Survey signals call to CISOs, CIOs and business leaders to collaborate and move forward

Nashville, TN October 1 — Although nearly one-half (48 percent) of all state chief information security officers (CISOs) reported incremental increases to cyber security budgets, insufficient funding remains the leading barrier to battling cyber threats, according to the 2014 Deloitte-National Association of State Chief Information Officers (NASCIO) cybersecurity study, released today.

The third biennial Deloitte-NASCIO survey of CISOs and their equivalents also reveals an increasing sophistication of cyber threats and inadequate availability of cyber security resources as other top barriers to achieving adequate cyber security measures within state governments.

Three-quarters (75 percent) of the respondents cited lack of sufficient funding as their top barrier and 46 percent estimated security budget to be only between 1 and 2 percentage of the overall technology budget. Approximately 6 in 10 (61 percent) CISOs cited an increase in sophistication of threats, up from roughly half (52 percent) in 2012. The number citing a shortage of qualified cybersecurity professionals jumped from 46 percent in 2012 to 59 percent in 2014.

“State CISOs and CIOs are dealing with a myriad of complex issues related to cybersecurity – budget, increasing threat sophistication, talent and stakeholder communication” said Srini Subramanian, principal and leader of Deloitte & Touche LLP’s Risk Services practice to state governments. “The role of the CISO itself has matured and expanded – they are charged to do a lot, with inadequate resources.”

Ironically, another challenge cited in the report is a continued discrepancy in the confidence levels of CISOs and state officials. An accompanying survey of state business officials found that 60 percent had high levels of confidence in states’ ability to protect and defend against external cyber threats. Only one-quarter (25 percent) of state CISOs expressed a similar level of confidence.

“State business leaders need to be better informed regarding the gravity of the situation, and we believe that this gap significantly undermines a CISO’s ability to gain funding and support for cybersecurity programs. Communicating the cybersecurity risks and potential impact to the business and elected state leaders will likely help elevate the issue,” Subramanian noted. “But despite continuing challenges, CISOs are standardizing security practices, launching broad-based awareness campaigns, and looking for ways to attract the right talent to join them in their fight against cyber threats and protecting states’ critical infrastructure.”

Overwhelmingly, 9 in 10 (90 percent) CISOs point to the salary and pay grade structures states offer as one of the most substantial barriers to attracting and retaining skilled cybersecurity professionals. State cybersecurity professionals are also leaving for private sector careers (71 percent) and more than two-thirds (67 percent) cite lack of defined cybersecurity career paths and opportunities at the state-level.

“The survey provides a sobering assessment of continuing challenges of budget, talent and evolving nature of cyber threats,” said Doug Robinson, chair of NASCIO. “A key challenge facing states is how to both focus on the immediate need of securing their ecosystems against imminent threat while maturing their cybersecurity program that covers protection, early detection/containment and ability to bounce back from incidents.”

Key findings of the 2014 Deloitte-NASCIO Cybersecurity Study include:

• Maturing role of the CISO: State CISO role continues to gain legitimacy in authority and reporting relationships. The responsibilities of the position are becoming more consistent across states, yet expanding. CISOs today are responsible for establishing a strategy, execution of that strategy, risk management, communicating effectively with senior executives and business leaders, complying with regulators, and leading the charge against escalating cyber threats using various security technologies.
• Continuing budget-strategy disconnect: The improving economy and states’ growing commitment to cybersecurity have led to an increase – albeit small – in the budgets. CISOs have also been successful at tapping supplemental resources, whether from other state agencies, federal funding, or various agency and business leaders. Nevertheless, budgets are still not sufficient to fully implement effective cybersecurity programs – it continues to be the top barrier for state CISOs. In addition, survey responses show that there may be additional barriers to implementing successful initiatives: namely the lack of well-thought-out and fully vetted cybersecurity strategy and priorities.
• Ongoing cyber battle, regulatory complexity, and the confidence gap: State information system house a wide range of sensitive citizen data, making them especially attractive targets for cyber-attacks. CISOs are concerned about the intensity, volume and complexity of cyber threats that run the gamut from malicious code to zero-day attacks. They need to stay abreast of existing and developing threats to establish and maintain the security of an information environment that now increasingly extends from internal networks to the cloud and mobile devices. State officials however, are more confident than CISOs in the state’s safeguards against external cyber threats.
• Growing talent crisis: The skill sets needed for effective cybersecurity protection and monitoring are in heavy demand across all sectors. Private sector opportunities and salaries are traditionally better that those offered by government. Not surprisingly, state CISOs are struggling to recruit and retain people with the right skills, and they will need to establish career paths and find creative ways to build their cybersecurity teams. Furthermore, as states turn to outsourcing and specialist staff augmentation as a means to bridge their cybersecurity talent gap, it’s imperative for CISOs to manage third-party risks effectively.

