CISOs Must Take Bold Action to Ensure Cybersecurity, NASCIO Says


The National Association of State Chief Information Officers (NASCIO), in partnership with Deloitte, today released its new cybersecurity study, which argues CISOs need to launch three “bold initiatives” to ward off advanced cyber threats.

“With state CISOs enjoying a solid platform in an era of escalating cyber threats and the inevitable need to embrace technologies that introduce new cyber risks, it is now time to take bold action,” the report explained. “We encourage state CIOs and CISOs to consider bold initiatives that include a combination of key legislative and advocacy measures to gain significant additional resources to scale cybersecurity programs.”

The study, which gathered feedback from all 50 state CISOs, argues that CISOs need to advocate for dedicated cyber program funding, work as enablers of innovation, and partner with the private sector and academia.

“While CISOs and CIOs have done a tremendous job over the years developing much needed governance plans and building relationships with state leaders, the funding and talent needed to fully address cyber risk is not there,” said Srini Subramanian, principal, Deloitte & Touche, and state and local government risk advisory leader.

The report further highlighted that the time for CISOs to act is now, as technology becomes even more complicated and the risk of a cyber attack grows.

“When governors, legislators, and business and technology leaders collaborate, these bold initiatives are possible,” the report argued. “Indeed, CISOs need to continue to elevate themselves as business leaders and to embrace innovation to influence greater change. These bold plays become even more urgent as enterprises adopt greater connectivity, advanced technologies, and data-sharing.”

Budget Concerns

NASCIO and Deloitte have conducted their biennial cybersecurity survey since 2010, and in each of their five surveys, CISOs have listed lack of adequate budget as the top barrier they face when trying to address cybersecurity challenges. The report argues that to overcome this barrier, CISOs need to ensure their work is adequately addressed in the state budget. Currently, nearly half of U.S. states do not have a cybersecurity budget line item, NASCIO explains. To change this, NASCIO and Deloitte said that “CISOs should strive to establish a dedicated budget line item for cybersecurity as a subset of the overall technology budget.”

Not only does this move protect current funding, but it also sets the stage for requested budget increases.

“While the percentage of state IT spending on cybersecurity may be much lower than that of private sector industry and Federal agency enterprises of similar size, the line item can help state CISOs and CIOs give the state legislature and executive branch leaders the right level of visibility into state cybersecurity expenses in an effort to raise funding levels,” the report said.

Additionally, dedicated funding leads to greater change, according to NASCIO. The report’s authors said the 2018 survey results show that “Federal and state cybersecurity mandates, legislation, and standards with funding assistance result in more dramatic progress than those that are unfunded.”

On top of requesting funding from their state legislature and governors, the report said that CISOs should “[a]dvocate for and demand funding from large Federal agencies to implement their security requirements and controls.” The report points to successes in doing so in other areas, such as health, human services, and law enforcement and justice.

CISOs as Enablers of Innovation

While CISOs are inherently risk-averse, the report argued that they must help states embrace innovative and cutting-edge technology in a secure manner.

“CISOs should be at the forefront of the ‘Fourth Industrial Revolution’–digital disruption through emerging technologies such as artificial intelligence (AI), the Internet of Things (IoT), and smart government,” the report said.

During this year’s survey, CISOs ranked AI, IoT, smart cities, and blockchain technology near the bottom of their initiative list, indicating to NASCIO and Deloitte that these emerging technologies are not yet a priority for them. NASCIO and Deloitte urge CISOs to “actively participate with state CIOs in shaping the innovation agenda, collaborate with state digital and innovation officers, and lead the charge to help program leaders embrace and securely adopt new technologies.”

By leading the pack on new technologies, CISOs may have the opportunity to ensure higher cybersecurity standards.

“Being at the forefront of program and business innovation may afford the CISOs more opportunities to collaborate with other leaders to gain their support to advance cyber risk programs,” the report said. “Such early involvement can also help identify whether cybersecurity is baked into new applications of emerging technologies, technology evaluations, and procurements.”

Collaborate With Academia and Private Sector

CISOs are faced with challenges they cannot solve alone, and partnering with higher education and the private sector will help ensure their needs are met even if they lack the resources necessary.

“The enduring cybersecurity talent shortage and a persistent competency gap in the available talent require CISOs to cast a wider net for the right people to staff their teams,” the report said. “To address the talent shortage, CISOs can make use of public-private partnerships, developing contracting models with assured service levels for certain cybersecurity functions and competencies.”

While many CISOs have increased their use of outsourcing, according to survey data, more than half of U.S. states are not outsourcing key cybersecurity functions. The report explains that outsourcing can be a “significant opportunity as states continue to struggle with hiring and retaining qualified security staff.”

On top of outsourcing, working with local colleges and universities can help states set up a pipeline of talent through internship programs, co-ops, and apprenticeships.

“Simply put, the time is now to be bold in state cybersecurity,” concluded Bo Reese, CIO of Oklahoma and NASCIO’s president.
