NASCIO 2016: Governors Increase Focus on Cybersecurity


Governors are increasing their focus on cybersecurity in state and local government, but challenges remain in terms of budget allocations and finding qualified people, according to the findings of the bi-annual Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study. The survey was released today in conjunction with NASCIO’s Annual Conference, currently underway in Florida.

“I think governors are starting to focus in more on cybersecurity in a tangible way,” said Srini Subramanian, principal at Deloitte and state government cyber risk services leader, in an interview with CivSource. Subramanian worked with NASCIO on the findings. “Cybersecurity was a top issue at the recent National Governors Association meeting, but there’s still a way to go in terms of that awareness equating to budget and resources going toward cybersecurity.”

Right now, much of that awareness is tied up in monthly reporting plans. According to the respondents, 29 percent are required to present a cybersecurity report to the governor’s office on a monthly basis. That’s an increase over when the survey was done in 2014. At that time, only 17 percent of respondents said they had to present monthly reports to the governor. Another 39 percent of respondents to the 2016 survey said they present reports to the governor on an ad hoc basis.

Despite an increase in the governor-level awareness of cybersecurity, the most significant challenge for state chief information security officers (CISOs) in 2016 remains a lack of sufficient funding. Most state cybersecurity budgets are hovering between zero and 2 percent of their overall information technology budget. “We’re seeing cybersecurity become a more significant part of government operations, but with a spend of only 1-2 percent of the total budget, government is going to be limited in what it can ultimately do,” Subramanian added. “By way of comparison, that 1-2 percent figure has held steady year-over-year at the state government level, meanwhile, we’ve seen a 35 percent increase at the federal level just this year.”

With such a tight budget, many states are relying on a training and awareness approach to cybersecurity. 39 percent of those surveyed said they were using things like strong passwords or staff training to try to help people spot potential points of attack. Another 37 percent said they were engaged in cybersecurity monitoring. But only 29 percent said they had been able to fully operationalize their cybersecurity strategy.

Lack of budget also leads to complications when it comes to finding high-quality staffers, as compensation levels can often lag behind what’s available in the private sector.

Government CISOs have been able to outsource some of their operations to third-party providers; however, survey data shows that’s not always the most seamless approach. 65 percent of respondents said they were only “somewhat confident” with the security measures third-party technology service providers were taking. The remaining 22 percent said they were “not very confident”. According to Subramanian, part of the issue is that state CISOs are relying solely on service level agreements and assurances in contracts that third parties were doing their best. “State CISOs will have to start doing audits and getting tougher on third parties, similar to what we have seen in the private sector, if they want to be assured they’re getting all they have paid for,” he said.

The full findings are available here.