mobile devices (Indypendenz/

CISO-as-a-service for Michigan municipalities

To help municipalities across Michigan improve their cybersecurity posture, the state last year launched a CISO-as-a-service pilot that helps small and mid-sized government agencies assess their IT security the way a chief information security officer might.

Today, nine communities are participating, and two or three more may join before the pilot ends at the end of September.  As the pilot enters the final stages, the Michigan Department of Technology, Management and Budget (DTMB) will be working with the local communities to make the program permanent.

The program gives a community a scorecard it can use to benchmark its systems, prioritize risks and track progress.  The assessment uses controls from the state’s CySAFE program, which was developed based on controls from the Center for Internet Security, the International Organization for Standardization and the National Institute of Standards and Technology.

“We want to help people who don’t have a lot of experience with doing cybersecurity,” Chris DeRusha, Michigan’s deputy chief security officer, told GCN after a April 23 panel at the National State Association of State CIOs midyear conference. “The [CISO-as-a-service program] helps them to go through the documentation and an assessment of their maturity and then makes a judgment based on all of it where they are.”

Communities using CISO-as-a-service range from Springfield, a town with 13,000 and only one full-time IT employee, to Washtenaw County, which has a population of approximately 360,000 residents. Currently, the service is offered to communities for free, but DTMB is working to find ways to continue the program as a fee-for-service offering.

Depending on the level of interest from the community, DeRusha said there are also opportunities to get one-on-one advice and help. 

“CISO-as-a-service is designed to help communities that don’t have a lot of money,” Michigan CIO Dave DeVries said.  By demonstrating its value during the pilot phase, he said, the program can help communities “know what they need to ask for" in terms of funding from their local governing bodies.

Opportunities also exist to extend the cybersecurity support to other public sector agencies that depend on secure IT, such as health care and financial agencies, according to DeVries. 

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at or follow her on Twitter @SaraEFriedman.

Click here for previous articles by Friedman.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.