May 05 2020

NASCIO Midyear 2020: N.C. Officials Call for ‘Whole of State’ in Cybersecurity

State and local IT leaders described how they built upon existing relationships.

In 2018, North Carolina state and local government officials attended a policy academy hosted by the National Governors Association. To foster participation, North Carolina Chief Risk and Security Officer Maria Thompson identified local stakeholders to attend the course with state officials. In her outreach, she met Rowan County CIO Randy Cress.

Soon after they attended the NGA Policy Academy on Implementing State Cybersecurity, the state faced a ransomware attack. And because state and local stakeholders had established connections to begin crafting a statewide incident response plan, they coordinated well to mitigate the attack.

“We had local folks trusted in the local counties as part of our team to assist them in response and recovery activities,” Thompson said during a panel of the NASCIO Midyear 2020 Conference, which occurred virtually through a series of webinar presentations on Monday.

Cress praised the state partnership, noting that it began through emergency management compacts established to respond to natural disasters. “We’ve forged good relationships for when events do happen,” he said during the NASCIO panel. 

State and local officials first came together through emergency response teams, including an IT strike team, that tackled hurricane challenges. That IT strike team broadened its mission to serve the state cybersecurity coordination plans.

“We leveraged a relationship that was already there,” Thompson affirmed.

National Guidance Provided North Carolina with Goals

In January, NGA and NASCIO teamed up to produce a guide, “Stronger Together: State and Local Cybersecurity Collaboration.” As part of Monday’s panel, NGA Program Director Maggie Brunner and NASCIO Director of Policy and Research Meredith Ward highlighted three recommended actions listed in the guide:

  1. At a minimum, states should build relationships with local governments.
  2. States should raise awareness of existing services offered to local governments.
  3. States should explore cost savings that can be achieved by including local governments in service contracts.

To make the guidance effective, Thompson called for a “whole of state” approach to cybersecurity. 

“You can no longer work in your own silos of excellence. You have to work together,” Thompson said. And state and local officials must discuss cybersecurity with all of their partners, not just those whose title indicates IT or security responsibilities. 

“For those who think it’s not your swim lane, it is. You have to adopt a whole of state approach to cyber,” she added.

As a key part of relationship building, Cress advocated for IT managers to share what they are doing in response to an incident, and why. Too often, Cress said, IT workers operate with a great deal of secrecy, out of fear of reprisal or discomfort after suffering an attack. But reporting openly is the right thing to do.

“Sometimes it comes across as an embarrassment,” so officials are reluctant to report incidents, he said. “You’re just an IP address; it could happen to anybody.”

Building Upon Existing Mechanisms Strengthened Coordination

In 2019, North Carolina faced seven ransomware incidents in local counties and school systems. For five of them, state officials worked side by side with the IT strike team, which was first stood up by the North Carolina Local Government Information Systems Association.

“In many occasions, they were the first boots on the ground before National Guard teams could be deployed to support the counties,” Thompson said.

In addition, NCLGISA can turn to a different line of funding for cybersecurity response to augment state funding, which has improved since the NGA Policy Academy. It was easier to convince state legislators of the need once they, too, faced ransomware threats, Thompson said.

“I look for money wherever it exists, and I pull it together,” she said, being careful to follow NGA and NASCIO’s guidance to leverage statewide contracts for maximum value.
