On cybersecurity, governors and legislators are overmatched and overconfident, panel says
To confront tomorrow’s digital threats, experts say state leadership requires a new degree of cybersecurity awareness that demands regular updates, sustainable funding and long-term plans.
This was a key takeaway Monday at RSA’s Public Sector Day in San Francisco. In a panel discussion, Debbi Blyth, Colorado’s chief information security officer; Doug Robinson, executive director of the National Association of State Chief Information Officers (NASCIO); and Srini Subramanian, lead partner of Deloitte’s Cyber Risk Services, stressed that now, and especially in the future, it is critical that governors and legislators be given regular updates about cybersecurity issues.
“I really do think it is important to get in front of the governor and executive leadership monthly,” Blyth said. “It may not be in person but it may be in the form of reports that he is actually reading.”
Blyth, who serves under Democratic Colorado Gov. John Hickenlooper, said that in response to fluctuating risk assessments and the evolving nature of security projects, governors need monthly updates at a minimum, while state legislators require quarterly briefings. Considering the diversity and pace of modern attacks, Blyth said traditional state reports were simply not enough for proper decision making.
While not an issue in Colorado, survey data from Deloitte and a NASCIO cybersecurity report underscored a major disconnect between elected state officials and IT leadership. Subramanian said when Deloitte asked appointed and elected leaders to describe their level of confidence in their IT department’s ability to handle external threats, about two thirds said they were in great shape, whereas only about 22 percent of CIOs and CISOs felt the same way.
“That tells us that the level of risk communication that is reaching the appointed and elected leaders is not adequate, because they are going with the impression that things are pretty good,” Subramanian said.
Robinson said feedback from a NASCIO survey was equally striking for state legislators. When asked what was the number one source for cybersecurity news and updates, 85 percent of legislators named news outlets as opposed to agency reports.
“If that isn’t alarming, I don’t know what is,” Robinson said. “So right there we have a gap and we are working closely with our new cybersecurity taskforce [made up of state cyber experts from around the country] to improve this.”
Even so, Robinson said that bridging the communication gap with legislators is far more difficult than it is with governors. Nationally, there are thousands of state lawmakers, and their ranks turn over with each election cycle.
“You have term limits so you’re constantly having to roll through that,” Robinson said.
Suggesting possible solutions, the three said that in addition to regular reports, governors’ offices may need to take point as conveners: organizing meetups between legislators and IT leadership, drafting long-term cybersecurity strategies, and creating cybersecurity commissions that can help shape policy, develop guidelines and plug communication holes.
Further, Robinson said long-term cybersecurity strategies were a good starting point, as NASCIO’s research indicated that states with such plans were usually able to back them with sustainable funding that did not depend on federal grants or one-time appropriations.