With state and local governments, healthcare organizations, and schools under attack from cybercriminals, some government cybersecurity leaders wonder if it isn’t time to band together and take a whole-of-state approach to cybersecurity.
In a whole-of-state approach, state governments work with municipalities, K-12 schools, tribal entities, and other governmental organizations in their respective states, providing funding and toolsets, offering guidance, and sharing intelligence. Through this collaboration, small organizations such as K-12 schools that are underfunded and understaffed for cybersecurity today can benefit from the resources and wisdom of larger, better-funded peers.
As I mentioned in an earlier blog post, a whole-of-state cybersecurity strategy comprises three practices that fit together like the legs of a stool. The three practices are:
- Governance and policymaking
In this blog post, I’m going to consider the governance and policymaking part of this strategy. Governance and policymaking involve the following four activities:
- Creating cross-organizational governance teams and communication processes to support those teams over time.
- Selecting and building on proven policy frameworks such as those from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST)
- Performing risk assessments to help define policies
- Establishing and taking advantage of funding resources to support the whole-of-state strategy.
Who creates whole-of-state cybersecurity policies?
Whole-of-state cybersecurity programs are ultimately collaborations among various government entities, each of which is responsible for its own cybersecurity policies. Some of these government entities report to the governor, but many, including school districts and the state’s MS-ISAC team, do not. In most states, these entities haven’t worked closely together on cybersecurity initiatives before. So, the first step is bringing representatives from these groups together, making introductions, and beginning to build trust among stakeholders.
In the past, much of the cybersecurity policy work at the state level was performed by outside consultants such as global system integrators. Even if consultants continue to help with this work, they should now report to this new, centralized cybersecurity team.
Setting up this team can take time. IT and security leaders of all these organizations are already busy. Now they need to find room on their calendars for new meetings, videoconferences, reports, and other cybersecurity activities. And they have to learn to trust the judgment and decision-making of leaders from other organizations, including organizations to whom they don’t officially report.
It’s important to remind all the leaders about the benefits of this joint initiative: improved cybersecurity for everyone and cost savings down the road.
It’s also important this cross-organizational team be an independent organization focused on governance and not simply a tiger team of IT engineers who have been traditionally responsible for implementing cybersecurity controls themselves. Policy makers should be distinct from those who implement the policies made. This helps ensures that policies are rigorous, based on industry best practices and the latest threat intelligence, and that compliance, however well intended, isn’t simply a matter of rubber-stamped reporting. Some states such as Florida, Arizona and New York have even set up their own Departments of Homeland Security to ensure that there is a separate, policy-focused body that can define and validate cybersecurity policies without being involved in implementing those policies directly.
In many states, this separation of duties represents a dramatic shift. IT teams might have been responsible for drafting policies, implementing them, and self-attesting that they are in compliance with those policies. By separating these duties, some states are striving to make policies more comprehensive and rigorous and to hold IT teams responsible for implementing them in a way that can be measured objectively. (I’ll discuss this approach to policy and validation further in my upcoming blog post on the validation phase of a whole-of-state strategy.)
Governance and policymaking for a whole-of-state strategy
State IT leaders don’t have to start from scratch when it comes to drafting effective cybersecurity policies. Instead, they can draw on established policy frameworks such as those from the Center for Internet Security (CIS) or the National Institutes of Standards and Technology (NIST). Using these frameworks, policy teams can:
- establish standards for good cyber hygiene.
- determine acceptable thresholds for risks.
- define policies that can be enforced over time to realize those standards and address high-priority risks.
The CIS and NIST frameworks provide templates for writing comprehensive, detailed security policies. Creating such comprehensive policies is a laudable goal, but implementing these policies might be beyond the means of organizations such as K-12 school districts in the short-term.
An alternative approach is to define comprehensive policies, but to also define a high-priority list of best practices for everyone to follow. This is the approach that the State of Arizona has taken with its whole-of-state strategy. The State’s cybersecurity team identified a “Top 18” list of CIS controls to implement, giving government entities of all sizes a manageable list of projects to focus on. Security practices improved, and no organization found itself overwhelmed by an exhaustive list of demands.
