But instead of engaging in end-of-year cyber voodoo, I thought it would be more productive to focus on a few important things state and local governments could do in the coming year that would make their security programs better, and therefore their citizens more secure. These are all big, hairy and audacious goals (BHAG), but with some dedicated focus and purposeful strategic ambition, December 2022 could find state and local government organizations in a healthier security posture.
A top priority, as always, is finding the money to fund robust defenses. “The increasing escalation of cyber-attacks on state and local government organizations, and higher expectations of digital access by the public, necessitates an operational strategy that makes infrastructure refreshes and training a required component of base budgets. Cybersecurity performance is both people and technology,” said Henry Sobanet, former director of the Colorado Office of State Planning and Budgeting and currently senior vice chancellor and chief financial officer at the Colorado State University System.
There are dozens of other important cybersecurity issues that could realistically be in the BHAG inventory, but I’ve chosen to focus on three: addressing the cybersecurity staffing and talent gap, developing a cyber supply chain response strategy, and taking measurable steps on the journey to zero trust.
Avoiding a Downward Staffing Spiral
In a global survey of cybersecurity professionals published last summer by the Information Systems Security Association and the industry analyst firm Enterprise Strategy Group, 59 percent of respondents said their organizations could be doing more to address the cybersecurity skills shortage, and 57 percent said a shortage of those skills has impacted their organizations. This data indicates that the passive approach to hiring and retaining cybersecurity staff is failing and requires an active response.
Rich Schleip is the chief technology officer at the Colorado Department of State, and he told me, “Over and over again I see the government organizations hiring contractors to fill the immediate need for cybersecurity professionals. However, they then fail to establish the necessary solid foundation to attract people with the right skills, and more importantly, retain those with institutional knowledge, which creates an increasingly downward spiral of hiring, training, rehiring and retraining.” As government organizations struggle to keep good people due to the vast pay disparities between the public and private sectors, the workload on remaining employees is resulting in an environment where burnout has become a serious health factor.
Human resources and hiring personnel need to become more creative and realistic in talent acquisition and focus on retaining good people because staff turnover is not just expensive, it’s incredibly disruptive to the organization. This is a moral imperative.
Risks from Downstream Vendors
Cybersecurity supply chain risk management is one of the most significant growing concerns for governments at all levels. It was a primary component in President Biden’s May 2021 executive order titled “Improving the Nation’s Cybersecurity.” The past year has seen a number of large security breaches exploited as a result of vulnerabilities in the systems and software of trusted software suppliers, and months later many of these organizations are still recovering. The recovery and mitigation costs, reputational damage and loss of citizen trust cannot be overstated.
“To begin to address these vulnerabilities, governments not only need to assess their own cybersecurity risks but should also expect their cloud service providers and software suppliers to have and follow a cybersecurity supply chain risk management framework,” said Dugan Petty, former CIO for the state of Oregon. “Recent security incidents exploited through third-party software highlight why supply chain risk management should receive more attention during the contracting process.”
Government organizations need to become more diligent in evaluating and monitoring vendor contracts to ensure that downstream vendors are employing good supply chain risk management, since risk accepted by one is risk borne by all.
Trust No One
The concept of zero trust has been around for years but just recently has become the cybersecurity buzz-phrase du jour. For those unfamiliar with the term, instead of assuming the people and devices on a network are trustworthy, a zero-trust architecture implements policies and technical controls that require frequent and ongoing verification of trustworthiness. Zero trust is not trivial and is a journey that requires discipline, investment and continuous application of the concept of “least privilege,” which means that every user and every device is considered a threat and must be unceasingly challenged to prove they have and need legitimate access.
The Biden executive order was also very explicit about employing zero trust, calling for the federal government to adopt that architecture as practicable and for the Cybersecurity and Infrastructure Security Agency to “modernize its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with zero trust architecture.”
State and local government organizations should use the federal order as a road map and begin to methodically deploy a zero-trust architecture with a finite goal of completion in the next two or three years. Once again, this requires a commitment of both funding and high-level executive support.
Aggressively addressing these three issues in particular would go a long way toward taking cybersecurity beyond a posture that is merely reactive. “With respect to cybersecurity, I have always believed that the best defense is a good offense,” noted Joe Panora, former CIO at the California Department of Corrections and Rehabilitation. “Cybersecurity requires a proactive mindset with actionable measures because once you believe you have everything under control, that’s when you are most vulnerable.”
Governing's opinion columns reflect the views of their authors and not necessarily those of Governing's editors or management.
