Oct 14 2020

NASCIO 2020: Pandemic Bolsters the Case for Centralized Cybersecurity

Annual Deloitte-NASCIO Cybersecurity Study examines how working from home makes the case for consolidating states' overall security posture.

State CISOs have worked with remote workforces to strengthen cybersecurity during the pandemic, according to an annual cybersecurity survey by Deloitte and the National Association of State Chief Information Officers.

During the NASCIO 2020 Annual Conference on Wednesday, the association released "States at Risk: The Cybersecurity Imperative in Uncertain Times," which revealed that 52 percent of respondents had less than 5 percent of staff working remotely prior to the pandemic. But after COVID-19 hit, 35 states reported that more than half of their employees were working remotely. Nine states support a workforce where more than 90 percent work from home.

Since the pandemic closed state offices in March, CISOs have worked to establish safeguards for teleconferencing and collaboration solutions and to secure system access with multifactor authentication.

    States Face a Wide Range of Cybersecurity Challenges

    According to the survey, these are the top security measures established or reinforced by CISOs during the pandemic:

    1. Safeguard teleconferencing and videoconferencing
    2. Establish secure work connections with MFA
    3. Provide guidance on phishing and disinformation campaigns
    4. Update continuity of operations plans
    5. Provide continuous guidance on COVID-19 scams

    At a Wednesday panel about the survey during the NASCIO annual conference, speakers agreed that COVID-19 has challenged continuity and amplified gaps in cybersecurity

    Discouraging the use of shadow IT has been a challenge, said North Carolina State Chief Risk Officer Maria Thompson, whose state follows a decentralized cybersecurity governance model.

    “We found ourselves being more educators, not just on cyber awareness principles but also on approved solutions and the policies around them,” Thompson said. Workers may not see the perils of innocently using a personal application to support an official conference, for example.

    Colorado CISO Debbi Blyth said the pandemic has required more technical support from her agency, which has centralized cybersecurity governance across state agencies.

    “In Colorado, we had to spin up our VPN from 10,000 concurrent sessions to 30,000 concurrent sessions. We did that over a weekend,” Blyth said.

    Employees working from home also prompted Colorado to devise a new way to patch its systems. Previously, the state IT agency pushed patches out over the VPN, which worked because the state assumed users would receive the updates while connected in their offices. But now, employees who aren't connected to the VPN all of the time may miss vital patches. This spurred the state to develop a new approach to patch management, Blyth said.

    Moreover, states may hire new employees during the pandemic who have never used state IT networks, said Deloitte Principal Srini Subramanian, a co-author of the 2020 cybersecurity survey.

    “There are workers, like contract tracers, who have never been state workers before and have never set foot in a state facility, yet they require access to state systems,” Subramanian said. These workers require immediate IT orientation and training.

    Centralized Management Proves More Robust and Agile

    A centralized structure helps CISOs position cybersecurity to be more agile, effective and efficient, the Deloitte-NASCIO survey says.

    The study reveals that 40 percent of the states operate in a federated model, where CISOs are responsible for enterprise policy with a mix of centralized shared services and agency-specific services. Another 10 percent operate in a decentralized model of cybersecurity governance, in which individual state agencies are responsible for their own network security following policy guidance from the state CIO.

    “As CISOs look to take on a more visible role in technology modernization and securing the workforce of the future, a centralized cybersecurity governance structure will position them for enhanced effectiveness. Fully three-quarters of state CISOs believe that a centralized model can most effectively improve the cybersecurity function,” the survey states.

    By adopting a centralized model, states may consolidate resources and unify silos across enterprise-level and agency-specific programs. For example, under a centralized model, 44 percent of states would have more than 51 full-time employees dedicated to cybersecurity, the survey notes.

    A centralized agency could pull from a stronger pool of skills to resolve challenges at individual agencies and provide flexibility to deploy resources to agencies with the most need.

    Check out more coverage from the NASCIO Annual 2020 conference, and follow us on Twitter at @StateTech, or the official conference Twitter account, @NASCIO,  and join the conversation using the hashtag #NASCIO20.

    Getty Images / VioletaStoimenova