Cybersecurity Guidelines for New Governors

Information technology is no longer simply an enabler of government; it is ubiquitous in and crucial to every aspect and function of government. Governors today need to be as prepared to respond to IT-related disasters as they are for hurricanes, wildland fires and floods. A poorly managed disaster can tie up a governor’s agenda, potentially for years to come.

In preparation for IT and cybersecurity-related crises, incoming governors need to be familiar with the concerns of their Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs). A great place to start is the National Association of State Chief Information Officers (NASCIO). NASCIO recently published its annual list of the Top 10 Policy and Technology Priorities for state CIOs. New governors are strongly encouraged to keep these priorities in mind as they prepare for the upcoming budget cycle.

Cybersecurity and Risk Management Remains the #1 Priority

For the last 10 years, the number one concern of state CIOs has been cybersecurity and risk management. This includes a range of underlying issues, such as governance, budget and resource requirements, security frameworks, data protection, training and awareness, insider threats and third-party risk. While governors don’t need to understand the bits and bytes of cybersecurity, they should, at a minimum, understand the threats their states face and the negative impacts of a successful attack.

Immediate Actions to Take

There are a number of immediate actions that all governors, especially new governors, can take to ensure they understand the threats they face and are as prepared as possible to respond to a successful cyber attack:

  • Get a Threat Briefing from the IT Security Team: State CIOs and CISOs deal with attacks every day and can provide the governor with critical information about the number and nature of the attacks they’re defending against.
  • Get an Outsider’s View of Your State’s Networks: A third-party assessment, as well as a review of the state’s attack surface, will help provide independent insight into the security of the state’s networks, as well as the vulnerabilities that attackers can see.
  • Know Your State’s Cybersecurity Response Plan and Participate in Training Exercises: Just like natural disasters, a successful cyber attack is a question of when, not if. As such, governors need to know how to respond, and in short order. The first hours after an attack are crucial.

These are just a few foundational actions governors can take. Above all, governors must understand that cybersecurity is not an end state. Rather, it’s an ongoing core business function of government. Good security goes beyond “checkbox security” and establishes holistic, consistent, and dynamic security practices that evolve as threats evolve. Gubernatorial leadership is essential.

As states have modernized their technologies, so have the attackers. The result is that governors must remain ever vigilant to ensure continuity of services and the protection of their citizens. Towards that end, in addition to the perspectives their CIOs and CISOs can provide, governors can also benefit from broader initiatives, such as the National Governors Association’s Resource Center for State Cybersecurity and Palo Alto Networks Security Roundtable.