Until recently, Illinois CIO Kirk Lonbom was frustrated that his state did not have a true hybrid cloud executable roadmap. Legacy staff feared change in developing one, and agencies dragged their feet. But Lonbom was able to leverage security concerns to change the conversation, and a unified roadmap was adopted several months later.
“The recent emphasis on cybersecurity has provided us with an opportunity. We are leading the charge to adopt new technologies as a change agent, establishing a paradigm of security as a foundation,” Lonbom told NASCIO 2018 on Tuesday.
Lonbom’s story reflects the experiences of states reflected in the "2018 Deloitte-NASCIO Cybersecurity Study — States at Risk: Bold Plays for Change," released during the national conference for the National Association of State Chief Information Officers. The study found that an increasing number of states are recognizing cybersecurity as a holistic business risk to the states as more of them provide formal authority to CISOs and dedicate budget to security issues.
The study authors said that the study results are encouraging. “CISOs and CIOs are increasing the cadence of communications to state leaders, the governor and the legislature, more so than the past year,” said Srini Subramanian, principal for audit and enterprise risk services at Deloitte.
“CISOs now have an executive platform. Their authority is now established by statute,” Subramanian said, pointing to the study’s findings that 63 percent of states have a CISO firmly established by law or statute, up from 49 percent in 2016.
Dedicated Cyberseurity Funding Makes a Difference in States
The NASCIO-Deloitte study report advocates for CIOs and CISOs to make “bold plays for change,” including advocating for dedicated cyber program funding, making CISOs enablers of innovation through participation in setting priorities, and teaming with the private sector and higher education to provide a pipeline for talent and to outsource when necessary.
“Some of the persistent challenges on budget and talent continue, and they have been there since 2010” when Deloitte and NASCIO released the results of the first iteration of its study, Subramanian said. “The states have not been able to break away from those challenges of budget and talent.”
Dedicated funding for cybersecurity is “at least a starting point,” Subramanian added. “CISOs and CIOs are doing a phenomenal job with what is allocated to them.” IT leaders must demonstrate progress with the budget allocated to them and seek more money as appropriate in following budget cycles.
NASCIO Executive Director Doug Robinson said, “It’s not necessarily a magic number. States should be allocating resources commensurate to their risk.”
“We still have a long way to go,” Robinson said. “States still focus on this on a technology issue. They don’t see it as a holistic risk to the state. But with dedicated funding comes a recognition that cybersecurity is a broad business risk.”
In the NASCIO 2018 panel discussion that presented the findings of the Deloitte study, Arizona CISO Mike Lettman emphasized that this was the first year that his state has a budget line item dedicated to cybersecurity. In prior years, IT officials had to make the case for funding. They would turn to the legislature and say, “OK, we built this protection in the state but we are going to have to shut it off if we don’t get funding in the following year,” Lettman said.
“The governor’s office got visibility on how to spend the dollars through a budget item versus agencies spending the money separately,” which reduced overall risk for the state, Lettman said.
Top Challenges Remain Unchanged with Persistent Issues
Budget, talent and the sophistication of threats are the top three challenges facing states, according to the study report. NASCIO’s national IT workforce surveys indicate that hiring and retaining a qualified workforce is the “most persistent challenge.” According to the report, most state enterprise cybersecurity teams consist of only six to 15 full-time employees.
States have reformed their IT hiring when possible, changing job classifications to make them more appealing and modernizing their qualifications. Antiquated job descriptions were at the top of the list of challenges identified in an annual state CIO survey conducted by NASCIO last year. While reforming such hiring practices helps, it’s not going to solve the problem entirely, the report authors said. Deloitte and NASCIO both have helped states examine compensation and other barriers to hiring qualified IT personnel, but government agencies simply cannot compete with the private sector in hiring.
“Salary and compensation are not going to be addressed effectively in our lifetime. There’s no way. States must seek other remedies,” Robinson said.
“Public-private partnerships, including universities, are going to be the bold play that is most important in the future,” in part due to universities’ capabilities to help the public sector nurture IT talent, he added.
Read more articles and check out videos from StateTech’s coverage of NASCIO 2018 here.