While technology is certainly progressing at a rapid pace, as advanced persistent threats prove, the truth is that most IT security failures are the result of human error, whether through social engineering or a lack of communication.
Several state IT leaders gathered last month at the National Association of State Technology Directors Southern Regional Seminar and identified how their states are attempting to make security a permanent mindset, reports StateScoop.
Arkansas is ahead of the pack, since it has already “established a security architecture” for new projects, said Frank Andrews, chief security officer for Arkansas. Larger projects tend to latch onto this architecture and use it accordingly, but for smaller projects it’s easy — and tempting — to let security compliance slide.
This is where it’s important to keep the lines of communication open among the various state agencies. Andrews relies on the state’s customer relationship management agency for information and feedback, since the agency has the responsibility of guiding other agencies in the state through implementation on projects, according to StateScoop.
Georgia is another state that is running a tight security-architecture ship. Georgia Technology Services Officer Chris McClendon said his state takes a day-one approach to security considerations on all IT projects, regardless of size.
“Our customers have to submit a request for service for everything that they do,” McClendon said. “It goes through a formal design review process and the providers are incented to design it based on the security architecture.”
When it comes to succeeding with security initiatives, state IT leaders highlight the need to secure buy-in from non-IT leadership and stakeholders.
Often, that means showing value or ROI from the security investment.
“Show that your investment with these tools can help operationalize and quickly identify these [bad] users,” Ricardo Lafosse, CISO for Cook County, Ill., said last year at StateTech’s Cybersecurity Summit.
It’s also important to regularly engage the IT team responsible for deploying and managing security. While security awareness training and campaigns for end users and non-IT departments are great, the IT workers tasked with maintaining security should be challenged, rewarded and recognized as well, so they stay on their toes.
“Give them odd projects that [aren’t] the normal. Instead of upgrading the A/B system, create a honey pot,” Lafosse said.
Above all, give IT workers ownership and investment in upholding security.
“Give them a process, a function. Something to implement that’s going to make it theirs,” Paul Bivian, CISO for the City of Chicago, said at the Cybersecurity Summit.