With the rise in cybersecurity threats and successful attacks, one particularly popular trend growing in the state and local government community is “whole-of-state” cybersecurity.
Whole-of-state cybersecurity is an approach that emphasizes partnership among different levels of government, educational institutions, tribal entities, and other organizations in the public and private sectors to mitigate cybersecurity threats. By breaking down governmental silos, this methodology enables entities across an entire state to share cybersecurity resources and information to improve their collective resilience posture.
For example, most states provide cyber guidance and resources free to localities. Many participate in the Multi-State Information Sharing and Analysis Center (MS-ISAC) and Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). Almost all have a state-managed cyber grant process (e.g., CISA/FEMA grants) to assist localities.
Several states have added enterprise-level resources to help. For example, Texas has Regional SOCs that leverage Higher Ed resources. The Texas Department of Information Resources (DIR) and San Angelo-based Angelo State University (ASU) will partner to operate the pilot Regional Security Operations Center (RSOC), which aims to provide Texas local governments with cybersecurity support.
Additionally, Utah has the Utah Statewide Information and Analysis Center (SIAC), California has the Cybersecurity Integration Center (Cal-CSIC), New York has the Joint Security Operations Center and North Carolina has the Information Sharing and Analysis Center (NC-ISAC).
But how can governments implement “whole of state” while building resilience for the inevitable cyber attacks in an increasingly complex threat landscape? In a webinar with Government Technology, cybersecurity experts from Iron Bow and GuardSight discussed how governments can build resilience through whole-of-state cyber tactics and what this method looks like in practice. This three-part blog series will break those insights down, taking us along what a cyber resilience journey can look like for governments.
Speakers included Kevin Finch, Senior Director of the Global Security Practice at Iron Bow; Nelson Moe, Sales Strategy Principal for SLED at Iron Bow and former CIO of the Commonwealth of Virginia; and John McGloughlin, Founder of GuardSight, Inc., an Iron Bow company that specializes in cybersecurity-as-a-service.
The Most Pressing Cybersecurity Concerns
During the webinar, over 200 audience members were polled on their “greatest cybersecurity concern for their agency, department or overall government.” Over 50% of respondents identified all three of these challenges combined as their top concerns:
- Lack of understanding or visibility into cyber posture
- Resource constraints with a lack of people, processes, and funds to effectively respond if attacked
- No plans in place to respond if and/or when attacked
Unfortunately, this lack of preparation persists in the public and private sector alike. “Generally, most organizations are constantly under-prepared,” said McGloughlin. “Bigger metro areas tend to have more resources available than their smaller suburban or rural counterparts. That’s why getting the necessary expertise, experience, and plans in place is extremely important.”
On top of these pressing cybersecurity concerns, audience members across government levels expressed low levels of confidence in their ability and preparedness to fend off any cyber attacks. When asked how confident they felt in their organization's current capabilities to fully recover services and operations in the event of a major cyber incident, less than 20% expressed feeling “highly confident” while roughly 50% felt “somewhat confident.” At least 30% of attendees expressed feeling “not confident” or “unsure of their current state.”
Visibility remains a persistent problem across every agency. According to Finch, many agencies still can’t answer these questions in the face of a cyber attack:
- Do we understand the impact?
- Do we understand what was affected?
- Do we have the right people with the right authority levels engaged?
- Do we have the right tools to recover and restore services and data if we experience an impact?
“There’s a natural tendency for organizations to vastly overestimate how prepared they are until they get ‘punched in the face,’” said Moe. “It takes true discipline, professionalism, and honesty to identify your gaps. All this effort is needed to ensure rapid and efficient recovery. That’s why your tabletop exercises must be extremely rigorous. You won’t know until you’ve actually walked through every scenario.”
Why is the Resilience Journey so Difficult?
There are many traditional challenges governments face when it comes to cyber and overall resilience. These include resource constraints, a lack of the right skillsets, and a lack of adequate tools and technologies.
Most organizations don’t focus on operational resilience and instead treat cybersecurity as its own siloed problem. However, it’s necessary to take a comprehensive approach to resilience: understand the mission, business functions, and outcomes of your agency, and trace those back to the assets, data, systems, and infrastructure dependencies that support them.
Overall, securing today’s new operating model requires a shift in thinking in addition to new skillsets, processes, services, technologies, and deployment models.
“In today’s world, we’re dealing with new architectures and methods that go well beyond disaster recovery,” said Finch. “Before, if you had disaster recovery in place, you felt pretty good. However, the advancement of threats has created a new shared responsibility among agencies where it’s no longer just a cyber problem. It’s an overall business continuity problem.”
Whole of state and resilience require a comprehensive view into your current cyber posture. “Take my backyard for example,” said Finch. “I have about 40 cameras at my house, and I know who’s coming and going at all times. At the government level, you need to know your backyard. Visibility is the holy grail for cyber teams.”
Stay tuned for part two of this series where we’ll delve into services-based approaches and how they can help government improve resilience and services.