Pennsylvania Adopts Cyber Scorecards

What if your agency’s website was down for two weeks because of a distributed denial-of-service attack?

How would you maintain operations? How would you communicate to citizens that critical online services were temporarily unavailable?

Erik Avakian, Pennsylvania’s chief information security officer, posed those questions to CIOs and security professionals across the state's agencies, but he didn’t stop there. Avakian, along with Pennsylvania's CIO and secretary of administration, has had similar conversations with state agencies’ deputy secretaries for administration and the governor's staff.

His message: “Yes, a cyberattack can impact your business,” Avakian also told attendees on Monday at CyberSecureGov 2014, a conference hosted by information security organization ISC2. He said CISOs have to speak the language of those who aren't security professionals and tie cybersecurity to business continuity.

By doing so, the state's Office of Administration was able to roll out a new initiative that will allow executives to see what security risks each agency is grappling with, compare risks among agencies and see how quickly issues are remediated. Think of it like a scorecard that the governor or CIO can view on a dashboard and use to monitor progress as new information comes into the system.

Automating Security

Currently, the scorecards are paper-based, and they indicate how well agencies are managing their risks. For example, the scorecards show what portion of the workforce has completed security awareness training, which critical applications are at risk and what vulnerabilities need to be fixed. So far, Avakian has met with 15 state agencies to discuss their risk assessment scores, but he expects Pennsylvania will automate this process in the next three to four months.

Using the RSA Archer enterprise governance, risk and compliance (eGRC) platform, state officials will have a more dynamic view of their security posture, and so will their fellow executives at other agencies. In the past, Avakian received little feedback from agencies in response to automated security scan reports from his office. Now, there will be more pressure on agencies to address deficiencies, as more data are accessible on the dashboard for their colleagues and heads of agencies to view.

The new system is like a workflow tool for security, and it will empower agencies to improve compliance with policies and mitigate risks — and to do so in a timely manner. There is also a component for self-assessments, which can provide a reality check by comparing agencies' responses to questions about data encryption and other security practices to actual data collected by the system.

For agencies, turning data into action is key, said Dan Waddell, director of government affairs for ISC2. Information from the dashboard can help agencies direct what limited funding they have to address their greatest needs.

But some CIOs may find it challenging to secure funding for automated tools or other security technologies. On average, security spending across states is about 1.5 percent of the entire budget, Avakian said.

Making a Business Case

He recommends that CISOs explain to their senior leaders how and why they are aligning their strategy with their CIOs’ vision and federal initiatives like the cybersecurity framework, which the National Institute of Standards and Technology developed with industry. From there, security professionals can explain what is needed to align with those efforts.

“You’re going to get them to listen a lot more because they see this as something we need, and they are more apt to give funding,” Avakian said.

When an investment is made, senior leaders also want to know how it benefits the agency. “That’s business talk: year over year reductions and increasing operating income,” Peter Gouldmann, director of information risk programs for the State Department’s Office of Information Assurance, said at the ISC2 conference.

“It’s just very difficult to see that return on insurance policies, and that’s essentially what information security has been presented as,” Gouldmann said.