Cybersecurity chiefs across state governments struggle with insufficient staffing and difficulty obtaining visibility across the state’s enterprise, officials agreed on Tuesday during a panel at the Annual Conference of the National Association of State Chief Information Officers.
The biennial cybersecurity survey of state CISOs conducted by NASCIO and Deloitte identified a lack of talent and challenges with serving the “whole of state” as chief obstacles to government cybersecurity efforts.
“We have been talking about talent as being in a state of crisis for state government with respect to cybersecurity for the past several years. This is only getting more and more complicated,” said Deloitte Principal Srini Subramanian.
Two of the top five barriers to maintaining effective cybersecurity identified in the 2022 NASCIO-Deloitte cybersecurity survey report, “State Cybersecurity in a Heightened Risk Environment,” relate to cyber talent, Subramanian added. Those include a lack of qualified cybersecurity professionals and inadequate staffing.
Talent Gap Remains a Significant Barrier to Cybersecurity Coverage
Addressing the challenges to states’ cybersecurity workforces, Subramanian said, “When it comes to the number of full-time equivalents for cybersecurity professionals that are available at the disposal of the state CISOs, the number has stayed the same for the last two years. There is not a huge difference in the number of professionals employed by the state.”
Most states have five to 16 full-time professionals, he added. States also have long hiring processes, which diminish the pool of available talent.
“It takes a long time to hire people, even at the entry level. When we are talking about the executive level, like the CISOs, the average time-to-hire is more than six months,” Subramanian said.
Subramanian believes public service is still attractive to younger job seekers, but they may not care about traditional perks like job stability and retirement plans. Young workers prioritize work-life balance and flexibility, as well as the opportunity to gain skills, he added.
More state governments thus could attract applicants by offering remote work. According to the NASCIO-Deloitte survey, only 25 percent of state CISOs offer remote work as an incentive for new hires.
Speaking on the NASCIO panel, Connecticut CISO Jeff Brown said his state’s workers have been operating remotely since the beginning of the pandemic, although the status is reviewed every six months.
Michigan CIO and CISO Laura Clark told the panel that her state maintains a hybrid work environment, and they do so with the goal of providing support to all of their customers, all week.
“We quickly asked, do we really want to bring the entire security operations center back on the same two days a week? Because if we have an illness in the security operations center, we don’t want to take everybody out at the same time,” Clark said.
So, the state IT agency staggers employees’ remote workdays, asking them to work in the office two days a week. While doing so, the agency strives to build a cross-functional team that can upskill and can cover a range of responsibilities. At the same time, the agency incorporates technology to solve problems as often as possible.
“We are never going to be able to get enough hands on keyboards and eyes on screens to continue with the trends we see from the data,” Clark said.
Whole-of-State Cybersecurity Cooperation Faces Obstacles
The cybersecurity talent gap also hurts the CISO’s capacity to support the whole of state. The whole-of-state concept recognizes that state and local agencies operating in the same geographic regions share cybersecurity concerns and thus should work together to better defend IT systems.
“We are being hit by an increasing number of attacks on a daily basis, and our digital services are being demanded at a higher level while we are trying to work through the talent gap,” Clark said.
For a long time, NASCIO and Deloitte pushed a centralized cybersecurity model, Subramanian explained, but in the past three years, they shifted to the whole-of-state approach. State and local agencies may not report to the state CISO, but the CISO might encourage a common approach and pooled resources to the benefit of all.
Still, the NASCIO-Deloitte study revealed that many local governments have not adopted state shared services, suggesting there is much more work to be done, both to establish services and to promote them. Sometimes language is a barrier: Only 24 states have job classifications consistent with cybersecurity workforce best practices. The title of IT administrator, for example, is not ideal for a cybersecurity professional.
Michigan was a leader in offering support to local governments through a CISO as a Service initiative, where the state could detail professionals to assist local agencies upon request. Clark shared some lessons learned from that program, including difficulties in scalability, a lack of trust and understanding, and a need for working relationships and continuous conversations.
From that experience, Michigan state government now meets monthly with local governments that want to share expertise, conducts tabletop exercises with interested parties and talks in-person with those who seek deeper conversations, Clark said.
“You must understand the regional issues so that you can help address those and have the conversation they want to have and not the conversation you want to have,” Clark said.
Brown emphasized the importance of executive support and having an engaged governor. He also said one simple thing to do is to encourage state and local agencies to join the Multi-State Information Sharing and Analysis Center (MS-ISAC), which offers free resources to governments to support improving their cyberdefenses.
Connecticut has more than 200 government organizations participating in the MS-ISAC, Brown said.