Cybersecurity in the States 2012: Priorities, Issues and Trends




Commission on Maryland Cyber Security and Innovation, June 8, 2012
Pam Walker, Director of Government Affairs, National Association of State Chief Information Officers

About NASCIO
National association representing state chief information officers and information technology executives from the states, territories and D.C. NASCIO's mission is to foster government excellence through quality business practices, information management, and technology policy. Founded in 1969: we're a legacy system.

NASCIO 2012 Federal Advocacy Priorities
- More Administrative Flexibility Needed for States
- Secure and Protect Citizen Data and State Digital Assets
- Support the Adoption and Expansion of the National Information Exchange Model (NIEM)
- Support State Role in Identity Management and Verification Solutions

State IT Landscape Today
- Fiscal recovery uneven, slow revenue growth, budgets are better, federal deficit reduction impact?
- CIOs seeking IT operational cost savings and alternative IT sourcing strategies
- Opportunities for change and innovation
- Living with the past: modernizing the legacy
- IT security and risk! Game has changed
- IT workforce: retirement wave, skills, recruiting
- State CIO positions: major churn

CIO Priorities, Trends and Perspectives

State CIO Priorities for 2012
1. Consolidation / Optimization: consolidating infrastructure and services, centralizing
2. Budget and Cost Control: managing budget reduction, strategies for savings
3. Governance: improving IT governance, authority, data governance, partnering, collaboration
4. Health Care: Affordable Care Act, health information and insurance exchanges, architecture, partnering, implementation, technology solutions, Medicaid systems
5. Cloud Computing: governance, service management, service catalogs, platform, infrastructure, security, privacy, data ownership, legal issues, vendor management
6. Security: risk assessment, governance, budget and resource requirements; security frameworks, data protection, training and awareness, insider threats, third party security
7. Broadband and Connectivity: strengthening statewide connectivity, public safety wireless network/interoperability, implementing BTOP grant
8. Shared Services: business models, sharing resources, services, infrastructure, independent of organizational structure, service portfolio management
9. Portal: maturing state portal, e-government, single view of the customer/citizen, emphasis on citizen interactive self-service, mobile apps, accessibility
10. Mobile Services/Mobility: devices, applications, workforce, security, policy issues, support, ownership, communications, wireless infrastructure
Source: NASCIO State CIO Survey, October 2011

Cybersecurity in the States
- Critical infrastructure protection
- More aggressive threats: organized crime, unorganized crime, hacktivism
- Spam, phishing, hacking, and network probes up
- Data breaches: trust impact
- Insider threats, third party
- Executive support
- Inadequate funding
- Need more training, awareness

State governments at risk A call to secure citizen data and inspire public trust

Survey Results
Deloitte and NASCIO issued the 2010 report of a national survey of state government cybersecurity focused on these key areas: information security governance, investments, use of security technologies, quality of operations, privacy, and identity and access management. 49 states responded to the survey.

Governance The Enterprise CISO position is firmly established in the majority of states. To be successful, CISOs must continue to evolve this position to garner enterprise visibility, authority, executive support and business involvement.

1. To whom does your State's CISO, or equivalent responsible for information security, report?
- Secretary/Department head: 8%
- General Counsel/Legal: 0%
- Chief Information Officer (CIO), State IT Director or ...: 76%
- Chief Financial Officer (CFO): 0%
- Chief Security Officer (CSO): 4%
- Homeland Security Director/Adviser: 0%
- Internal Audit: 0%
- Other: 16%
- Not applicable/do not know: 4%
76 percent of the respondents indicated that their State CISOs report directly to the Board of Directors or C-suite, with the largest number reporting to the Chief Information Officer (CIO).

2. Which functions are within the scope of the CISO or equivalent official?
[Chart: percentage of respondents with each function in CISO scope; individual values could not be matched to labels in the extracted text]
Functions surveyed: Information Security (IS) strategy and planning; IS budgeting; IS program measurement and reporting; IS governance (architecture, policies, standards); IS compliance and monitoring; IS risk assessment and management; Incident management; Network security and perimeter defense; Technical infrastructure security; User administration; Identity and access management; Vulnerability management; IS monitoring; IS communications, awareness and training; Outsourced security functions; Background checks; Investigations and forensics; Fraud management; Disaster recovery planning; Business continuity management; Physical security; Other; Not applicable/do not know.
The top five functions of the CISO include: Information Security (IS) Strategy and Planning (96 percent), Incident Management (94 percent), IS Governance (92 percent), IS Communication (88 percent) and IS Risk Assessment (82 percent).

1. Does your State (or agency) have a documented and approved governance for information security (i.e. defined responsibilities, policies and procedures)?
- Documented and approved: 65%
- Documented but not approved: 6%
- Intend to have one documented and approved within the next 12 months / No: 10%, 12% (values as extracted; pairing with labels not recoverable)
- Not applicable/do not know (please describe below): 6%
65 percent of the respondents indicated that they have a documented and approved governance for information security.

