In March 2018, the city of Atlanta suffered a ransomware attack that compromised the data of their employees and anyone who conducted business with the state and ended costing $2.6 million in emergency contract efforts. When Louisiana was attacked in November of 2019, 10% of the state’s servers were infiltrated and some 1,500 computers were damaged. These examples demonstrate cybersecurity should be a top priority for procurement officers to protect the sensitive information of both vendors and staff. Understanding the issues and goals of your state Chief Information Security Officer (CISO) can pave the road toward a more productive working relationship and allow procurement officers to address increasing cybersecurity threats as partners.
To gain insight into the current state of cybersecurity, Deloitte Insights and the National Association of State Chief Information Officers (NASCIO) partnered to publish a joint report, “2018 Deloitte-NASCIO Cybersecurity Study: States at risk: Bold plays for change.” This report is considered the most comprehensive study of state cybersecurity spend and all 50 states participated in the survey.
The three main challenges facing CISOs are:
Lack of Sufficient Cybersecurity Budgets
Inadequate Cybersecurity Staffing
Increasing Sophistication of Threats
To address the challenges this survey identifies, three “Bold Plays” to accelerate change are proposed:
Advocate for Dedicated Cyber Program Funding: Approximately half of US states do not have cybersecurity as a line item in their IT budget. CISOs should advocate for cybersecurity to be included in the budget as a separate line item to secure dedicated funds for new security regulations. This draws attention to the disparity in cybersecurity funding between the public and private sector and makes it easier to set a goal to dedicate more funding for cybersecurity.
CISOs as an Enabler of Innovation, not a Barrier: The report points out that an important aspect of the CISO’s job is to guide the states when they implement new technological innovations such as Cloud services. They should “actively participate with the state CIOs” in order to shape the agenda and help program leaders embrace newly available technologies in a safe and secure way.
Team with the Private Sector and Higher Education: CISOs should consider outsourcing work to private institutions in order to address competency gaps and difficulties associated with staffing. A potential avenue for new talent could include partnering with academic institutions to establish internships, co-ops and apprenticeship programs to address emerging cybersecurity technologies.