NASCIO 2017: State IT Experts Explore the Human Side of Cybersecurity

As citizens’ lives become more intricately linked and digitized, the need for information security is more critical now than ever for state and local governments.

Microsoft estimates that four billion people will be online by 2020 — more than twice the number of people online in 2016. Further, the company estimates that 50 billion devices will be connected to the internet. And as we have seen with the WannaCry ransomware and phishing attacks, cyberthreats are growing in number and intensity.

While firewalls and other technologies are a huge part of ensuring that data and systems stay safe, people are perhaps the most important element in the fight against cyberthreats, as four cybersecurity professionals shared at the NASCIO Annual Conference in Austin, Texas, this week.

SIGN UP: Get more news from the StateTech newsletter in your inbox every two weeks

Georgia Targets the Need for Workforce Development

“Computers and applications don’t attack each other,” said Stanton Gatewood, CISO for the state of Georgia, during the “Cybersecurity: The Human Factor” session on Wednesday. “The human element is the weakest link in the chain.”

A 1.5 million cybersecurity workforce shortage is expected for 2020, and human resources in cybersecurity are likely to be stretched more than ever — with the possibility that more cyberattacks will eke through.

Gatewood attributes some of this shortage to the unreasonably high levels of experience required for these roles.

“I once saw a job placement for a CISO that required 20 years of experience,” he said, noting that a college grad won’t have anything near that level. “We have an aging workforce. We have people who have done 30 years of cybersecurity work who are about to retire.”

More important than years of experience is practical experience, said Gatewood, which includes IT professionals that understand layering defense and monitoring analytics to identify risk.

By employing more opportunities for cybersecurity workforce development, the private sector and government can help to combat this trend.

“When they come out on the other end of training, they are ready to sit in the seat,” said Gatewood. “We need to close the 1.5 million gap.”

Many states are already creating these opportunities. Georgia launched the Georgia Cybersecurity Workforce Academy, which aims to provide cybersecurity awareness, training and education to information security officers employed by the state.

Programs built into school and university curricula can also help to build better cybersecurity skills.

“We need to teach our teachers [about cybersecurity], and then they can teach our students,” said Gatewood.

In Michigan, Civilians Come to the Cyber Rescue

For Rajiv Das, chief security officer for the state of Michigan, people are the most important element of maintaining strong cyberdefenses, which is why the state is using civilian talents to the fullest.

To enhance its ability to rapidly resolve cyberincidents, the state launched the Michigan Cyber Civilian Corps (MiC3) in 2013. The group is comprised of trained cybersecurity professionals who volunteer to provide assistance in the time of cyberemergency.

Currently, MiC3 boasts 63 members, with plans to increase volunteers to 200 by the end of 2018.

Illinois Lets Legislation Lend a Hand

Kirk Lonbom, CISO of Illinois, knows that phishing attacks are some of the most dangerous to local government.

“Ninety-one percent of attacks start with an email,” said Lonbom. To help combat phishing attacks, the state recently passed HB2371, an amendment to the state’s Data Security on State Computers Act that requires mandatory cybersecurity awareness training for all state employees. The training includes detecting phishing scams, and preventing and responding to data breaches.

“Cybersecurity is not a partisan issue,” said Lonbom.

With the previous act, the mandatory cybersecurity training saved the state an estimated $9 million in cost avoidance, Lonbom noted. The amendment will further increase mandatory cybersecurity training for the 47,000 state employees, with the aim to protect state information systems and enhance Illinois’s cybersecurity abilities and partnerships.

Pennsylvania Looks to Train the Front Line of Cybersecurity

“Our end users are our first lines of defense,” said Erik Avakian, CISO for the state of Pennsylvania, noting that an organization can have all the tools in the world, but all it takes is one click to make a system vulnerable.

“Phishing: it’s a business problem,” said Avakian. But there are also business solutions. “Cybersecurity awareness training and employee re-enforcement campaigns can reduce successful phishing by as much as 70 percent,” he noted.

But annual training awareness is not enough, so Pennsylvania trains employees quarterly.

Several years ago, Pennsylvania realized there was a need for continued training through the use of phishing simulations, and it received executive support to roll out a program. While the program started small, it has since procured a third-party Software as a Service tool and ramped up services throughout the state.

Over the years, Avakian has seen benefits from the program.

“It provides end users with tangible feedback,” he said. “The end user becomes part of the response team, and therefore part of the solution. We can make reporting phishing attacks simple for our users to report with one click … This is not about getting people in trouble, it’s about improving our security posture.”

Check out all our articles and videos from StateTech’s coverage of the NASCIO 2017 Annual Conference here.