State Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) are under increasing pressure to enable a digital-first presence for their state agencies while also ensuring the highest levels of security to protect employee and constituent data.

Because of the challenges faced by state technology leaders, and the increasing pressure on state and local governments, The Center for Cybersecurity Policy and Law reached out to current and former State CIOs, CISOs, and other executives about their priorities and the challenges they face. The results are in the newly released paper: “Prioritizing Cybersecurity for State Government: How a ‘Whole of Government’ Approach Benefits All.”

In recent years, state governments have become increasingly aware that cybersecurity risk is not limited to a state’s enterprise technology systems, and that other important pillars of the state have been left to fend for themselves. Most states have a central IT agency that manages services for state agencies, but local governments, higher education institutions, K-12 public schools, and other institutions typically don’t fall under that umbrella and must address the same cybersecurity challenges with even fewer resources to solve them. This can leave critical public sector systems across a state vulnerable to malicious actors, putting all state systems and constituent data at risk.

This approach has left local governments and other public institutions on their own, with fewer resources amid increasing threats, when it comes to cybersecurity. Some states have recognized this challenge and are starting to use a “whole-of-government” approach to cybersecurity services. A whole-of-government approach enables the state IT agency to provide services to state agencies, local governments, and other public institutions, relying on increased scale and visibility into threats to protect the state at all levels.

This approach is not without its own share of challenges, but can ultimately lead to greater security across the state while reducing overall costs. Recommendations for implementing this approach include:

  1. Establish whether existing laws allow a whole-of-government funding model at all levels of the state for IT and cybersecurity; if not, enable this approach.
  2. Ensure appropriate resources so that the state IT agency can serve a larger set of stakeholders.
  3. Create a voluntary approach for providing services, rather than mandates.
  4. Equip state CISOs to integrate across the state and with local governments.
  5. Consider best practices for cybersecurity and ensure consistency when proposing and passing state legislation, including legislation that would impact a broader set of constituents than just state government employees and systems.

The paper also recognizes that state cybersecurity priorities are diverse, including implementing zero trust, vendor management, and emerging issues like artificial intelligence (AI). But eventually it all comes back to following fundamental cybersecurity tenets, such as effective risk management, protecting data, and using trusted software and services. Aside from these more technical considerations, these state executives also need to think about how to recruit and retain cybersecurity professionals, explain how they operate to other state leaders and learn what those leaders need, create effective partnerships, and educate policymakers in order to bring them along.

The full report can be downloaded here.

Heather West, Daniel Wolf, Zack Martin
