NASCIO 2020: Pandemic Bolsters the Case for Centralized Cybersecurity

Annual Deloitte-NASCIO Cybersecurity Study examines how working from home makes the case for consolidating states' overall security posture.


State CISOs have worked with remote workforces to strengthen cybersecurity during the pandemic, according to an annual cybersecurity survey by Deloitte and the National Association of State Chief Information Officers.

During the NASCIO 2020 Annual Conference on Wednesday, the association released "States at Risk: The Cybersecurity Imperative in Uncertain Times," which revealed that 52 percent of respondents had less than 5 percent of staff working remotely prior to the pandemic. But after COVID-19 hit, 35 states reported that more than half of their employees were working remotely. Nine states support a workforce where more than 90 percent work from home.

Since the pandemic closed state offices in March, CISOs have worked to establish safeguards for teleconferencing and collaboration solutions and to secure system access with multifactor authentication.

    States Face a Wide Range of Cybersecurity Challenges

    According to the survey, these are the top security measures established or reinforced by CISOs during the pandemic:

    1. Safeguard teleconferencing and videoconferencing
    2. Establish secure work connections with MFA
    3. Provide guidance on phishing and disinformation campaigns
    4. Update continuity of operations plans
    5. Provide continuous guidance on COVID-19 scams

    At a Wednesday panel about the survey during the NASCIO annual conference, speakers agreed that COVID-19 has challenged continuity and amplified gaps in cybersecurity.

    Discouraging the use of shadow IT has been a challenge, said North Carolina State Chief Risk Officer Maria Thompson, whose state follows a decentralized cybersecurity governance model.

    “We found ourselves being more educators, not just on cyber awareness principles but also on approved solutions and the policies around them,” Thompson said. Workers may not see the perils of innocently using a personal application to support an official conference, for example.

    Colorado CISO Debbi Blyth said the pandemic has required more technical support from her agency, which has centralized cybersecurity governance across state agencies.

    “In Colorado, we had to spin up our VPN from 10,000 concurrent sessions to 30,000 concurrent sessions. We did that over a weekend,” Blyth said.

    Employees working from home also prompted Colorado to devise a new way to patch its systems. Previously, the state IT agency pushed patches out over the VPN, which worked because the state assumed users would receive the updates while connected in their offices. But now, employees who aren't connected to the VPN all of the time may miss vital patches. This spurred the state to develop a new approach to patch management, Blyth said.

    Moreover, states may hire new employees during the pandemic who have never used state IT networks, said Deloitte Principal Srini Subramanian, a co-author of the 2020 cybersecurity survey.

    “There are workers, like contact tracers, who have never been state workers before and have never set foot in a state facility, yet they require access to state systems,” Subramanian said. These workers require immediate IT orientation and training.

    Centralized Management Proves More Robust and Agile

    A centralized structure helps CISOs position cybersecurity to be more agile, effective and efficient, the Deloitte-NASCIO survey says.

    The study reveals that 40 percent of the states operate in a federated model, where CISOs are responsible for enterprise policy with a mix of centralized shared services and agency-specific services. Another 10 percent operate in a decentralized model of cybersecurity governance, in which individual state agencies are responsible for their own network security following policy guidance from the state CIO.

    “As CISOs look to take on a more visible role in technology modernization and securing the workforce of the future, a centralized cybersecurity governance structure will position them for enhanced effectiveness. Fully three-quarters of state CISOs believe that a centralized model can most effectively improve the cybersecurity function,” the survey states.

    By adopting a centralized model, states may consolidate resources and unify silos across enterprise-level and agency-specific programs. For example, under a centralized model, 44 percent of states would have more than 51 full-time employees dedicated to cybersecurity, the survey notes.

    A centralized agency could pull from a stronger pool of skills to resolve challenges at individual agencies and provide flexibility to deploy resources to agencies with the most need.
