States at Risk: Cyber Threat Sophistication, Inadequate Budget and Talent

Similar documents
2014 Deloitte-NASCIO Cybersecurity Study State governments at risk: Time to move forward

Cybersecurity in the States 2012: Priorities, Issues and Trends

State of South Carolina Initial Security Assessment

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years

Into the cybersecurity breach

Information Systems Security Line of Business (ISS LoB)

Cybersecurity The role of Internal Audit

State of the States: IT Trends, Priorities and Issues

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

State of Minnesota IT Governance Framework

How To Write A National Cybersecurity Act

NGA Paper. Act and Adjust: A Call to Action for Governors. for cybersecurity;

Office of the Auditor General AUDIT OF IT GOVERNANCE. Tabled at Audit Committee March 12, 2015

Personal Security Practices of the CAO

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.bm

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Addressing Cyber Risk Building robust cyber governance

Don t Get Left in the Dust: How to Evolve from CISO to CIRO

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

Cyber Security key emerging risk Q3 2015

The Computerworld Honors Program

Cybersecurity and the AICPA Cybersecurity Attestation Project

Office of the Chief Information Officer

INFORMATION TECHNOLOGY GOVERNANCE IN PENNSYLVANIA. Executive Summary

CYBER SECURITY, A GROWING CIO PRIORITY

Major IT Projects: Continue Expanding Oversight and Strengthen Accountability

Seamus Reilly Director EY Information Security Cyber Security

State of Minnesota. Enterprise Security Program Policy. Office of Enterprise Technology. Enterprise Security Office Policy. Version 1.

CyberSkills Management Support Initiative

Enhancing NASA Cyber Security Awareness From the C-Suite to the End-User

El Camino College Homeland Security Spring 2016 Courses

An Introduction to the DHS EBK: Competency and Functional Framework for IT Security Workforce Development

State CIOs, Emerging Trends and the Forces of Change

Cyber ROI. A practical approach to quantifying the financial benefits of cybersecurity

Information Security Program CHARTER

The Imperative for High Assurance Credentials: State Identity Credential and Access Management (SICAM) Guidance and Roadmap

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

Developing a robust cyber security governance framework 16 April 2015

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

Cyber Risk Managemet Next? What Board Members, Shareholders, Government, Auditors and Others Will be Asking from the CIO Next:

Session 9: 20 Questions You Should Answer About Your Cyber Security Readiness Jeff Thomas, Partner, KPMG Ivan Alcoforado, Senior Manager, KPMG

Governmental Oversight and Accountability Committee

The Role of Internal Audit in Risk Governance

NIST Cybersecurity Framework Impacting Your Company? April 24, 2014 Presented By Sheila FitzPatrick, NetApp Jeff Greene, Symantec Andy Serwin, MoFo

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

NASCIO 2014 State IT Recognition Awards

Feature. Developing an Information Security and Risk Management Strategy

All Eyes: A Security Breach Exercise. Disaster Recovery/Security and Business Continuity Readiness

The Internal Audit fraud challenge Prevention, protection, detection

Internal audit value optimization for insurance organizations

Michigan Cyber Summit 2013 Hosted by Michigan Governor Rick Snyder

FFIEC Cybersecurity Assessment Tool

Risk Considerations for Internal Audit

Key Cyber Risks at the ERP Level

Vendor Risk Management Financial Organizations

North Texas ISSA CISO Roundtable

The Human Capital Management Systems Business Case A Checklist to assist agencies developing a business case

ADVISORY SERVICES. Risk management in an evolving world. Making the case for social media governance. kpmg.com

Presidential Summit Reveals Cybersecurity Concerns, Trends

658 Cedar Street Saint Paul, MN

Tim Turner Tim Turner & Associates, LLC TEXAS. Health Information Technology Advisory Committee (HITAC)

Cybersecurity Awareness for Executives

Threat Intelligence is Like Three Day Potty Training

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

COPYRIGHTED MATERIAL. Contents. Acknowledgments Introduction

IT Governance. What is it and how to audit it. 21 April 2009

Information Management & Technology (IM&T) Strategic Plan

Cybersecurity: You re Doing IT Wrong

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

TAUHEEDUL EDUCATION TRUST

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Transcription:

SESSION ID: PNG-R04 States at Risk: Cyber Threat Sophistication, Inadequate Budget and Talent MODERATOR: Christopher Ipsen CIO Nevada Desert Research Institute PANELISTS: Tim Hastings Chief Information Security Officer (CISO) State of Utah Srini Subramanian State Sector Risk Advisory Leader Deloitte & Touche LLP Thomas MacLellan Homeland Security and Public Safety Division Director National Governors Association, Center for Best Practices

Panel Christopher Ipsen CIO, Nevada Desert Research Institute Moderator Tim Hastings Chief Information Security Officer (CISO), State of Utah Thomas MacLellan Homeland Security and Public Safety Division Director, National Governors Association, Center for Best Practices Srini Subramanian State Sector Risk Advisory Leader, Deloitte & Touche LLP 2

Agenda Introduction The maturing role of the CISO Budget-strategy disconnect Cyber security complexity Talent crisis Q&A 3

State governments are a target, citizen trust ` impact is top concern States collect, share and use large volumes of the most comprehensive citizen information. Makes states an attractive target for both organized cyber criminals and hactivists. Cybersecurity needs to be a governor and a business executive level issue. 4

The Third biennial study 2010 2012 2014 The study is based on surveys and comparisons, and offers suggestions to: Provide state leadership with insights and identify trends to help states set informed and strategic cybersecurity direction Assess elected and appointed business leader input with a state officials survey Compare responses from CISOs and state officials, along with relevant results from the 2010 and 2012 studies 5

