According to the third biennial Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study, states, CIOs, and Chief Information Security Officers (CISOs) continue to face strategy and resource challenges in protecting states' critically important systems and data. CISOs from 49 states and 189 elected and appointed business leaders from a broad range of sectors participated in the survey, which identified the top barrier all of them faced: a disconnect between strategy and investment. Compounding this problem is a recognized nationwide skills gap and shortage of information security professionals.
Eighty-eight percent of survey respondents placed cybersecurity attacks among the three biggest threats facing organizations today. However, less than half (only 44 percent) said they expect to hire information security staff to address the threat. Of those planning to hire more cybersecurity professionals this year, 41 percent expect to have difficulty finding a skilled candidate. Worse, only 38 percent say they are prepared to experience a cyber attack, while 58 percent indicated they were either unsure about hiring or not planning to hire any cybersecurity professionals to address the threat at all.
The results of these studies were recently discussed with more than 1,000 public-sector attendees at the California Department of Technology, Office of Information Security's Annual Cybersecurity Summit in Sacramento. This year's summit, Advancing Information Security and Privacy through Awareness and Action, fell between National Emergency Preparedness Month in September and California's and the nation's Cybersecurity Awareness Month in October.
To help address the apparent strategy disconnect, a recurring theme throughout our event was the importance of investment, not just in tools but in people with information security and privacy subject-matter expertise: people who possess the knowledge, skills and abilities to articulate security and privacy concepts in terms business leaders can understand, and who can implement security and privacy controls that link directly to the business mission and objectives.
The following are some of the tips for information technology leadership and private industry partners that were shared.
Tips for technology leadership:
1. Invest in dedicated security and privacy subject-matter expertise. A CISO's job is a full-time effort. CISOs cannot effectively fulfill their role and responsibilities if they are also expected to serve simultaneously in other key roles, such as network administrator, developer, or database administrator. To best serve you and your organization, your CISO should be dedicated to the security role and engaged with every line of business in your organization, so that they understand the business mission and objectives and can align security and privacy with them.
2. For effective risk-based decision making, give the CISO a seat at the governance table. They should be expected to articulate security in terms business leaders can understand. The CISO should serve as the voice of security, helping to inform the business and key decision makers about risk and alternatives to mitigate risk.
3. Don't shoot the messenger. The CISO and security professionals can be the bearers of bad news, or tell you things you won't necessarily want to hear. To establish an effective risk management strategy, create a culture in which people feel comfortable bringing matters of risk to your attention. CIOs and business leaders must be willing to listen and to show appreciation when risks and mitigation alternatives are brought forward.
4. Recognize that security tools alone are not a panacea and do not run themselves. To be effective, any tool requires an investment in people and process. Lessons learned from recent incidents show that deploying a tool without the people and process to operate it leads to unattended security alerts and alarms, which are precursors to compromise.
5. Invest in continuous security training and professional development across your organization, not just for security subject-matter experts. You need to invest in maintaining your security subject-matter expertise; however, security is a shared responsibility. All positions, especially those in information technology, need to understand current threats and the ways to mitigate risk and defend against attacks. Given the current security workforce challenges, you may need to consider developing in-house talent into security roles. This approach has many advantages, chiefly that you are working with individuals who already know the lines of business and are attuned to their needs.
Tips for private industry partners:
1. Understand that government, as your customer, is highly regulated in the areas of security and privacy. Our requirements are not intended to break your business model; they are necessary to meet the regulatory requirements we must adhere to. Those regulatory requirements are often driven by constituent demand for stronger security and privacy protections.
2. We need innovative solutions that will help us meet both mission delivery and constituent security and privacy expectations. When made a priority, it is possible to design secure and privacy-conscious technologies. As cybersecurity has become a national priority there are some exciting innovations taking place.
3. We need transparency, especially when we outsource to you as a service provider, because you then become part of our accountability and due-diligence chain. We need to be able to demonstrate that your security and privacy protections are in place, work as intended, and meet any applicable regulatory requirements.
Chief Information Officers (CIOs) need a cybersecurity strategy and resource investment to meet today's cyber challenges. The cyber threat landscape changes with each keystroke, and organizations can no longer treat cybersecurity as an afterthought; it is not a matter of if, but when. Understanding the challenges cybersecurity presents to organizations can connect strategy with security investment and make cybersecurity a shared responsibility within every division of your business.