Mar 26 2019
How Government CIOs Prioritize Their Security & Risk Management Strategies
Learning about specific best practices used by technology executives and how they guard against security breaches.
The past five years have seen an unprecedented rise in the risk to government institutions from bad actors who have weaponized technology to foment discord, disseminate misinformation and inflict damage on government services, infrastructure, and the public trust.
Cyber-attacks against local, state and federal government agencies are increasing. A 2016 Government Accountability Office report found that between 2006 and 2015, the federal government alone saw a 1,300% increase in information security-related incidents. Confronting and managing these risks is the job of the public-sector CIO. These growing cyber-risks have become a critical inflection point for how states balance competing tactical and strategic priorities.
Those looking to inflict harm on government institutions do so for many reasons: the challenge of the hack itself, material gain, or a desire to undermine the fabric of our democracy. While nation-states pose the most serious threat, organized criminals, hackers and cybercriminals motivated by personal gain also represent a salient threat.
Each fall, state CIOs gather for an annual conference sponsored by the National Association of State Chief Information Officers (NASCIO). This conference is an important time for public-sector technology thought leaders to discuss areas of mutual concern, develop strategies, assess priorities and learn from the successes, or failures, of their peers.
At the end of the annual conference, NASCIO publishes a list of the Top 10 collective priorities of state CIOs. At the top of the list for the past few years has been Security and Risk Management.
How then do public sector CIOs address and prioritize their security and risk management strategies?
Develop a Risk Intelligence Strategy
Fortunately, public-sector CIOs are not entirely on their own when it comes to risk intelligence. The level of collaboration and information sharing between government agencies has been steadily improving since the events of 9/11 and has accelerated even more in recent years. The Department of Homeland Security has an array of programs designed specifically to assist state and local governments with risk intelligence. Moreover, many public-sector CIOs have been granted special security clearances that give them access to the latest threat information and intelligence from the federal government.
The federal government has published a Cybersecurity Risk Determination Report and Action Plan that identifies four core actions necessary to address cybersecurity risks across the enterprise:
- Increase cybersecurity threat awareness among government entities by implementing the Cyber Threat Framework to prioritize efforts and manage cybersecurity risks;
- Standardize IT and cybersecurity capabilities to control costs and improve asset management;
- Consolidate agency Security Operation Centers (SOC) to improve incident detection and response capabilities; and
- Drive accountability through improved governance processes, recurring risk assessments, and the engagement of leadership.
Public-sector CIOs are also embracing other frameworks, standards and best practices, such as those found in ISO/IEC 27000, the Federal Information Security Management Act (FISMA) and the publications of the National Institute of Standards and Technology (NIST).
Frameworks are vitally important, but they only take you so far – it’s also about management and leadership. While this can be especially difficult in a politically driven environment, CIOs must nonetheless strive to be a catalyst for change.
Develop a Cloud Services Strategy
State CIOs have identified the importance of a strategy for the use of cloud services as their number two priority.
According to NASCIO, they are looking at different deployment models and want to create “scalable and elastic IT-enabled capabilities provided ‘as a service’” for constituents.
CIOs face several challenges when looking at cloud services. Many states have mature on-premises technologies and software that provide essential services to citizens and which cannot be easily moved to the cloud. Other services, such as messaging, collaboration and file sharing services might be easier to migrate but may complicate administration and require the organization to support parallel environments while migrations are underway.
In their overview of enterprise cloud security, Gartner recommended that technology leaders responsible for governing cloud market opportunities and adoption should:
- Ensure strategy and policy logically fit together and drive correct behavior, preferably through facilitation rather than regulation. To achieve this, use constructive, clear and direct language.
- Review existing or proposed cloud strategies and usage policies against this research to identify relevant gaps; validate your approach and deliver pragmatic guidance, and
- Take a differentiated — in many cases, bimodal — approach toward cloud adoption, by balancing risk and due diligence with rapid acquisition and deployment of cloud services.
Further complicating any migration to the cloud, in whole or in part, is identity governance, administration, and user authentication. This is a complex and layered topic and not one that we can adequately cover in this whitepaper.
An organization’s user identities are critical to the smooth and secure integration of cloud G2B or G2C services, yet they are often one of an organization’s greatest vulnerabilities. In their 2017 Data Breach Investigations Report, ITC Security Magazine summarized that most data breaches involved end-user credentials that had been compromised using rather simple and all-too-common techniques.
Balancing Priorities and Risks
Public-sector technology leaders understand the risks facing their governments and how best to confront the threat. That’s the easy part. Getting the required support and funding is the challenge. Government administrations and state lawmakers face many conflicting demands and they struggle to make the most of a limited pool of resources.
Everyone in public service is expected to do more with less, so priority setting is inevitable. A technology leader’s priorities must therefore compete against a long list of other needs, whether healthcare, homelessness, public safety, child welfare, transportation, debt service, or a myriad of others.
As a result, CIOs are looking at new ways to address risk within their limited resources. These include making changes in modest increments, looking for cost-effective interventions available in the private market, and partnering with peer states.
But barriers still exist. Following the 2018 Annual CIO Conference, NASCIO summarized state CIO input on the question, “What major barriers does your state face in addressing Cybersecurity?” The CIOs’ responses are summarized below.
The Low-Hanging Fruit
While technology leaders in all markets are challenged by competing priorities and limited funds, they can and do take some very basic and meaningful actions: the “low-hanging cybersecurity fruit,” if you will. Here are a few of the most common steps that state technology leaders take to help reduce cybersecurity risk.
- Increased emphasis on security awareness training. Many states have enacted legislation or state policy that mandates annual cybersecurity training for employees.
- Implementing an enterprise-wide fine-grained password policy. Increasing the complexity required of end users’ passwords and how often they must be changed helps reduce or eliminate account compromise.
- Requiring the use of multi-factor authentication for system administrators and anyone handling regulated or restricted information. States use MFA to add a further layer of protection to critical user accounts.
- Keeping current on upgrades and critical software patches. By keeping critical systems updated and patched, states can reduce another potential vulnerability in their environment.
- Implementation of defense-in-depth. The state creates layers of protection and redundancy to protect valuable data and information. If one layer fails, another layer can step in to thwart an attack.
As the nation’s cyber-threat landscape changes, public-sector technology leaders are working hard to keep up. They seek to leverage every tool, solution, and resource available to protect their state’s infrastructure and data from attack.
It’s clear that CIOs are trying hard to create a proactive security culture in their states and to address cyber-risk head-on. Ultimately, effective risk mitigation begins with strong executive sponsorship and leaders who encourage staff to take cybersecurity seriously. State CIOs and CSOs cannot do this alone.