An outstanding response and result State CISO Survey: 49 state CISOs responded to an online survey containing 58 questions State Officials Survey: 186 elected and appointed officials from 14 affiliated organizations answered 14 questions: Results 1. Cybersecurity Study 1. National Association of State Auditors, Controllers & Treasurers (NASACT) 2. National Association of Attorneys General (NAAG) 3. National Association of Secretaries of State (NASS) 4. National Association of State Personnel Executives (NASPE) 5. National Association of State Chief Administrators (NASCA) 6. National Association of State Budget Officers (NASBO) 7. National Association of State Procurement Officials (NASPO) 2. Benchmark Report 8. American Association of Motor Vehicle Administrators (AAMVA) 9. National Association of Medicaid Directors (NAMD) 10.National Emergency Management Association (NEMA) 11.Adjutant General Association of the United States (AGAUS) 12.Governors Homeland Security Advisors Council (GHSAC) 13.Federation of Tax Administrators (FTA) 14.International Association of Chiefs of Police (IACP) Division of State & Provincial Police (S&P) 6

Findings from the study

Key themes from the study Maturing role of the CISO Budget-strategy disconnect Cyber complexity challenge Talent crisis 8

I. Maturing role of the CISO

Maturing role of the CISO 98.0% Of states have a CISO The CISO role is gaining legitimacy 89.8% CISOs report to CIOs 49.0% CISO authority established by statue or law 55.1% CISO authority established by secretary or CIO 10

Maturing role of the CISO 39.6% Governors Communication to business leaders is mostly ad hoc 25.0% Secretary/ deputy secretary 40.4% State legislature 43.8% Business stakeholders 98.0% Of states have a CISO 49.0% CISO authority established by statue or law 89.8% CISO report to CIO 55.1% CISO authority established by secretary or CIO 11

Maturing role of the CISO 100% Awareness and training Top CISO function have standardized 100% Strategy and planning 95.9% Risk assessment and management 98.0% Incident management 98.0% Of states have a CISO 49.0% CISO authority established by statue or law 89.8% CISO report to CIO 55.1% CISO authority established by secretary or CIO 98.0% Governance (architecture, policies, and standards) 12

Moving forward Role and governance Governance, Risk and Compliance: CISOs could continue to manage the strategic, risk management, and regulatory/compliance functions Privacy: Enterprise-level privacy officers can help determine which data needs to be protected and why Security technology and operations: A security executive could manage technical and operational aspects of security 13

II. Budget-strategy disconnect

Budget-strategy disconnect Cybersecurity budgets are increasing year over year 47.9% 14.0% Additional funding sources are helping with the increase Percentage of CISO respondents 2012 2014 47.9% 32.7% U.S. Department of Homeland Security Business/program stakeholders 15

Budget-strategy disconnect Funding is still the #1 barrier to effective cybersecurity Security allocation as part of IT budget remains unchanged 75.5% Lack of sufficient funding Senior Executive commitment is there, but funding still insufficient IT budget 46.8% of states have only 1-2% of IT budget for cybersecurity 65.3% 16

Budget-strategy disconnect Approved strategies are still largely missing Absence of businessaligned metrics 45% Absence of approved strategy 47.9% Majority of CISOs continue to work on establishing business-aligned metrics 17

Moving forward Strategize & achieve appropriate funding Communicate and collaborate with legislators and state business/program leadership to build a business case for security as a line item in the budget Effectively collaborate with agency-level program and business leaders to get cybersecurity included in program budgets Work with CIOs to: Allocate a reasonable percentage of new business and technology initiatives for cybersecurity Identify creative ways to include cybersecurity as a critical part of enterprise data center consolidation initiatives 18

III. Cyber complexity challenge

Cyber complexity challenge Confidence Gap Ability to protect against external attacks; Only 24% CISOs vs. 60% State officials Top barriers State officials and CISOs agree #1 Funding State officials CISOs #2 Sophistication of threats 20

Moving forward Unravel the complexity Use both increasing regulatory requirements and audit findings to gain the attention of business and agency/program leaders Clearly communicate the nature and severity of cyber risks and impacts to business stakeholders, agency/program leaders and legislative leaders State cybersecurity approach needs to evolve can t rely on protection or securing efforts alone 23

IV. Talent crisis

Talent crisis FTE counts are increasing 49% 6 to 15 FTEs Competencies have increased, training has improved 7 out of 10 states agree Inadequate availability of cybersecurity professionals 25 Barrier #3 59%

Talent crisis Top challenge is staffing Salary 9 out of 10 CISOs Collaboration needed with HR to define cybersecurity career path 25% States with appropriate job descriptions documented by HR Leading challenge in workforce development 67.3% CISOs choose "Lack of a defined cybersecurity career path" 26

Talent crisis Top three actions to improve workforce Top functions outsourced 57.1% 46.9% 42.9% Non-salary benefit Cross-train IT workforce NICE framework University relations 38.8% Forensics/ legal support 36.7% Threat management and monitoring services 36.7% Threat risk assessments 35.4% CISOs are reviewing 27

Moving forward Get creative & gain on talent Attracting Millennials is a whole new ballgame: Millennial are likely to be an important source of talent in the cybersecurity arena Partner with Human Resources: States need a career development path for cybersecurity talent Partner with private sector to supplement cybersecurity teams: CISOs should provide training to their staff to effectively manage teams that may include members from third parties 28

Questions & answers

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information