A report developed by the Center for Internet Security and partners presents a “call to action” for state government leaders on strengthening cybersecurity “governance” processes, with a series of recommended steps intended to help officials “maximize investments while securing their state[s].”
The report “presents four action steps and a set of eight tools to guide the decisions states must make and execute to respond to an ever-increasing and evolving threat to state assets and operations. This Call to Action is mindful of previous efforts of states’ cybersecurity initiatives and identifies governance as the missing ingredient.”
“Managing Cyber Threats Through Effective Governance” was developed by CIS, the Center for Technology in Government at the University at Albany, State University of New York, the National Governors Association, and the National Conference of State Legislatures.
“The four organizations conducted formal interviews with 13 sitting CIOs and CISOs and consulted with other organizations, Homeland Security experts, and cybersecurity experts to include: the National Association of State Chief Information Officers (NASCIO), and the University of Maryland,” according to CIS.
Among the state officials who contributed “frank and practical insights” to the authors was Chris DeRusha, the former CSO in Michigan who is now Chief Information Security Officer for the federal government.
“While every state has implemented cybersecurity programs, few have cybersecurity governance that effectively ensures that a state’s risk is managed to a level and in ways that have been determined to be, through formalized governance processes, acceptable to the governor and legislature,” according to the report.
“This Call to Action presents four steps to be taken by governors and state legislatures to establish or strengthen their cybersecurity governance,” urging states to:
- Establish Authorities through Executive Order and Legislation
- Formalize Key Processes
- Assign Roles and Responsibilities
- Monitor Indicators for Decision-Making and Adaptation
The report also cites eight tools “critical to states’ efforts to gain compliance, even within executive agencies, with the standard policies and procedures required to systematically manage risk. … These tools are critical for addressing the often weak or missing authority that executive agencies have to establish the interagency, intergovernmental, and inter-sectoral agreements that are necessary to formalize collaborations.”
The eight tools are:
- Enterprise Architecture
- Cyber Risk Assessments
- Control over IT Procurement and Acquisition
- Control over Network Connectivity
- Councils and Advisory Boards
- Complementary Legislation
- Collaboration and Shared Services Agreements
- Monitor Workforce Requirements and Close Gaps
The authors emphasize that, “Once established, cybersecurity governance must be agile, allowing cybersecurity programs to evolve as new threats that require adaptations in risk management strategies emerge. As smaller organizations become increasingly aware of their limits in understanding threats and managing their risk, they are looking to state partners for assistance. Expanding scope beyond executive level agency assets, to a ‘whole of state’ perspective that engages stakeholders across multiple sectors and levels of government in a coordinated and collaborative process of risk management, is increasingly recognized as an important step in managing a state’s cybersecurity risks.” – Charlie Mitchell