Comprehensive visibility for policymaking
A question that quickly comes up when drafting IT security policies is determining just what IT assets need to be protected. After all, you can’t create policies for protecting assets if you don’t know what assets you have. So, one of the requirements for effective policy making is creating an inventory of all the IT assets across all the organizations participating in the whole-of-state program.
Project leaders can ask IT leaders in organizations to compile inventories of all the endpoints (devices such as laptops and servers) in their respective IT environments. When compiling these inventories, be sure to standardize terminology so that agencies and IT leaders can really understand what assets they have. If you’re counting Windows 10 laptops, for example, you might want to decide on the way to count Windows 10 laptops, so there’s no chance of them being confused with Windows 8.1 laptops.
One reason for performing this work early in the policy and implementation phases of this project is to ensure that the policy team has drafted policies for all the types of devices under management. You don’t want to skip over IoT devices, for example, and then later discover they play a key role in a forward-thinking municipality’s transit system.
Risk assessment for policymaking
The NIST and CIS frameworks stress the importance of risk management. Risk management is the practice of measuring the effect of uncertainties on an organization’s objectives and then taking steps to reduce the effects of those uncertainties.
For IT security, risk management comes down to identifying and protecting the IT assets and processes that are most important for supporting an organization’s mission. For a state’s Department of Motor Vehicles (DMV), for example, being able to securely store and manage applicant’s records is of critical importance. So is ensuring that license fees paid by credit card are protected by systems that comply with PCI-DSS standards.
Risk management, in this case, involves identifying all the IT resources and processes involved in creating and managing department records, identifying all the risks associated with these resources and processes, identifying the likelihood of each risk, and then applying people, processes, and technology to address those risks. For example, if having secure, off-site backups would help protect the integrity of department records, then setting up those backups would be part of that department’s risk management strategy.
Even the most comprehensive whole-of-state cybersecurity program can’t afford to protect every IT asset and IT process to the greatest extent possible. IT investments will have to be prioritized. So it’s a good idea to measure risks across all organizations involved in the whole-of-state program, so that teams can draft reasonable policies and allocate reasonable sources for protecting what’s most important to each organization.For some helpful guidelines on measuring risk, see the Tanium eBook Expert Advice on Measuring Risk.
Special funding considerations for a whole-of-state cybersecurity program
Some final questions to consider in the policy-making phase concern funding. State leaders might wonder how to fund a whole-of-state cybersecurity initiative in the first place. They might also wonder how to set up budgets so that all financial burdens don’t fall to a few centralized teams.
To help fund a whole-of-state cybersecurity initiative, SLED organizations should take advantage of every funding source they can find. Look for grant programs that might help municipalities, schools, tribal organizations, or even the state itself fund a suite of standardized cybersecurity tools and services. In addition, the federal government is offering states some short-term funding increases to address cybersecurity. States should take advantage of those federal funds while they’re available.
Second, the whole-of-state cybersecurity team should work to get state funding to support the whole-of-state cybersecurity initiative. A few states have already done this. With a dedicated, multi-million-dollar fund to draw on, they can purchase the IT equipment and training services school districts and other organizations need, ensuring that purchases are made with volume discounts and that software and hardware are as consistent as possible across government entities. This additional funding provides another incentive for organizations to participate in the initiative overall. By applying for grants for modernizing and securing their IT infrastructure, organizations such as school districts can improve their cyber hygiene while also freeing funds for use on other cybersecurity related projects.
Finally, it’s worth pointing out that a successful whole-of-state cybersecurity program should save states, municipalities, K-12 schools, and other local organizations money. If improved security eliminates the need for multi-million-dollar ransom payments or eliminates outages that lead to lost revenue, those upfront investments will pay for themselves.
This post is part of a series examining each of the three practices – governance, implementation, and validation – required for realizing a whole-of-state cybersecurity strategy.
If you would like to learn how the Tanium Converged Endpoint Management platform can help your organization enact a more mature cybersecurity strategy, please contact us.