
State CISOs Have Little Confidence In Ability To Defend Against External Threats

Deloitte Survey Shows Few State CISOs Are Confident In Their States' Ability to Defend Against Cyber Attacks

Fewer than a quarter of state chief information security officers were confident in their states' ability to safeguard data from attacks, according to a recent Deloitte & Touche survey. Only 32 percent of the CISOs felt that state employees have the "required cyber-security competency."

Increasingly sophisticated cyber-attacks present a new set of challenges to state officials tasked with safeguarding citizens' personally identifiable information, according to the 2012 Deloitte-National Association of State Chief Information Officers (NASCIO) report released Tuesday. States collect an enormous amount of citizen data through various programs and services, making it critical that the data be protected.

Government agencies have lost more than 94 million records of citizens since 2009, Srini Subramanian, a principal at Deloitte & Touche, and Doug Robinson, executive director of NASCIO, wrote in the executive summary, citing a recent report from Rapid7.

"Every CIO and CISO wakes up each day knowing that if they don’t get security right and breaches are suffered, their programs can be perceived to be ineffective, and their citizens may suffer direct harm," Brenda L Decker, president of NASCIO and CIO of the state of Nebraska, wrote in the introduction to the report.

[Figure: Top 5 Barriers in Addressing Cybersecurity]

While some threats to state information technology security have diminished since 2010, 52 percent of CISOs in the survey said elaborate and sophisticated threats were a barrier to addressing security. The state CISOs recognize the importance of cyber-security, but struggle to gain adequate budgets and stakeholder buy-in to carry out their plans, the survey found. The same challenge was present in the 2010 report.

Budget is a problem for states in safeguarding their data: about 86 percent of CISOs reported that insufficient funding was the most significant barrier to addressing cyber-security issues. The second most significant barrier was the "inadequate availability" of IT professionals well-versed in cyber-security, according to the survey.

The survey results called for greater collaboration between state CISOs, business leaders in state agencies, and elected officials. CISOs can develop a network of stakeholders across state government offices and agencies and include them in discussions about strategies, risks, progress, and results. CISOs can partner with business stakeholders and "advocate jointly" for increases in cyber-security budgets through "well-articulated strategies, measures, and outcomes," said Subramanian.

States can also create competency centers to share qualified personnel, technology and dollars, the report found. CISOs should also "aggressively explore alternative funding sources," the report recommended.

Even though there has been significant turnover among state CISOs since the initial survey in 2010, the results were remarkably similar.

The second biennial Deloitte-NASCIO survey assessed the security of all state digital data and cyber-assets administered by CISOs. CISOs and CIOs from 48 states and two US territories participated in the survey. A parallel survey examined responses from 63 state business stakeholders and elected officials and found that 92 percent of respondents ranked cyber-security as "most important" or "very important."

The top four threats facing state governments in the next year are phishing, pharming, and related variants; social engineering; the growing number of sophisticated threats; and mobile devices, Deloitte and NASCIO said. Although state CISOs recognize the importance of cyber-security, the report highlighted a few steps states should adopt to mitigate some of the risks.

States should adopt a uniform security framework, perform regular compliance assessments, and communicate risks to relevant stakeholders. CISOs should also routinely report cyber-security threats and the status of projects to build support for security and privacy initiatives. There should be more user education, the report suggested.

"Balance the cost of education and the disruption to individuals against the benefit of keeping the state out of the headlines—and it's clear the investment is a sound one," the report said.

With more and more functions being outsourced to third-party firms, more needs to be done to manage risk, and cyber-security policies must be communicated to and enforced with partners and contractors as well.

State CISOs are not the only ones concerned about their ability to defend against cyber attacks. Earlier today, Canada’s auditor general warned that the country "has been slow" to set up firewalls to protect against cyber threats to critical infrastructure, leaving the nation vulnerable to crippling attacks.

In a report, Auditor General Michael Ferguson said the Canadian government has made only "limited progress" over the past decade to safeguard electrical grids, telecommunications infrastructure, banking systems, manufacturing and transportation, as well as its own computers. 

The full 40-page report can be downloaded here.

Fahmida Y. Rashid is a contributing writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.