A recent Deloitte and National Association of State Chief Information Officers (NASCIO) study found five cybersecurity barriers working against state and local government organizations’ ability to improve their security posture. According to the study, only 36% of U.S. states have a dedicated cybersecurity budget line item, and most states allocate less than 3% of their total IT budget to cybersecurity.
This funding seems far from adequate given the cybersecurity megatrends impacting state and local government organizations:
Chief information officers (CIOs), chief information security officers (CISOs) and their teams had a Herculean task in setting up hundreds or thousands of “branches of one” when the COVID-19 pandemic forced employees to work from home. Many organizations accessed emergency funding to fortify endpoints and make other investments in emergency connectivity. Now, they face the daunting challenge of modernizing their IT infrastructure to secure long-term work-from-home and hybrid work arrangements, ensuring their networks are well-supported, engaged and reliable for users.
Like many businesses, state and local governments widened their embrace of software-as-a-service (SaaS) and cloud computing during the pandemic. However, the proliferation of these workloads has led to a staggering lack of visibility into what’s happening with devices, users and data across the many clouds.
This blind spot is now a black hole for many organizations as their workers, who are fed up with cumbersome and unreliable connections, are turning off secure VPNs to connect to the cloud directly to access apps and services. This behavior is understandable: connecting to the enterprise through the cloud to access the cloud again is downright inefficient. However, it’s also greatly expanding the attack surface.
A larger attack surface means a greater risk of cyberattacks, and state and local governments are already prime targets for malicious actors. Attackers recognize these organizations can be easy to compromise because they rely on legacy technology with known vulnerabilities and lack the resources to keep it updated. In addition, cybersecurity training for staff is often inadequate.
State and local governments, along with their security teams, clearly have some significant cybersecurity challenges to solve. Here’s a closer look at the cybersecurity barriers impeding their progress, which were identified in the Deloitte-NASCIO study. We offer a few suggestions for navigating them:
Cybersecurity needs to be included in the operational budget; it can’t be an IT budget line item. Why? Because cybersecurity must be part of the overall business strategy.
Viewing cybersecurity as integral to supporting and protecting the business of government often requires a mindset shift among top leadership. Proactive, substantive conversations on this topic must occur, and the CIO must be invited to the head table to engage in discussions and planning. This dialogue can help move the cybersecurity budget from insufficient to appropriate.
Hiring skilled cyber talent is an ongoing challenge for state and local governments. Engaging specialized or contract-based talent on a project basis can help them get work completed on time.
That said, cybersecurity projects can’t be treated as one-off initiatives. They must be strategic and linked to business outcomes, as well as help the organization create a strong foundational layer of security to build on. Most importantly, the resulting platform must make tool and app integration easier, laying the groundwork to use machine learning, automation and other technologies to help overcome cybersecurity staffing challenges.
Modernizing IT and adopting new tools, including those that provide insight into the cloud, are vital to-dos for state and local governments.
Now is a good time for CIOs and CISOs to seek buy-in from leadership for this type of change. As the Deloitte-NASCIO report explains, security teams have been able to demonstrate the value of cybersecurity to the business during the pandemic, and security leaders should now work to keep the forward momentum going strong as organizations plan for the future.
Security costs need to be addressed at the onset of any IT project. And again, there must be dedicated funding for cybersecurity in the operational budget. Answering the question, “How much is needed?” will depend on what the organization wants to accomplish to increase its security posture, since there is no one-size-fits-all approach.
C-suite conversations that include the CIO can help determine what’s needed, where it’s needed and how much it will cost.
State and local governments are challenged when it comes to competing for in-demand cybersecurity talent, so they must make the best use of the talent they have. Being strategic and time-bound with cybersecurity projects can help them deploy talent effectively and budget for additional temporary resources when necessary.
Improving cybersecurity is a heavy lift for state and local governments. No one technology is going to solve all challenges, which is why CIOs need technologies that will work together to help protect the business of government. To overcome key cybersecurity barriers to progress, cybersecurity must be at the foundation of every project, and every initiative, large or small, should be considered individually, holistically and with an eye toward the future.
Get more insight on how state and local governments can improve their security posture in my previous post on creating a well-planned response to an inevitable cyberattack.