ORLANDO, Fla. — How well-prepared are states to handle a major cyberattack? That depends on whom you ask.
A new joint survey released today by Deloitte and the National Association of State Chief Information Officers reveals a significant “confidence gap” exists in terms of how well CISOs versus state officials think security threats can be handled by their states.
Two-thirds (66 percent) of state officials say they are very or extremely confident that adequate measures are in place to protect information assets from externally originating cyber threats, compared with only a quarter (27 percent) of CISOs. “These findings, which are similar to those from our 2014 study, indicate that CISOs may need to take a different approach when communicating the severity of cyber threats to state officials,” the survey report states.
The inability of CISOs to effectively communicate risk to governors and legislative bodies has also been seen in the challenges they face in making progress on enterprisewide initiatives, such as cross-agency identity and access management initiatives.
“To overcome these challenges and help close the confidence gap that we continue to see, more will need to be done to elevate the authority and influence of the CISO role,” the report states. “CISOs need to improve communications around risks and metrics to better inform agency business executives and help promote their agendas.”
The gap appears to stem from a lack of communication between CISOs and elected officials. Although governors are receiving more frequent briefings on cybersecurity, only 29 percent of CISOs report providing their governors with monthly reports on cybersecurity. And the situation gets worse with respect to legislative bodies. Nearly a third of respondents said that “they never communicate with their legislatures.” That figure is unchanged from 2014. “This is an important consideration, given the legislature’s role in appropriating funds,” the survey report states.
In fact, the survey noted that of the 43 percent of CISOs who reported a funding increase, most reported boosts of far less than 5 percent. In contrast, the Federal cybersecurity budget has seen an increase of 35 percent over the 2016-enacted level.
“States faced with a myriad of priorities and ongoing resource constraints may be hard-pressed to allocate sufficient funding to cybersecurity initiatives. Competition for top talent can make it difficult to attract the professionals needed to effectively combat constantly evolving threats,” the survey warned.
Second only to the inability to obtain proper funding for cybersecurity initiatives, CISOs said they are concerned about the lack of availability of cybersecurity talent to fill critical positions.
“For many CISOs, their challenges are exacerbated by underfunded pension plans and budget constraints that have forced states to change retirement plans for those now entering the workforce. Attractive benefit plans, historically one of the ‘carrots’ of a state government career, are no longer a given, and retirement packages are being restructured to more closely resemble those found in the private sector,” according to the survey. “In addition, private sector salaries for information security professionals have risen dramatically in recent years, making state government less competitive on the compensation side.”
“Our businesses don’t understand all of the technical controls and why they are there. It’s our job as CISOs to fill the gap between our cyber risk and our technology folks,” said Virginia CISO Michael Watson, speaking Monday at the 2016 NASCIO Annual Conference in Orlando, Fla.
The role of the CISO is changing from purely a technology role to being able to speak to the language of agency business, Watson said. “You need a CISO that’s going to be able to speak all things.”
In particular, CISOs need to be able to communicate how risk is reflected in budget requests. “When we provide networks, we’re also providing firewalls with those networks. That should be reflected in our budget model as well.”
But “there will always be tradeoffs” when it comes to risk management, said Texas Chief Information Officer Todd Kimbriel. “It’s different for everybody. If it’s over-secure, you cant deliver your services.”
