“Are we secure?” is a common refrain from state lawmakers and executive leadership to their state Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs). While the individuals asking that question expect a simple response, the answer is typically very nuanced.

Just like you can’t make a building completely fireproof, it’s impossible to completely secure all of a state's information technology systems, applications, and infrastructure. State CIOs and CISOs have to educate and work with lawmakers and agency leadership to tell them about taking a risk-based approach to cybersecurity so they can marshal their resources to protect what’s most critical. And in some states, the number of resources that need protecting is growing as the central state IT agency is starting to offer cybersecurity and other services to local jurisdictions and school districts. This “whole-of-government” approach is nascent, but proving more popular as these smaller jurisdictions and institutions struggle to secure their systems under constant threat with dwindling resources.

State CIOs and CISOs know they are responsible for protecting the information of their constituents while also providing readily available, easily accessible access to a range of state services online. To get an idea of the unique cybersecurity challenges the public sector faces, and to inform this paper, we spoke to current and former state CIOs and CISOs, as well as other executives and experts. They detailed the challenges they face in addition to what they need to perform their jobs, and the skills necessary to be successful.

Public sector organizations must meet a higher bar when it comes to security. This responsibility falls on the people and agencies that governments entrust with their cybersecurity. They work to ensure that when John Q. Public wants to buy a hunting license, enroll a child in school, or apply for Medicaid benefits through the state’s health department, the state can keep the transaction and their information safe.

This is important because the attacks just keep coming. Between 2014 and 2022, there were 822 public sector breaches affecting 175 million individuals.  In recent years, the number of breaches has slowed down, but the number of individuals impacted has remained steady with the total cost of the breaches estimated at $26 billion.

Public institutions like schools are at a high risk, according to a report from the Center for Internet Security, the Multi-State Information Sharing & Analysis Center, and the Nationwide Cybersecurity Review.  Local governments also have significant risk, and states are cutting back IT projects to reduce overall budget shortfalls.

As malicious actors are finding other targets more difficult to penetrate, attacks are shifting to local government and other small public institutions, like school districts. Most of these institutions don’t have the necessary resources to combat the evolving threat landscape, so some state governments are starting to offer services to smaller jurisdictions while other communities are banding together to pool resources and realize economies of scale.

These continuous attacks and resource challenges are leading some states to rethink how to provide cybersecurity services, and that was reflected in our interviews with current and former CIOs and CISOs. In the past, a central state IT agency would provide services to other state agencies. This approach has left local governments and other public institutions on their own – with fewer resources amid increasing threats -- when it comes to cybersecurity. Some states have realized this challenge and are starting to use a “whole-of-government” approach to cybersecurity services. A whole-of-government approach enables the state IT agency to provide services to state agencies, local governments, and other public institutions, relying on increased scale and visibility to threats to protect their state at all levels. This approach is not without its own share of challenges, but can ultimately lead to greater security across the state while reducing overall costs. Recommendations for implementing this approach include:

  1. Establish whether existing laws allow a whole-of-government funding model at all levels of the state for IT and cybersecurity; if not, enable this approach.
  2. Ensure appropriate resources so that the state IT agency can serve a larger set of stakeholders.
  3. Create a voluntary approach for providing services, rather than mandates.
  4. Equip state CISOs to integrate across the state and with local governments.

Consider best practices for cybersecurity and ensure consistency when proposing and passing state legislation, including legislation that would impact a broader set of constituents than just state government employees and systems. (Additional recommendations can be found in the appendix)

State cybersecurity priorities are diverse, including implementing zero trust, vendor management, and emerging issues like artificial intelligence (AI). But eventually it all comes back to following fundamental cybersecurity tenets, such as effective risk management, protecting data, and using trusted software and services. Aside from these more technical considerations, these state executives also need to think about how to recruit and retain cybersecurity professionals, explain how they operate to other state leaders and learn what they need, create effective partnerships, and educate policymakers in order to bring them along.

Heather West, Daniel Wolf, Zack Martin

Read Next

The Counter Ransomware Initiative with Hamish Hansford (DCP S2 E8)

In the latest Distilling Cyber Policy, Alex Botting and Jen Ellis are joined by our second-ever Australian guest: Hamish Hansford, the Deputy Secretary of Cyber and Infrastructure Security Group at the Australian Department of Home Affairs.

Building PQC and Crypto Resiliency Across the Public and Private Sectors

A webinar that featured industry leaders from AT&T, the National Institute of Standards and Technology (NIST), InfoSec Global, The White House, and Venable LLP, focused on cryptographic resilience and post-quantum transition.‍

Counter Ransomware Initiative Adds Private Sector Members

Earlier this month, more than 68 countries and organization members met for the fourth annual International Counter Ransomware Initiative (CRI), which included the addition of a public-private advisory panel.