State Leaders Upbeat on Cyberdefenses, But CISOs Show Less Confidence on Cybersecurity
Two surveys - one of top state government officials and the other of state chief information security officers - show a disconnect on how they view the security of state information systems.
A survey of 186 senior state officials - such as attorneys general, secretaries of state, budget and procurement officers and chiefs of police, conducted by Deloitte for the National Association of State Chief Information Officers - reveals that 60 percent of the leaders feel "very" or "extremely" confident in the security of their states' IT systems. That result doesn't jibe with a separate NASCIO study, which shows only one-quarter of 49 state CISOs surveyed had such high confidence levels. More than half of the CISOs said they were only "somewhat" confident that their states could defend themselves against external threats.
The deep faith among state officials in the government's ability to safeguard their digital assets could partly explain another survey result: Nearly half of the CISOs reported incremental increases to cybersecurity budgets but deemed the funding as insufficient.
"The reality is that, and I don't intend for this to sound mean or insulting, most state and local government officials are simply clueless about both the cybersecurity posture of their state governments and the current threat and vulnerability environment their states operate in every day," says Mark Weatherford, the former deputy undersecretary for cybersecurity at the U.S. Department of Homeland Security, who previously served as CISO in California and Colorado.
'It's Their Job to Know'
Although they were not surveyed by NASCIO, Weatherford says many governors and lawmakers are just as oblivious to cyberthreats as top appointed officials.
"They are clueless because this cybersecurity stuff ain't making cookies - it's hard, it's complex, and it's well beyond the scope of most elected officials who have a lot of other things to worry about. That does not, however, absolve them of responsibility because it's their job to know about the things that threaten the citizens of their states."
NASCIO Executive Director Doug Robinson, writing about the survey, says state leaders need to be better informed regarding the gravity of the cyber-threat and vulnerabilities facing state IT systems. "This disconnect may significantly undermine the CISOs' ability to gain funding and support for cybersecurity programs," he says.
Mississippi CIO Craig Orgeron, who serves as NASCIO president, says the survey paints a dire picture of the cybersecurity environment most states face. "What we have found is that insufficient funding, sophisticated threats and shortage of skilled talent threaten security and put state governments at risk," he says.
[Chart: State officials and CISOs are not aligned in their level of confidence in the states' abilities to protect against external cyberthreats. Source: National Association of State CIOs]
But whose fault is it that state leaders aren't adequately being informed about the security of states' IT systems, the officials themselves or the CISOs?
Many states have distributed IT operations, and appointed and elected officials might not have a clear understanding of how those systems function and are secured. "In big, spread-out organizations that don't necessarily have good centralized reporting, they really don't know what's going on out at the edges," says Gene Spafford, executive director of the Center for Education and Research in Information Assurance and Security at Purdue University.
"Often in those environments, people at a lower level will report up only the good news so the accountability isn't really there, either," says Spafford, a Purdue computer science professor. "They're not aware of all the issues and they're also probably putting a little too much faith in what they're being told."
Worries About Cybercrime
Still, with the higher visibility of cyber-incidents such as the Home Depot and Target breaches, governors and lawmakers are requesting formal reports on cybercrime and what's being done to combat it. Nearly 80 percent of the CISOs say they send reports to the governor, up from 60 percent in 2012. But most of those reports are generated on an ad hoc basis rather than on a regular schedule.
Weatherford, a principal at the security advisory firm The Chertoff Group, suggests something he tried, and failed, to do in California and Colorado: have the state CISO deliver a "cybersecurity state of the state" address at the beginning of the legislative session, and also have either DHS or the FBI offer cyber-threat briefings. "That would establish an important tone as legislators work through the legislative slate during the year," he says.