Cybersecurity Governance: State CISO Roles – Past, Present and Future

What does a state government Chief Information Security Officer (CISO) actually do? What is the scope of their authority? Who do they report to? What training and/or certifications are required?  How has the role changed over the past decade? Most importantly, what’s next? That is, what is likely to happen regarding cybersecurity management and roles in the states over the next decade?

To help answer these questions and many more, I am commenting on a recently published report (May 2010) by the University of Kansas for the IBM Center for the Business of Government. The title is: Cybersecurity Management in the States: The Emerging Role of Chief Information Security Officers. This paper is a part of their “Strengthening Cybersecurity Series.”

But before I dive into this topic, I want to show you why this issue is so important – right now. I believe we are about to enter a new period, not just for cybersecurity management and state government online security governance, but also for governance of the Internet as a whole. The private sector understands what is at stake, as we can clearly see in the debates surrounding pending federal legislation. Want some evidence?   

As the US Senate debates the merits of the latest Cybersecurity Act of 2010, most of the focus has been on provisions that give the President emergency authority to shut down private sector or government networks (or not) in the event of a cyber attack capable of causing massive damage or loss of life. There is also a vigorous debate over government roles regarding cybersecurity.  Many legislators and security experts support this legislation. But Richard Stiennon, popular security speaker and author of Surviving Cyberwar, wrote in Forbes that this is a “very bad bill.” 

I am steering clear of most of Rich’s arguments in this column, with the exception of reiterating that we are talking about close to $2 billion (additional) dollars being dedicated to cybersecurity. Where, when and how will this money be applied to help secure state and local government networks – if indeed some version of this legislation is implemented? What tangible results will follow? How will command and control work in a local cyber emergency or an “event of national significance?” As Stiennon asks, will the end result improve things going forward?

Now I realize that I can’t possibly do justice to this complex topic in one blog. So I urge you to read the report issued by the University of Kansas. The history section is very well done – and I really like the case studies from the six states. As a previous executive board member of the MS-ISAC for many years and Michigan’s CISO for almost seven years, I think the summary of duties, interactions and accomplishments listed for each state is helpful and provides insight into the various CISO roles in the states – and how they differ. I personally know five of the six security leaders mentioned, and I can vouch for the fact that they are outstanding public servants who have built excellent security programs and strategies.    

But I’m not writing this piece to just praise my friends. I want to focus in on what’s next and the recommendations for the future (beginning on page 30 of the report). This is where the linkage occurs with new federal legislation and this is where I have some disagreements.

Here is a brief summary of the five recommendations in the report:

1)      State cybersecurity officials should increase the use of collaboration and networks.

2)      State cybersecurity officials should evaluate their formal and informal relationships with federal cybersecurity officials.

3)      State cybersecurity officials should devote increased attention to and receive training in multidisciplinary problem solving.

4)      State cybersecurity officials should receive training in collaboration competencies and those competencies should be recognized and rewarded.

5)      State cybersecurity officials should devote increased attention to data management.

While I don’t disagree that these are all relevant things to do, my main concern with these recommendations is that they are too weak. In my personal opinion, this was the list of priorities for the first decade of the 21^st century – not urgent priorities for the second decade. I remember discussing a similar list about five years ago as Michigan CISO. This list maintains and/or tweaks the status quo. It is the list of priorities that the top CISOs have already implemented – not where we need to be in 2015. 

Don’t get me wrong, all states can benefit somewhat from following this advice. But it seems to me that there are currently three groups of states. A third “get it” and are making cybersecurity a strategic state-wide priority despite limited funding. A third don’t seem to “get it” when it comes to cybersecurity or getting serious about protecting their government businesses, networks and systems. (Or if they do, their actions certainly aren’t matching their words.) Another third in the middle seem to be “playing the hokey-pokey.” That is, they have one foot in and one foot out – depending on a variety of factors such as whether there’s been a recent security breach. When the smoke clears, they go back to the way they were.

These behaviors are demonstrated repeatedly by varying levels of participation in local, state and federal security organizations and associations. More importantly, they are still addressing the same issues as five or more years ago. Meanwhile, DHS, the MS-ISAC, NIST, US-CERT, NASCIO and others have a myriad of documented policies, best practices regarding security, free training, case studies on what it takes to be successful, and more. Nevertheless, the implementation of these best practice processes, procedures, tools and expertise continue to lag in many states.   

My fear is that as more CISOs retire or leave government service for the private sector, we will keep starting all over again. Our states face a huge transition of state executive administrations early next year with 37 Governors up for reelection – and many current Governors being term limited. These facts, along with the legislation going through Congress now, provide a unique opportunity to shape the cybersecurity landscape in the states for next decade. We need to build cybersecurity into the culture of government. 