6. Does your State (or agency) actively engage both business stakeholders and technology decision makers in identifying requirements for the State's information security strategy?
- Lines of business decision makers only: 2%
- Technology decision makers only: 21%
- Both lines of business and technology decision makers: 71%
- Neither lines of business nor technology decision makers: 4%
- Not applicable/do not know (please describe below): 2%
71 percent of the respondents indicated that they engage both lines of business and technology decision makers to identify the State's information security strategy.

3. Which of the following best describes the state of senior executive support (Governor's Office or CIO) for security projects to effectively address regulatory or legal requirements?
- Commitment and adequate funding: 14%
- Commitment but inadequate funding: 55%
- No commitment but provide funds: 4%
- No commitment or funds / Not applicable/do not know: 12%, 14% (values as extracted; pairing with labels not recoverable)
55 percent of the respondents indicated that they receive commitment from the senior executives but lack adequate funding for security projects to effectively address regulatory or legal requirements.

2. Which statement best represents how you measure and demonstrate the value and effectiveness of your information security organization's activities?
- We have established metrics that have been aligned to business value and report on a scheduled basis: 13%
- We are working on establishing metrics and aligning them to business value: 25%
- We have established metrics that are technical but not well understood by functions outside of information security: 31%
- Little, if any, measurement is undertaken: 23%
- We do not measure: 4%
- Not applicable/do not know: 4%
31 percent of the respondents indicated that they measure and demonstrate the value of their enterprise information security activities using technical metrics that are not well understood by functions outside information security.

3. How effective are applicable Federal and State regulatory security requirements at improving information security posture and at reducing data breach risks in your State (or agency)?
- Very effective: 4%
- Somewhat effective: 81%
- Not effective: 13%
- Not applicable/do not know: 2%
81 percent of the respondents indicated that the Federal and State regulatory security requirements are somewhat effective in improving the state's information security posture.

1. What are your State's top five (5) security initiatives for 2010?
- Information security strategy / Information security governance (e.g., roles, reporting ...): 27%, 29% (values as extracted; pairing with labels not recoverable)
- Aligning information security initiatives with those of the ...: 21%
- Information security risk assessments: 58%
- Data protection: 60%
- Operationalizing information security: 15%
- Information security measurement and reporting: 42%
- Information security talent management: 4%
- Information security training and awareness: 54%
- Information security regulatory and legislative ...: 21%
- Security infrastructure improvement: 33%
- Application security: 42%
- Identity and access management / Security related to technology advancements (e.g., ...): 19%, 19%
- Information security compliance (e.g., internal / external ...): 29%
- Managing insider threats: 4%
- Managing or outsourcing of security services / Disaster recovery / Business continuity / Other (please specify below): 10%, 8%, 6%, 4% (values as extracted; pairing with labels not recoverable)
- Not applicable/do not know (please describe below): 0%
The respondents indicated that their 2010 top five security initiatives include data protection (60 percent), information security risk assessments (58 percent), information security training and awareness (54 percent), application security (42 percent) and information security measurement and reporting (42 percent).

What are your State's top five IT security initiatives?
1. Data Protection
2. Information Security Risk Assessments
3. Information Security Training and Awareness
4. Application Security
5. Information Security Measurement and Reporting

2. What major barriers does your State face in addressing information security?
- Lack of management support: 10%
- Lack of executive support: 25%
- Lack of support from business stakeholders: 38%
- Lack of clarity on mandate, roles and responsibilities: 25%
- Conflicting federal rules and requirements: 6%
- Lack of sufficient funding: 88%
- Lack of procurement oversight and control: 19%
- Lack of visibility and influence within the enterprise: 38%
- Lack of an information security strategy (i.e., shifting ...) / Inadequate availability of security professionals / Inadequate competency of security professionals / Lack of State sector focused laws and regulations / Lack of documented processes / Lack of legislative support / Increasing sophistication of threats / Emerging technologies / Inadequate functionality and/or interoperability of ...: 15%, 13%, 10%, 17%, 23%, 21%, 23%, 40%, 56% (values as extracted; pairing with labels not recoverable)
- Other: 15%
- Not applicable/do not know: 0%

5. What percentage of your department's overall IT budget is allocated to information security?
- 0%: 11%
- 1-3%: 50%
- 4-6%: 15%
- Greater than 11%: 7%
- Not applicable/do not know: 17%
50 percent of the respondents indicated that 1-3 percent of their department's overall IT budget is allocated to information security.

2. Does your enterprise provide training to employees (at least annually) to identify and report suspicious activities?
- Yes: 56%
- Yes, but only where mandated by laws/regulations: 11%
- No: 22%
- Not applicable/do not know (please describe below): 11%
56 percent of the respondents indicated that they provide training (at least annually) for employees to identify and report suspicious activities.

