hears a common refrain of IT security being underfunded and even cases where audits turn up problems that are not fixed because there’s no budget.

Virginia Deputy Secretary of Technology Aaron Mathes said that his state’s outsourcing arrangement with Northrup Grumman leaves that partner responsible for security. Agencies pay for those services in a chargeback arrangement. As the state incrementally raises prices, leaders can go before the legislature and explain, “This is what we need to do and why.”

Robinett mentioned that perhaps an idea promulgated by former Montana CIO Dick Clark could help ensure that cybersecurity receives adequate investments — purchase cyberinsurance policies for states. By treating IT security like any other risk, such as driver’s insurance, the criteria would be there to encourage policy holders to take preventative measures in exchange for lower premiums.

<p>Image courtesy of Stuart Miles / <a href="http://www.freedigitalphotos.net" target="_blank">FreeDigitalPhotos.net</a></p>