Nailor said the council is to be composed of the state CIO and the state CISO along with representatives from a number of agencies and industries, including representatives from a state municipal water system, a hospital, a distribution or transmission utility, an electric utility, Vermont Emergency Management, Vermont Information Technology Leaders, the Vermont Homeland Security Unit and the Vermont National Guard.
Things aren’t up and running just yet, but Nailor says the council is set to kick off in earnest with initial meetings held by early September.
“We’re trying to develop a model by which the Vermont government starts to have awareness of how others are using Vermonters’ information,” Nailor says. “Citizens look to their government to provide protections and services. Cybersecurity is starting to be among those things where citizens aren’t going to have the capability to assess if their utilities are prepared for cyber events.”
Establishing a Statewide Baseline for Cybersecurity
With the cybersecurity council, Nailor and other council members aim to conduct a statewide landscape assessment of how prepared organizations are for cyberattacks. Are agencies on equal footing or do some need to catch up? Do organizations all have sound cybersecurity protocols? Are they doing routine tabletop exercises to stay alert? Are they complying with cybersecurity standards? The council would use the assessment to address these points.
Another important question to answer: Are organizations — public and private — working together? Nailor says that the council wants to bring a level of coordination between individuals across agencies and industries to create a more holistic approach to cyber preparedness. From there, the council could identify opportunities for the state to provide cybersecurity services — such as a security information and event management (SIEM) solution or a security operations center (SOC) — to organizations that don’t have the means to implement them on their own.
“Maybe a small organization has one person who’s their entire tech team. They manage the desktops and patch the servers, but they don’t have dedicated security services,” Nailor says. “By bundling security as a service and offering a white-glove, low-touch experience, we could monitor your stuff for you.”
ADS Looks to Launch Council as Organization Matures Technologically
Cybersecurity is always a priority, but Nailor says there are several reasons that ADS pushed to launch the cybersecurity council now. For one, Nailor says that ADS is now at the right level of maturity to do so. Six years ago, the organization centralized all technologists into one agency and built out its own SIEM and SOC, and it is now ready to look outward. The frequency and voracity of cyberattacks also played a huge part.
“Two years ago, we just weren’t mature enough ourselves,” Nailor says. “But there’s also been a continuous bombardment of negative cyber news, whether it’s in the administration or under the golden dome in the state house. You get to a point where you say, ‘OK, we’ve got to do something.’”