5 Cybersecurity Hurdles Facing Public Sector (SLTT) CISOs (and 5 Ways to Help)

Public sector Chief Information Security Officers (CISOs) face the same challenges as their private sector counterparts, but with the additional struggles that are unique to working in government.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) co-sponsors the Nationwide Cybersecurity Review (NCSR), an annual survey of cybersecurity preparedness.

The NCSR is an anonymous self-assessment designed to measure cybersecurity capabilities among U.S. State, Local, Tribal, and Territorial governments (SLTTs). It is based on the NIST Cybersecurity Framework and is also sponsored by the Department of Homeland Security (DHS).

The 2019 NCSR summary report, soon to be released, gathered responses from more than 3,100 participant organizations. Notably, the top five security concerns remained the same for the fifth consecutive year. Clearly, these perennial challenges are not easy to solve. Recognizing these shared concerns can be helpful for public sector CISOs as they develop their own cybersecurity solutions.

5 Cybersecurity Hurdles for Public Sector CISOs

The NCSR survey recognized five hurdles that were shared by SLTTs and their CISOs:

1. Lack of Sufficient Funding

NCSR survey respondents again indicated that a lack of sufficient funding is their top concern. Obtaining funds for government programs is a Byzantine process under the best of circumstances. However, the economic disruptions of 2020, with the resulting loss of tax revenue, mean this will likely remain an ongoing concern in the absence of additional state or federal funding.

2. Increasing Sophistication of Threats

Cybercrime is big business. While the precise cost to the public sector is impossible to measure, some believe the annual loss to be in excess of $13 billion.

3. Lack of Documented Processes

The average maturity level for the state peer group surveyed in the NCSR was identified as “Partially Documented Standards and/or Procedures” in the 2019 survey. This means that while they have formal cybersecurity policies, they are still developing standards and procedures for consistent implementation.

Local and Tribal government maturity level, meanwhile, is described as “Documented Policy.” This means they have formal cybersecurity policies in place, but are informally performing cybersecurity functions without documented standard operating procedures.

4. Emerging Technologies

New cybersecurity technologies are constantly being introduced. A common concern heard from IT professionals is that their organizations' employees use more sophisticated tools at home than they do at work. The pressure to introduce emerging technologies is so strong that third-party solutions are often introduced without being fully vetted by IT or security.

5. Inadequate Availability of Cybersecurity Professionals

The lack of qualified personnel is a key area of concern that arises in the NCSR each year. A majority of survey participants in 2019 reported their organization has fewer than five full-time security employees. With limited staffing, it is difficult to assess and implement an appropriate cybersecurity program.

5 Ways to Help CISOs of SLTTs

Making efficient use of existing available resources will be more important than ever. The support provided by an MS-ISAC membership can surely help. These resources and services are delivered to SLTTs at no or low cost by the Center for Internet Security. MS-ISAC members can help advise all SLTT CISOs on best practices that will meet their specific needs. Here are just some of the ways this membership can help:

  1. Resources like the Weekly Top Malicious Domains/IP Report and Cyber Security Advisories help educate SLTT IT and security teams on how to protect their organizations against existing and emerging threats.
  2. Tools such as Albert sensors and Malicious Domain Blocking and Reporting (MDBR) can play an important role in an overall Defense-in-Depth strategy for continuous monitoring and reporting of cyber threats.
  3. Free CIS SecureSuite Membership provides no-cost access to best practices and tools that can support an organization's cybersecurity program when staff are scarce.
  4. A 24/7 Security Operations Center (SOC) monitors activity and communicates to SLTTs about malicious activity observed across the entire membership.
  5. Members-only webinars provide continued education and updates.

Participate in the NCSR

The deadline for the 2020 Nationwide Cybersecurity Review has been extended through February 28, 2021. SLTT CISOs are encouraged to participate in this no-cost and anonymous self-assessment.

Participation in the NCSR is a requirement for grant recipients and sub-recipients under the State Homeland Security Program (SHSP) and Urban Area Security Initiative (UASI).

Tell us your top-five security concerns!

Participate in the 2020 NCSR

CIS is thankful for the partners who help develop and conduct the NCSR: the Cybersecurity and Infrastructure Security Agency (CISA), the National Association of State Chief Information Officers (NASCIO), National Association of Counties (NACo), and GMIS International.

CISOs and others with responsibility for SLTT cybersecurity who have not yet joined the MS-ISAC should learn how to make the most of the resources available to them.