The title of a new cybersecurity report – State governments at risk: Time to move forward (PDF) – shows how its sponsors view the state of cybersecurity today. The 2014 Deloitte-NASCIO Cybersecurity study makes at least two clear conclusions: cybersecurity is the primary concern of many state CIOs and state Chief Information Security Officers, and also that the concerns of CIOs and CISOs are well-founded. The report paints a cybersecurity landscape evolving in complexity and breadth on a daily basis.
The 31-page report released Oct. 1 reveals a maturing CISO role and an acknowledgement of security risks, but also common institutional challenges such as a confidence gap between CISOs and the average state official, and an insufficient security budget. Given these challenges and trends, the report outlines a call to action, noting the need for organizations to thoroughly govern their cybersecurity postures.
Trends and Challenges
The report highlights several key trends that establish the challenge landscape that security professionals must traverse. The CISO role is maturing, with 98 percent of organizations having a CISO position, and 89.8 percent of those reporting directly to the CIO. There is also no confusion about what a CISO does, as more than 96 percent of CISOs were shown to share similar top five job functions (see graph at left).
The report also showed a gap between the confidence of state officials (60 percent) and CISOs (24 percent) in an organization’s ability to protect against external attacks. More than 47 percent of organizations showed a year over year budget increase, but still 75.5 percent of organizations cited budget constraints as a challenge. The lack of sufficient talent was cited as the No. 3 challenge of 59 percent of CISOs, with 90 percent of respondents citing salary as the top barrier to proper staffing.
The top five security initiatives cited by the report include risk assessment (53.1 percent), training and awareness (49 percent), data protection (42.9 percent), continuous security events monitoring and security operations centers (40.8 percent, new for this year’s report), and incident response (30.6 percent, also new for the year’s report).
Amid many graphics, statistics and descriptions of today’s cybersecurity challenges, the report also attempts to provide strategies for an organization to move forward.
The idea that the CISO’s role may have become too diverse in scope could be alleviated by separating the role into three broad areas: governance, risk and compliance; privacy; and security technology and operations. Diving the roles and responsibilities would allow the CISO to continue managing the strategic and risk management and regulatory and compliance functions central to the role, while also exploring improved communication with elected officials as a means to navigate the increasingly complex regulatory environment.
Despite budget challenges, the report also concludes that the budget landscape is improving. In 2012, more than 75 percent of respondents said their budgets were decreasing or staying the same, but in 2014, almost half reported an increase in their cybersecurity budgets. The top five areas covered within cybersecurity budgets are awareness and communication costs (77.6 percent), compliance and risk management (73.5 percent), incident response (69.4 percent), infrastructure protection, devices and products (61.2 percent), and security consultants (53.1 percent).
However, unless deliberate action is taken, budget will continue to be a challenge as cybersecurity threats mount, the report states. Organizations should outline strategic roadmaps aligned with program priorities to get buy-in from decision-makers, because that’s a proven best method for obtaining funding, the report states. Only 55.1 percent of respondents reported having an approved strategy.
“Cybersecurity budgets will most likely never be sufficient to cover every need, so CISOs must understand which program components and which information assets are most important and focus their efforts on these,” the report states.
The cybersecurity landscape for state government is a complex and challenging one, by the report’s accounting, but reading the report will allow officials to at least understand the trends and challenges they face from outside and from within their organizations. The report is available on the NASCIO website (PDF).