So what do I recommend? I thought about listing five different recommendations, but I decided cut down to three recommendations. What are the things we could do to improve the national cybersecurity picture for state and local governments in lasting ways? Yes, we need more funding – but funding alone won’t help without specific governance changes leading to meaningful, ongoing results in cyber emergency situation.

Side Note: Michigan has had the worst economy and funding picture of all the states over the past decade, and yet we have one of the top ongoing cybersecurity programs amongst the 50 state governments, as measured by externally verified sources, federal/state cybersecurity relationships, industry benchmarks, compliance efforts and awards. A big part of this success flowed from our creation of a centralized “center of excellence” for security under the Michigan CISO – with authority and accountability for specific results and improvements.

The Michigan technology and cybersecurity model can work in other states, and indeed many other states are consolidating their infrastructure, data centers, governance, security and more to gain efficiencies and develop centers of excellence. In addition, the national cybersecurity initiative lists requirements for federal agencies with projects like Einstein and reduced numbers of Internet access points. Why not implement the same projects within state governments that are custodians of sensitive federal data?  

Before I list my three recommendations, I want you to think about this question: What proven model works in state governments to address other emergency situations? What if the feds need to get involved and/or help as emergencies grow? How do processes and procedures work in those situations – as well as the need for the allocation of federal funding and/or additional, cross-state or federal assistance?

The answer is of course the emergency management functions in each of our states. We have a model which works to enhance communication, set priorities, and direct response in the event of forest fires, tornadoes, hurricanes, bombs, chemical attacks, white powder showing up in letters and more. So what am I suggesting? We need to expand that model.

Here are my cybersecurity recommendations for state governments for the next five years:

1)      Using the state Homeland Security Advisors/Coordinators as a model, each Governor should create a CISO with real clout that can work across local/state/federal lines. Most importantly, cybersecurity authority needs to be in a centralized function in the states under a CISO that is recognized by both Governors and the legislative branches.

Note: in my view, the Governor or chief executive can certainly designate that someone else appoint this person, such as the CIO in Michigan. Who this person actually reports to is open for discussion, but the authority to act quickly in emergency situations (such as breaches) must be clear and cover all areas of state government. Some discussion can be made regarding legislative and judicial branch separation, but I believe it must include authority over all executive branch agencies and functions as a minimum – with communication links to all branches of government.

2)      Each state needs to build a comprehensive cybersecurity plan which is modeled after the Federal Cybersecurity Initiative (and currently mandated for all federal agencies.) State modifications will be needed, but federal funding should be made available that cuts across traditional funding silos and addresses enterprise-wide cybersecurity priorities – even helping local governments within states where feasible. This plan should encompass traditional law enforcement issues as well include cyber issues within new state and local fusion centers.  

3)      Establish clear command and control for all cybersecurity incidents. Cyber emergency situations should follow the processes and procedures directed in our National Incident Management System (NIMS). A command and control structure must be established which will work to prepare and respond to a variety of different circumstances. This will allow local, state and federal efforts to be coordinated and escalated as appropriate in cross-boundary situations which cover multiple states and or government jurisdictions. Within states, this function must be centralized – in the same way as emergency management dictates response to pandemic health-related emergencies  (such as the H1N1 virus) or other sector emergencies such as nuclear and transportation.

Just as our armed forces recognized the importance of cyber by establishing a cyber command, we need similar mechanisms and support structures established for state and local cyber emergencies. Cross-functional issues such as electricity grid (smart grid) security as well as cybersecurity challenges in each of the critical infrastructure protection (CIP) areas will mean that emergency management will evolve in this century – as the recent hurricanes and response to the Gulf of Mexico oil crisis has demonstrated.   

The recently published guide that addresses cyber events of national significance is a good start, and a similar model can be applied to state-level cyber situations that do not rise to this national threshold. Again, think of weather and other emergency management situations which start local, can lead to a Governor-declared state of emergency and can even lead to a Presidential Declaration of a disaster area. This same model can be instituted for cyber.

 The details of how these proposals could work must be addressed in another article. Most importantly, we need new, bold action to improve our cyber defenses. However, the traditional emergency management model can serve as the basis for this action.

One final comment: I appreciate the effort that the University of Kansas and the IBM Center for the Business of Government put into this topic. It is clearly a well researched paper, with good interviews and helpful references. I want to thank them for their work. I would enjoy further dialogue with this team and others regarding this important topic and the future of cybersecurity governance in the states.