As cyber threats increase in sophistication and force, securing state government IT systems has never been more challenging. Just in time for National Cybersecurity Awareness Month, the findings of a new study from Deloitte and the National Association of Chief Information Officers show states need more funding and influence to better protect data.
Based on responses from 49 states, the 2010 Deloitte-NASCIO Cybersecurity Study shows progress since the survey was last conducted in 2006. However, staffing and resources remain a struggle.
"Many state [chief information security officers] lack the visibility and authority to effectively drive security down to the individual agency level," said Srini Subramanian, a director at Deloitte & Touche and leader of state government security and privacy services. "At the federal level, the president has recognized the critical nature of the problem and appointed a cybersecurity coordinator to address it; it's imperative that governors and state legislative leaders make cybersecurity a priority."
At the NASCIO annual conference this week in Miami, Deloitte executives and CISOs gathered for a briefing covering the survey's results.
The good news is that 92 percent of respondents have an established CISO position. Most state CISOs report to the CIO, the state IT director, or equivalent. This is up 22 percent from the 2006 study.
In terms of how state information security models are structured, the federated model is most common, as chosen by 51 percent of respondents. The most common functions CISOs are responsible for include information security strategy and planning, incident management and IS governance, said Kristen Miller, a senior manager in Deloitte's public-sector practice.
States are converging on the National Institute of Standards and Technology's risk assessment framework, Payment Card Industry Data Security Standard, and Federal Information Security Management Act regulations. But without a federal mandate, such compliance efforts aren't likely to be fully achieved. "It kind of becomes the 10 suggestions, not the 10 commandments," said Michigan Chief Technology Officer Dan Lohrmann.
"If technology is the business enabler for the state, security is the enabler of technology," said Nevada CISO Chris Ipsen. Engaging business stakeholders in security strategy is likely to lead to better adoption of security standards within business applications, according to an audience poll.
Declining security budgets are a big concern for state CISOs. A full 88 percent consider lack of sufficient funding to be the greatest barrier to information security. The study suggests seeking help through Department of Homeland Security grants or emergency management agencies. Panelists point out that states run a proliferation of federal programs, such as Health and Human Services and food stamps. "Security is in a lot of different categories, so follow the money," Lohrmann recommends.