North Dakota: An innovative and leading cybersecurity state

North Dakota is addressing the cybersecurity skills shortage with policies and programs for government, education, and business.

When you think of U.S. states exhibiting cybersecurity leadership, which ones come to mind? For me, I’d place Maryland at the top of the list, followed by California, Massachusetts, Virginia, Georgia, and a few others. In my view, those states exhibit good efforts around cybersecurity innovation and public/private partnerships.

Now, if you pinned me down and asked me to continue my list, I’m not sure where I’d place North Dakota, a state with a population of 755,000. Until recently, I had no knowledge or opinion on the state’s cybersecurity position whatsoever. That changed when someone from the office of the CIO in North Dakota read one of my blog posts about the cybersecurity skills shortage and reached out to fill me in on the state’s cybersecurity efforts. As it turns out, North Dakota is doing quite a bit.

North Dakota Gov. Doug Bergum makes cybersecurity a priority

As my research has often indicated, a strong cybersecurity culture starts at the top with an active executive. In North Dakota, this responsibility falls to its governor, Doug Burgum. Gov. Burgum gets technology, as he is the former CEO of Great Plains Software, a mid-market ERP provider that was sold to Microsoft in 2001. Since his election in 2016, Gov. Burgum has made STEM, IT, and cybersecurity a major part of his agenda. 

So, North Dakota has IT chops at the top, and this is important for the future of the state. Good thing, since the state is a hub for unmanned aerial vehicle (UAV) R&D, energy, and agriculture – industries with heavy IT dependencies. Additionally, there is a fairly big military presence in the state.

Over the past few months, I’ve learned a bit about North Dakota’s four-pronged strategy – 1) Defend against threats, 2) Automate services, 3) Adopt a singular posture, and 4) Focus on computer science and cybersecurity education. 

In April of this year, North Dakota did something no other state has – it signed legislation to unify cybersecurity across all departments. This was seen as a way to protect 252,000 users who were already communicating across the state’s unified network (StageNet) and defend against around 5 million cyber attacks per month. Centralizing cybersecurity defenses and operations will allow the state to unify policies, invest in leading security technologies, and spread cybersecurity expertise across agencies and localities that may not have the skills or staff to manage cyber risk on their own. 

This program makes a lot of sense. According to ESG research, 53% of organizations claim to have a “problematic shortage” of cybersecurity skills (note: I am an ESG employee). Furthermore, the cybersecurity skills shortage is at its most acute for public sector and rural organizations. Since North Dakota meets both criteria, centralizing cybersecurity services may help the state improve cyber risk management, streamline operations, and scale to align cybersecurity defenses and processes with a growing attack surface.

Aside from governmental efforts, North Dakota is taking cybersecurity education much more seriously than other states. The state has adopted a program called K-20W, with a goal of “every student, every school, cyber educated." To develop its programs, North Dakota enlisted the help of the National Integrated Cyber Education Center (NICERC) and private companies like Microsoft. Teachers across the state are being trained on cybersecurity and developing a curriculum that will be used for all school districts from kindergarten through 12th grade.

At the college level, North Dakota State has a new PhD-level cybersecurity program, while Bismarck State College (supported by Palo Alto Networks) was recently designated as a Center of Academic Excellence in Cyber Defense by NSA and DHS. Finally, the “w” in K-20W extends cybersecurity education to the North Dakota workforce with 40 statewide organizations participating.

I’ve been researching and writing about the cybersecurity skills shortage for more than seven years. Early on, I was a lone voice and sort of the Chicken Little on this topic. More recently, many other analysts, pundits, and researchers have added their voices. I appreciate the company, but in my humble opinion, things continue to get worse (note: look for a new version of ESG’s research with ISSA for more data on this topic).  This is bad news for all of us.

It certainly appears like Gov. Burgum not only recognizes this problem, but he is also willing to rally his state to do something about it. Kudos to North Dakota. I’ll continue to track its programs and progress. I hope other so-called “progressive” states do so, as well. 

Copyright © 2019 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!