During October, Deloitte and NASCIO worked together on a survey that examined cybersecurity initiatives in state governments nationwide. The report, “State Governments at risk: A Call to Secure Citizen Data and Inspire Public Trust,” painted a grim picture for cybersecurity at the state level. More recently, CivSource spoke with Srini Subramanian, director of state government security and privacy services at Deloitte, about the survey and what states can do to overcome cybersecurity challenges.
State governments maintain the most comprehensive collection of individuals' Personally Identifiable Information (PII) – between benefits records, driving records and tax information, state offices have almost as much information about their citizens as individuals have about themselves. However, many states suffer from a lack of funding, authority, programs and resources to keep this information safe. Subramanian notes that in many cases, state CISOs rarely even have the authority to get started: “many state CISOs lack the visibility and authority to effectively drive security down to the individual agency level.”
According to Subramanian, most states have a documented cybersecurity strategy, but there are significant challenges with execution. The CISO may not have the authority to execute across agencies, or may not even have security counterparts in all areas. At the federal level, by contrast, agencies can revert to the Federal Information Security Management Act (FISMA), which provides a unified plan for cybersecurity issues that is designed to address authority challenges.
All of this leads to the question of what states can do to manage this situation more effectively in an environment where state budgets and state employees are already stretched to the brink. Subramanian says that starting with governance issues can be one solution: “too many state CISOs have only dotted line relationships within agencies, giving them no real connection to what’s happening with information security. States that establish CISO authority through statute can create more effective outcomes.”
Another area to examine is personal identity management. According to Subramanian, 20% of identity breaches reported last year were from state and local governments. Having the number that high points to a significant problem with information security, and may warrant involvement from state Departments of Homeland Security. Homeland Security Departments typically have security risk frameworks that can be extended to afford more protection to cities and counties. Subramanian also noted that some states are forming digital identity working groups to find solutions.
Ultimately, it's time for states to really engage on this issue and realize that security in cyberspace is a fluid and ongoing process. Subramanian argues that despite budget woes, states can act to work on these issues and even save money if they focus on best practices and view it as an evolving response instead of a single budget allocation. States also need to work with each other and the private sector to find solutions that may also lead to shared costs. For more in-depth information, the full report is available here.