State governments face the same cybersecurity threats that menace the federal government and the private sector. But when it comes to defending against those threats, state resources are comparatively scarce. That leaves state Chief Information Security Officers (CISOs) in a tight enough spot. In some states, they face the additional hurdle of challenges related to risk and security management governance. However, if approached correctly, these challenges become opportunities to make better use of the resources that are available.
Perennial Budget Challenges
The National Association of State Chief Information Officers (NASCIO) and Deloitte publish an annual cybersecurity study which has consistently listed the cyber budget void as one of the top five state CISO priorities. In my time working at the Department of Homeland Security (DHS), I observed a disconnect between this priority and the number of FEMA Homeland Security grants awarded that target cybersecurity.
This is not due to a lack of interest from states’ IT leadership, governors’ offices or homeland security advisers. Based on my discussions with state CIOs and CISOs, given the limited pot of FEMA dollars available, only a portion of state grant requests focused on cybersecurity investment. Other kinds of valid but also more politically salient security spending, such as police training or new emergency equipment, received preference. A new fire truck is more relatable for an electorate than a new firewall.
That is in part due to the somewhat vague public perception of cybersecurity risks. Physical risks like violent crime or fires are obvious and demand urgent response. But if there is a data breach, those whose data is stolen may not even know, and regardless there would unlikely be immediate, direct consequences.
It’s not that cybersecurity isn’t recognized as a serious threat. The challenge is making an ironclad case for increased defensive spending. The cost per incident (such as in a data breach) vs. the overall cost for security can be difficult to quantify. Significant investment could be made, but then no significant incidents occur. Was that because of a stronger defensive posture, or because no one attacked you?
Also, costs-per-record can be a highly inaccurate metric. Once a breach occurs, whether the bad actor stole 50,000 or 5 million records, there will be fixed and variable costs. While variable costs may increase along with the number of records, certain fixed costs will not. Yet fixed vs. variable incident costs are usually blurred in cost-per-record calculations.
To overcome that inaccuracy, DHS’s Cybersecurity and Infrastructure Security Agency’s Office of the Chief Economist is developing a break-even analysis model. This model balances the costs of preventive controls against incident response and recovery expenditures. Its approach considers different adversary techniques and compares them to different possible defensive actions for each, enabling organizations to assess trade-offs between the costs of prevention and response. Further cost avoidance, such as preventing disruption to mission or business operations, intellectual property loss or reputational damage, can help bolster the investment business case. The goal is to couch cyber risk and cyber risk mitigation in comparable dollar amounts.
States stand to benefit from leveraging this model. Focusing on risk-based analysis would empower states CISOs to defensibly articulate their additional cybersecurity investment requests, and could lead to security dollars being spent more effectively.
A Seat at the Governance Table
Of course, accurately representing cybersecurity break-even analysis in state budget discussions depends on involving a subject matter expert. As with federal agencies, state CISOs generally report to the CIO. However, CIOs and CISOs aren’t necessarily mutual advocates given their sometimes conflicting priorities. Allowing CISOs a more equal voice in governance (government-wide planning, budgeting, operations and performance reporting) would help bring security resources to bear on the problems that various agencies face, while also better informing the budget discussion.
The 2018 NASCIO-Deloitte study shows minor improvements in CISOs’ access to state agencies and other constituents.
For more states to benefit from elevating their CISOs and their cyber initiatives, awareness-raising needs to accelerate. There’s an opportunity for state CISOs to work more closely together – whether nationally through organizations like NASCIO and the Multi-State Information Sharing and Analysis Center (MS-ISAC), or with regional neighbors. State legislatures also have a role, and the collaborative efforts of organizations such as the Council of State Governments and the National Conference of State Legislatures can generate dialogue to share best and emergent practices.
Intra- and inter-state collaboration can also benefit from budget efficiencies. For instance, through collaboration and subject to state laws, groups of states and/or agencies can buy security services and technologies off the Federal GSA schedule and blanket purchase agreements for greater volume discounts compared to single agency or state purchases.
Our Call to Action
Overcoming these challenges requires an assertive leadership posture and concerted action. State CISOs must combine awareness campaigns, cyber operations, risk analysis and federal resources like FEMA grant guidance and GSA discounted purchasing to construct an argument based in real data: here is our state’s level of risk; this is how we will manage it; this is the correct resource investment for risk mitigation; and here are federal resources we can leverage to help.
While today we see elements of this approach being adopted, it has yet to coalesce into a national strategy that will help governments across all 50 states. With cyber threats and associated risks accelerating, there is an imperative to change long-entrenched dynamics that no longer serve, and embrace a more inclusive, informed and actionable approach to security that will benefit all states, and collectively, the nation.
Matthew Shabat is U.S. Strategy Manager at Glasswall Solutions.