The Deloitte-NASCIO cybersecurity study finds that many state Chief Information Security Officers (CISOs) lack the funding, programs and resources to adequately protect vital government data and the personal information of their constituents, especially when compared to their counterparts in private sector enterprises.
“Many state CISOs lack the visibility and authority to effectively drive security down to the individual agency level,” said Srini Subramanian, director, Deloitte & Touche LLP and leader of state government security and privacy services. “At the federal level, the President has recognized the critical nature of the problem and appointed a cybersecurity coordinator to address it; it’s imperative that governors and state legislative leaders make cybersecurity a priority.”
“Unprecedented budgetary cuts across state governments and growing reliance on contractors and outsourced IT services are creating an environment that is even harder to secure, and the report highlights the growing concerns of CISOs in this regard,” said Steve Fletcher, president of NASCIO and CIO of the State of Utah.
The Deloitte-NASCIO study is based on a survey in which 49 of the 50 states responded. The key findings include:
* Governance: To be successful, CISOs must continue to evolve the CISO role to garner enterprise-wide visibility, authority, executive support, and business involvement.
* Strategy: States increasingly are embracing strategic planning as part of their cybersecurity approaches and are converging on the National Institute of Standards and Technology (NIST) risk assessment framework for strategic alignment. However, without a compliance audit and enforcement mandate, such as the Federal Information Security Management Act (FISMA) provides at the federal level, compliance with the NIST framework across the enterprise is not likely to be achieved.
* Budget: Security budgets and resources available to state CISOs lag behind those of their private-sector counterparts. In tough economic times the gap is widening, further exacerbating the issue.
* Internal and External Threats: Threats to personally identifiable information (PII) and personal health information (PHI) are growing. In addition to preventing accidental and intentional internal data breaches, states need to prepare to tackle the increasing sophistication of security threats from outside.
* Security of Third-Party Providers: States use the services of contractors, managed service providers, and other third parties to deliver sensitive and critical constituent services; states must better manage the security of these third-party providers.
Based on the findings, Deloitte and NASCIO provide a set of recommendations that state CISOs might use to help bridge some of these gaps, including partnerships within state government, executable strategies, ideas for standardization and tips for better preparing staff and others.
“State CISOs and CIOs recognize the threats and realize all government leaders need to be better informed on the risks,” said Doug Robinson, executive director of NASCIO. “It’s clear CISOs have tough jobs without adequate resources. A staggering 88 percent of respondents mention lack of sufficient funding as a major barrier to effectively addressing information security.”
In a letter introducing the report, the Honorable Tom Ridge, the nation’s first Secretary of the Department of Homeland Security, notes, “The 2010 Deloitte-NASCIO Cybersecurity Study confirms that large amounts of Personally Identifiable Information (PII) that the states maintain may be at risk, but barriers identified in the study make securing PII a daunting task.”
For a copy of the full report, “State Governments at Risk: A Call to Secure Citizen Data and Inspire Public Trust,” please visit www.deloitte.com/us/stategovatrisk.com
For more information about Deloitte’s U.S. State Government practice, please visit http://www.deloitte.com/view/en_US/us/Industries/us-state-government/index.htm.
The National Association of State Chief Information Officers is the premier network and resource for state CIOs and a leading advocate for technology policy at all levels of government. NASCIO represents state chief information officers and information technology executives from the states, territories, and the District of Columbia. The primary state government members are senior officials who have executive level and statewide responsibility for information technology leadership. State officials who are involved in agency level information technology management may participate as state members. Representatives from other public sector and non-profit organizations may also participate as associate members. Private sector firms may join as corporate members and participate in the Corporate Leadership Council. For more information about NASCIO visit www.nascio.org.
As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.