Aug 07 2023

How Vermont Is Broadening Its Cybersecurity Horizons

The state’s Agency of Digital Services is looking to establish a cybersecurity council to protect citizen data stored outside of government systems.

Cybersecurity remains an uphill battle for state and local governments, and agencies are always looking for ways to protect citizen data. The challenge is that government systems aren’t the only areas that need airtight cyberdefenses, since personally identifiable information sits in the networks of privately owned critical infrastructure industries, such as hospitals and public utilities.

Vermont is working to close cybersecurity gaps by establishing a Cybersecurity Advisory Council that would help protect citizen data located within critical infrastructure that’s outside of state government systems. The bill that proposes the creation of the council, known as H.291, passed the House and the Senate and was delivered to Gov. Phil Scott on June 13.

The council, led by Vermont’s Agency of Digital Services (ADS), would be a public-private partnership chaired by the Vermont CIO, now Denise Reilly-Hughes following the retirement of Shawn Nailor. State agencies could use their own cybersecurity learnings to bolster the cybersecurity of critical infrastructure. According to Nailor, who spoke with StateTech before his retirement about the future of the council, Scott signing the bill is the starting signal to bring council members together and make preparations.

Nailor said the council is to be composed of the state CIO and the state CISO along with representatives from a number of agencies and industries, including representatives from a state municipal water system, a hospital, a distribution or transmission utility, an electric utility, Vermont Emergency Management, Vermont Information Technology Leaders, the Vermont Homeland Security Unit and the Vermont National Guard.

Things aren’t up and running just yet, but Nailor says the council is set to kick off in earnest with initial meetings held by early September. 

“We’re trying to develop a model by which the Vermont government starts to have awareness of how others are using Vermonters’ information,” Nailor says. “Citizens look to their government to provide protections and services. Cybersecurity is starting to be among those things where citizens aren’t going to have the capability to assess if their utilities are prepared for cyber events.” 

Establishing a Statewide Baseline for Cybersecurity

With the cybersecurity council, Nailor and other council members aim to conduct a statewide landscape assessment of how prepared organizations are for cyberattacks. Are agencies on equal footing or do some need to catch up? Do organizations all have sound cybersecurity protocols? Are they doing routine tabletop exercises to stay alert? Are they complying with cybersecurity standards? The council would use the assessment to address these points.

Another important question to answer: Are organizations — public and private — working together? Nailor says that the council wants to bring a level of coordination between individuals across agencies and industries to create a more holistic approach to cyber preparedness. From there, the council could identify opportunities for the state to provide cybersecurity services — such as a security information and event management (SIEM) solution or a security operations center (SOC) — to organizations that don’t have the means to implement them on their own.

“Maybe a small organization has one person who’s their entire tech team. They manage the desktops and patch the servers, but they don’t have dedicated security services,” Nailor says. “By bundling security as a service and offering a white-glove, low-touch experience, we could monitor your stuff for you.”

ADS Looks to Launch Council as Organization Matures Technologically

Cybersecurity is always a priority, but Nailor says there are several reasons that ADS pushed to launch the cybersecurity council now. For one, Nailor says that ADS is now at the right level of maturity to do so. Six years ago, the organization centralized all technologists into one agency, built out its own SIEM and SOC, and is now ready to look outward. The frequency and voracity of cyberattacks also played a huge part.

“Two years ago, we just weren’t mature enough ourselves,” Nailor says. “But there’s also been a continuous bombardment of negative cyber news, whether it’s in the administration or under the golden dome in the state house. You get to a point where you say, ‘OK, we’ve got to do something.’”
