State CISOs aren't bullish on cybersecurity
Survey finds cut or frozen budgets are hurting efforts to protect systems
As threats to data continue to grow, many cash-strapped states are struggling to provide cybersecurity with stagnant or reduced budgets, a new study concludes.
In a survey by the National Association of State CIOs and Deloitte, 79 percent of state chief information security officers reported that their cybersecurity budgets were either cut or frozen, CivSource reported. And nine of 10 CISO’s cited a lack of funding as the biggest hurdle to securing systems.
Agencies’ big security weakness: Lack of money and people
A lack of money isn’t the only problem. The survey report, “State Governments at Risk: A Call to Secure Citizen Data and Inspire Public Trust,” focused on five areas:
Governance. The report recommends that CISOs “continue to evolve this position to garner enterprise visibility, authority, executive support, and business involvement.”
Strategy. States need an enforcement mandate similar to Federal Information Security Management Act to push states toward compliance with the National Institute of Standards and Technology’s risk assessment framework for strategic alignment.
Budget. “Security budgets and resources available to state CISOs lag behind those of their private-sector counterparts,” the report states, warning that the gap could get wider in the current economic environment.
Internal, external threats and creating a cyber mindset. Threats to personally identifiable information and protected health information are growing, and states are in the “early stages of establishing programs and deploying technology to protect this sensitive data,” the report states. CISOs need to adopt a “cyber mindset” using education and raising awareness.
Security of third-party providers. States’ management of third-party providers for sensitive or critical services “may not be keeping pace with the escalation of threats.”
Eric Chabrow in GovInfo Security points out that the trend in government stands in contract to what the private sector is doing. As separate Deloitte survey has shown that the financial services industry spent more on IT security during the economic downturn, Chabrow writes.