The Public Eye with Eric Chabrow

State Leaders Upbeat on Cyberdefenses

But CISOs Show Less Confidence on Cybersecurity
Mark Weatherford sees need for "Cybersecurity State of the State" address.

Two surveys - one of top state government officials and the other of state chief information security officers - show a disconnect on how they view the security of state information systems.

A survey of 186 senior state officials - such as attorneys general, secretaries of state, budget and procurement officers and chiefs of police - conducted by Deloitte for the National Association of State Chief Information Officers reveals that 60 percent of these leaders feel "very" or "extremely" confident in the security of their states' IT systems. That result doesn't jibe with a separate NASCIO study, which shows that only one-quarter of the 49 state CISOs surveyed had such high confidence levels. More than half of the CISOs said they were only "somewhat" confident that their states could defend themselves against external threats.

The deep faith among state officials in the government's ability to safeguard its digital assets could partly explain another survey result: Nearly half of the CISOs reported incremental increases to their cybersecurity budgets but deemed the funding insufficient.

"The reality is that, and I don't intend for this to sound mean or insulting, most state and local government officials are simply clueless about both the cybersecurity posture of their state governments, and the current threat and vulnerability environment their states operate in every day," says Mark Weatherford, the former deputy undersecretary for cybersecurity at the U.S. Department of Homeland Security, who previously served as CISO in California and Colorado.

'It's Their Job to Know'

Although they were not surveyed by NASCIO, Weatherford says many governors and lawmakers are just as oblivious to cyber-threats as top appointed officials.

"They are clueless because this cybersecurity stuff ain't making cookies - it's hard, it's complex, and it's well beyond the scope of most elected officials who have a lot of other things to worry about. That does not, however, absolve them of responsibility because it's their job to know about the things that threaten the citizens of their states."

NASCIO Executive Director Doug Robinson, writing about the survey, says state leaders need to be better informed regarding the gravity of the cyber-threat and vulnerabilities facing state IT systems. "This disconnect may significantly undermine the CISOs' ability to gain funding and support for cybersecurity programs," he says.

Mississippi CIO Craig Orgeron, who serves as NASCIO president, says the survey paints a dire picture of the cybersecurity environment most states face. "What we have found is that insufficient funding, sophisticated threats and shortage of skilled talent threaten security and put state governments at risk," he says.

[Chart] State officials and CISOs are not aligned in their level of confidence in the states' abilities to protect against external cyberthreats. Source: National Association of State CIOs

But whose fault is it that state leaders aren't being adequately informed about the security of their states' IT systems: the officials themselves or the CISOs?

Many states have distributed IT operations, and appointed and elected officials might not have a good understanding of how those systems function and are secured. "In big, spread-out organizations that don't necessarily have good centralized reporting, they really don't know what's going on out at the edges," says Gene Spafford, executive director of the Center for Education and Research in Information Assurance and Security at Purdue University.

"Often in those environments, people at a lower level will report up only the good news so the accountability isn't really there, either," says Spafford, a Purdue computer science professor. "They're not aware of all the issues and they're also probably putting a little too much faith in what they're being told."

Worries About Cybercrime

Still, with the higher visibility of cyber-incidents such as the Home Depot and Target breaches, governors and lawmakers are requesting formal reports on cybercrime and on what's being done to combat it. Nearly 80 percent of the CISOs say they send reports to the governor, up from 60 percent in 2012. But most of those reports are generated on an ad hoc basis.

Weatherford, a principal at the security advisory firm The Chertoff Group, suggests something he tried, and failed, to do in California and Colorado: Have the state CISO deliver a "cybersecurity state of the state" address at the beginning of the legislative session, and also have either DHS or the FBI offer cyber-threat briefings. "That would establish an important tone as legislators work through the legislative slate during the year," he says.

What do you think of Weatherford's idea? Please comment in the space below.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
