Oct 02 2014

Top Threats and Priorities for State CISOs

A new NASCIO survey has found that security officers rank malicious code, hacktivism and zero-day attacks as their greatest threats.

Managing cyberrisk is no longer a problem for chief information security officers alone.

Cybersecurity is drawing the attention of state agency heads, legislators and governors, and many are giving CISOs greater authority over operations across executive branch agencies, according to the 2014 Deloitte-NASCIO Cybersecurity Study released Wednesday. “More CISOs indicate they have also taken on oversight of various technical security functions since 2012, including network security and perimeter defense and vulnerability management — adding to the increasing list of their responsibilities.”

But insufficient budgets, a lack of resources for recruiting cyberprofessionals and the increasing sophistication of cyberthreats are putting security and state governments at risk, Craig Orgeron, NASCIO president and CIO of Mississippi, wrote in the report.

“Additionally, state officials appear more confident than CISOs in the safeguards against external cyberthreats, perhaps a result of ineffective communication of risks and impacts,” the study noted.

A total of 49 CISOs or their equivalents participated in the biennial survey, which reveals key findings about the maturing role of CISOs, their priorities and challenges.

When asked about their top cybersecurity concerns, 74.5 percent cited malicious code, followed by hacktivism and zero-day attacks. To combat the growing number of threats, officials are focusing on key areas: risk assessments, training and awareness, data protection, continuous monitoring and incident response.

As the CISO function evolves, the report recommends that states consider whether CISO responsibilities have become too diversified for one executive to handle and whether certain priorities need to take a back seat. Having leaders who specialize in key areas, such as risk and compliance or privacy and security technology, and assigning them resources could help improve program efficiency. In some cases those positions may continue reporting to an elevated CISO position.

“The traditional approach to managing security through preventive and risk-based protective measures, while important and necessary, is no longer enough,” according to the report. “States today must add two other elements to the mix: vigilance — continuous monitoring for threats that gives them early detection capabilities; and resilience — the ability to respond and recover.”

Here are a few statistics from the survey:

93.9%: Percentage of CISOs who use cybersecurity standards developed by the National Institute of Standards and Technology
46.9%: Percentage of CISOs who are using version 1.0 of the NIST Cybersecurity Framework
25%: Percentage of states that have appropriate job descriptions documented by human resources
9 out of 10: Number of CISOs who cite salary as the top staffing challenge
49%: Percentage of state enterprise security offices that have six to 15 full-time workers
6 out of 10: Number of CISOs who cite an increase in sophistication of threats
46.8%: Percentage of states with cybersecurity funding that accounts for only 1 to 2 percent of the IT budget