State CISOs Face Workforce Challenges as They Combat Cybersecurity Threats

State IT security officers may look to outsource some functions as they add more responsibilities.

Indiana and Georgia are among the states pouring more resources into cybersecurity centers, and IT security is top of mind amid ransomware attacks and threats to elections. Yet state CISOs face real challenges in meeting the demands of the job, even as their portfolios have expanded. 

State CISOs often face a shortage of in-house cybersecurity talent, leading some to contemplate outsourcing critical security functions to third parties. They also face budgetary constraints and are tasked with doing more with less. 

These and other aspects of how the state CISO role has evolved were the subject of a recent webinar hosted by the National Association of State Chief Information Officers. During the webinar, Pennsylvania CISO Erik Avakian and Missouri CISO Michael Roling discussed how the job has changed and the challenges they face. 

NASCIO’s 2018 biennial report found 30 percent of CISOs are giving cybersecurity reports to governors on a monthly basis, GCN reports. Roling said he has seen state leaders take an increased interest in cybersecurity issues. When he started as CISO, he reported to the governor irregularly, but that is changing now, thanks to a formalized IT security strategy. 

VIDEO: Find out how state IT security leaders address staffing gaps! 

State CISOs Face Budgetary and Staffing Constraints

When Roling started in 2010, his office had five staffers, but he now has 21 full-time employees, and the office has “experienced some growing pains” along the way, he said, according to StateScoop. The fact that Roling’s office in the Missouri capital is two hours from St. Louis and three from Kansas City has made it tough to recruit a talented workforce. 

“Like many state capitals, we are not near a whole lot of talent in Jefferson City,” he said. “In other states, where the capitals are in big cities like Austin, how do you even compete with that? We’ve done our best to hire within.”

Roling still relies on direct hires for much of his office’s work, but he said he may need to start using contractors to help with the office’s ever-expanding responsibilities. 

Meanwhile, in the Keystone State, Avakian said his office, which has about 30 employees, may also need to look to outsourcing some duties in the future. For now, Avakian’s office is helping the state go through an IT centralization effort and a shift to a shared services model, a project that will likely continue until at least July 2019. 

“The centralization is going to have a positive impact,” he said, StateScoop reports. “More resources are needed, but we need to make better use of the resources we have.”

Roling said he tries to make the case to state lawmakers who control his budget that cybersecurity is worth investing in. “We have a lot of small business owners in our legislature, and they’re not going to cough up additional funding for anything unless they see what it’ll go to,” he said. 

Notably, Roling’s office has also set up a website for the governor’s office, allowing staffers to see the return on investment of cybersecurity expenditures. 

Half of statewide enterprise security offices have only six to 15 full-time workers, according to a report by Deloitte, which has produced biennial surveys of states’ cybersecurity postures for NASCIO since 2010. States are investing more in cybersecurity but are still far behind larger enterprises in the private sector in terms of staff, Deloitte Principal Srini Subramanian said during the webinar, according to StateScoop. 

Smaller CISO offices may find outsourcing some cybersecurity functions appealing. “What are the things worth outsourcing?” Avakian said.

According to the 2016 edition of NASCIO’s cybersecurity survey, 54 percent of states contract out risk assessments, 35 percent outsource threat monitoring, and 27 percent go outside for vulnerability management — all of which were increases from the 2014 report (the 2018 report is expected to be released in October). 

“It’s just this progression from the operational to the strategic,” Avakian said. “This position has really morphed to the point where the CISO is speaking the language of the business. They can demonstrate the value of cybersecurity, and that’s a much different role from where we were in 2010.”

Cybersecurity-report_EasyTarget.jpg

jacoblund/Getty Images
Sep 17 2018