4. Which of the following are the top three privacy concerns to your State?
- Unauthorized access to personal information: 89%
- Managing third-party (contractors, service providers, ...): 38%
- Intra-governmental sharing of information: 20%
- Managing individual agency privacy requirements / Aligning operational practices with policies / Web-enabled systems and services: 29%, 27%, 33% (values as extracted; pairing with labels not recoverable, except that the summary below puts aligning operational practices with policies at 33%)
- Cross-border flows of personal information: 13%
- Internal privacy awareness and training: 22%
- None of the above: 2%
- Not applicable/do not know: 7%
The top three privacy concerns are unauthorized access to personal information (89 percent), followed by managing third-party (38 percent) and aligning operational practices with policies (33 percent).

1. Which statement best describes the level at which your State handles third party (contractors, service providers, business partners) security capabilities, controls and agency dependencies?
- Third-party security capabilities and controls are unknown: 23%
- Third-party security capabilities, controls and agency dependencies are identified: 36%
- Third-party security capabilities, controls and agency dependencies are identified and assessed: 18%
- Third-party security capabilities, controls and agency dependencies are regularly reviewed and tested: 7%
- Not applicable/do not know: 16%
36 percent of the respondents indicated that they have identified third-party security capabilities, controls and agency dependencies; 23 percent indicated that third-party security capabilities and controls are unknown.

2. How confident are you in the information security practices of your third parties (contractors, service providers, business partners)?
- Not very confident: 20%
- Somewhat confident: 69%
- Very confident: 7%
- Extremely confident: 2%
- Not applicable/do not know: 2%
69 percent of the respondents indicated they are somewhat confident in the information security practices of their third parties, whereas only seven percent indicated that they are very confident in the third party information security practices.

Growing IT Security Risks in the States
- Protecting legacy systems
- Expansion of wireless networks
- Online transactions
- Use of social media platforms
- Mobile devices and services
- Use of personally-owned devices (BYOD) for state business
- Adoption of cloud services; rogue cloud users
- Consumer digital devices in the workplace
- Third-party contractors and managed services

- Business objectives
- Governance
- Acquisition strategy
- Jurisdictional issues
- Security and privacy concerns
- Policy and legal issues
- Exit strategy

- Apply existing security framework and policies
- Consumer cloud vs. industrial strength
- Test drive: start with private cloud
- 3rd party contracts protect state interests
- Enable legitimate business use
- Monitor and control unauthorized use
- Leverage FedRAMP

Today's State IT Workforce: Under Pressure
- State CIOs say 21-30% of state IT employees are eligible for retirement within the next five years
- Fiscal stress: hiring freezes and elimination of vacant positions
- Nearly two-thirds say they anticipate having to reduce IT staff
- IT Security positions are difficult to recruit and retain
Source: NASCIO State IT Workforce: Under Pressure, January 2011

Challenges Recruiting IT Security Professionals
Skills and disciplines that present a challenge to fill (comparison of total percentage of responses):
- Security: 52.4%
- Project Management / App & Mobile App: 47.6%, 50.0% (values as extracted; pairing with labels not recoverable)
- Architecture: 47.6%
- Analysis and Design: 42.9%
Source: NASCIO State IT Workforce: Under Pressure, January 2011

DHS National Cyber Security Review (NCSR): 2011 Baseline Assessment of the States
- Comprehensive risk-based survey of states and large urban areas
- Focus on 12 control areas using maturity model approach
- Key findings: identification of capabilities and gaps
- Potential areas to focus security programs for improvements
- Tool that can be used for additional cybersecurity reviews
- Metrics for cybersecurity investment justifications
- Reports to each respondent providing best practices and recommendations to improve cybersecurity posture
What did we learn? States have major gaps in key areas.

Looking Ahead: Action Items for States
- More education and awareness of the risks
- More IT consolidation, shared services
- Consider NASCIO's Core Services Taxonomy for IT Security programs
- Outsourcing: more steering, less rowing
- IT implications of healthcare reform
- More intra-state, inter-state and federal collaboration
- Demand for performance, results
- State Centers of Excellence for cyber education and research
- Extending the enterprise: locals?
- Massive collaboration: Web 2.0
- Funded research, scholarships, internships
- Sharing best practices, recognition

NASCIO Cybersecurity Call to Action: Key Questions for State Leaders
- Have you created a culture of information security in your state government?
- Have you adopted a cybersecurity framework, based on national standards and guidelines?
- Have you acquired continuous vulnerability management capabilities?
- Have you documented the effectiveness of your cybersecurity with metrics and testing?
- Have you developed security awareness training for workers and contractors?

Connect with NASCIO: nascio.org, facebook.com, linkedin.com, youtube.com/nasciomedia, twitter.com/nascio