Byron Acohido writes:
This should come as no surprise. State government agencies aren’t devoting nearly enough resources to protect citizens’ sensitive data from hackers and data thieves.
Some 49 out of 50 states report that a lack of budget is crippling efforts to manage cybersecurity effectively. One state chose not to participate.
That’s the upshot of a survey titled “State Governments at risk: A Call to Secure Citizen Data and Inspire Public Trust” conducted by consulting firm Deloitte & Touche and the National Association of State Chief Information Officers.
Read more on The Last Watchdog.
The key findings of the report:
1. Governance: The Enterprise CISO position is firmly established in the majority of states. To be successful, CISOs must continue to evolve this position to garner enterprise visibility, authority, executive support, and business involvement.
2. Strategy: States increasingly are embracing strategic planning as part of their cybersecurity approaches and are converging on the National Institute of Standards and Technology (NIST) risk assessment framework for strategic alignment. However, without compliance audit and enforcement mandate such as the Federal Information Security Management Act (FISMA) at the Federal level, compliance to the NIST framework across the enterprise is not likely to be achieved.
3. Budget: Security budgets and resources available to State CISOs lag behind those of their private-sector
counterparts. In tough economic times the gap may be widening as the private sector is increasing its investment in security.4. Internal, External Threats and creating a cyber mindset: Threats to PII and PHI are growing—both from the inside and the outside. States are still in the early stages of establishing programs and deploying technology to protect this sensitive data. Further, CISOs expect to face a host of threats over the next 12 months, ranging from “zombie” networks to social engineering and employee lapses. For this reason, CISOs recognize the importance of creating a “cyber mindset” within their respective enterprises, and are turning to education and awareness to combat these threats.
5. Security of Third Party Providers: States use the services of contractors, managed service providers, and other third parties to deliver sensitive and critical constituent services; managing the security of these
third-party providers may not be keeping pace with the escalation of threats.The 2010 Deloitte-NASCIO Cybersecurity Study compares state responses against Deloitte’s bellwether survey in the financial services industry, as well as against other external sources and benchmarks. These comparisons serve to demonstrate the divide that exists between the private sector and the states.
Report: State governments at risk: A call to secure citizen data and inspire public trust (pdf)
Cross-posted from PHIprivacy.net