Survey after survey has revealed that cybersecurity is top of mind for most states these days. And that’s backed by the fact that every state now has a chief information security officer on staff. At this year’s NASCIO Annual conference in Orlando, Fla., the organization released its biennial cybersecurity survey. The survey, which was compiled by Deloitte, had 59 questions and was answered by CISOs from 49 states and territories.
Here are a few key takeaways from this year’s survey:
Cybersecurity has traditionally been viewed as part of the IT department, which meant many CISOs did not report to the state’s governor. With security breaches grabbing headlines regularly, a change in that viewpoint is starting to emerge. The survey points out that 67 percent of CIOs feel good about their state’s security, while only 22 percent of CISOs feel the same way. Given this disconnect, it’s important for CISOs to have a voice of their own outside of the state’s CIO office.
Some state CISOs now report to the governor directly, and others communicate through their CIO, but a growing number (29 percent) are now informing the governor on a monthly basis on the security posture of the state. This is up from 17 percent in 2014.
Agnes Kirk, CISO for the state of Washington, says it’s encouraging that governors are becoming more aware of threats thanks to these regular briefings from CISOs. But she also points out that it’s not just about informing the governor; the legislature — which decides where the state’s budget goes — needs to be informed as well. Security has to be funded; if the legislature isn’t briefed on the state’s security needs, it won’t fund it.
“We try to educate the legislature that if they don’t invest in prevention, they will be investing in cleaning up messes from breaches,” said Kirk.
The top five barriers to addressing cybersecurity challenges were identified in the survey as a lack of sufficient funding (80 percent), inadequate availability of cybersecurity professionals (51 percent), lack of documented processes (45 percent), increasing sophistication of threats (45 percent) and lack of visibility and influence within the enterprise (33 percent). Having a formal strategy can help with some of these barriers.
In the survey, 33 states reported having an approved strategy, compared with 16 states that did not. Of the states with a strategy, 48 percent saw an increased budget, compared with 31 percent that did not have a strategy. Thirty-three percent of the states with a formal strategy have more than 15 full-time employees for cybersecurity, and 48 percent say the staff has required competencies, compared with the 6 percent of states that say they have that many employees and the 19 percent that have required competencies without a formal plan.
Michael Wyatt, a managing director at Deloitte, says it’s easier to get funding if CISOs make the case that security is not only risk mitigation and compliance, but also a mission-critical objective.
Hiring IT professionals in general is a major challenge for states, but hiring cybersecurity professionals is even tougher. With the silver tsunami looming, as many state IT professionals retire, the number of full-time cybersecurity employees is flat in most states. According to the survey, 51 percent of states reported having 6–15 employees, up only 2 percentage points, from 49 percent in 2014; 14 percent reported having 16–25 employees, up from 12 percent in 2014; and 8 percent reported having 26–50 employees, a drop from 10 percent in 2014.
The survey mentioned job stability (53 percent), opportunity to serve the state (49 percent), and challenging work environment (41 percent) as the top three factors to attract and retain cybersecurity professionals. With hiring down, states need to look for more creative ways to attract young professionals
Indiana CISO Tad Stahl says his state has established an intern program and has hired four people from that program so far. Attracting IT professionals to state government is about showing people they can achieve work-life balance and stability through a government job, versus taking a higher paying job in consulting and traveling five days a week — a recipe for burnout.
Washington’s Kirk says her state is providing returning veterans with training on IT and cybersecurity as an alternative to competing with the private sector on salary. The state is also looking to align its job titles to mirror the private sector so that professionals can recognize what they are qualified for.
“We need to name jobs that mean something,” says Kirk.
Additionally, states need to offer their IT workers some of the dynamism and flexibility that they can find in the private sector. By instituting job rotation, states can deepen their cybersecurity bench and give employees a more diverse work experience — and perhaps help them find a passion for cybersecurity they might not otherwise have known.
“You can take IT people and have them do a tour of duty in cybersecurity and then go back. That can lead to them staying in the cyber field,” said Deloitte’s Wyatt.
Visit our NASCIO 2016 event page for more coverage from the show.