For a copy of the full report, “2014 Deloitte-NASCIO Cybersecurity Study,” please visit www.nascio.org/DeloitteNASCIO2014CybersecurityStudy/

About the Survey
Deloitte, in conjunction with NASCIO, conducted an online survey of CISOs and state officials in May of 2014. Survey respondents included CISOs or equivalents responsible for the security oversight of 49 states. Additionally, Deloitte surveyed 186 U.S. state business officials to gain states’ business stakeholder perspectives about how government enterprise views, formulates, implements, and maintains its security programs.

About NASCIO
The National Association of State Chief Information Officers is the premier network and resource for state CIOs and a leading advocate for technology policy at all levels of government. NASCIO represents state chief information officers and information technology executives from the states, territories, and the District of Columbia. The primary state government members are senior officials who have executive level and statewide responsibility for information technology leadership. State officials who are involved in agency level information technology management may participate as state members. Representatives from other public sector and non-profit organizations may also participate as associate members. Private sector firms may join as corporate members and participate in the Corporate Leadership Council. For more information about NASCIO visit www.nascio.org.

About Deloitte’s Cyber Risk Services
Deloitte’s Cyber Risk Services help complex organizations more confidently leverage advanced technologies to achieve their strategic growth, innovation and performance objectives through proactive management of the associated cyber risks. With deep experience across a broad range of industries, Deloitte’s more than 1600 practitioners provide advisory and implementation services, spanning executive and technical functions, to help transform legacy IT security programs into proactive Secure.Vigilant.Resilient. Cyber risk programs that better align security investments with risk priorities, establish improved threat awareness and visibility, and strengthen the ability of organizations to thrive in the face of cyber incidents.

About Deloitte
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Nashville, TN., Monday, September 29 — The National Association of State Chief Information Officers (NASCIO), awarded the Thomas M. Jarrett State Chief Information Security Officer (CISO) Scholarship to three deserving CISO’s during the 2014 Annual Conference in Nashville.

This is the second year for the scholarship program, which was created to pay homage to Thomas M. Jarrett, past president of NASCIO (2004 – 2005), for his passion for cybersecurity. The scholarship grants current CISO’s the opportunity to attend the NASCIO Annual Conference.

The following individuals were selected to receive this year’s scholarship due to their dedication and leadership in cybersecurity:

Chris Letterman, Chief Security Officer, State of Alaska

“Chris Letterman took over the SSO in 2013 in the midst of a crisis,” said Jim Bates, CIO State of Alaska. “He has effectively, in that short time frame changed the security culture from what was perceived by our stakeholders ‎and customers as law enforcement to one of public safety. He has become the great collaborator and has brought needed focus to our State’s future in terms of Risk Management and Cybersecurity.”

Kevin Burns, Chief Security Officer, Commonwealth of Massachusetts

Bill Oates, Commonwealth CIO for the Commonwealth of Massachusetts said, “We in Massachusetts are fortunate to have a CISO with Kevin’s expertise, experience, and dedication. I am so pleased that Kevin’s hard work has been recognized by NASCIO, giving him the opportunity to meet and exchange ideas and best practices with peers from across the nation at this year’s conference. I am confident that the learnings Kevin brings home to Massachusetts will help us in our robust and ongoing cybersecurity efforts.”

Deborah Snyder, Acting Chief Information Security Officer, State of New York

“Deb Snyder is an accomplished government policy and cybersecurity industry leader, and brings a wide range of knowledge, skills and experience to the challenges of dealing with today’s rapidly changing information management landscape,” Brian Digman, CIO, State of New York. The recent transformation of New York State’s information technology services necessitated a clear vision of the role and value of information security in enabling the State business needs. As Acting NYS Chief Information Security Officer, Deb established our Enterprise Information Security Office organization and core functions, and set the strategic direction for business-aligned security risk management, consistent standards and practices, enhanced threat monitoring and incident management capabilities, skills training and awareness. Her passion, dedication and leadership in cybersecurity have enabled us to progress efforts quickly and effectively. She is an invaluable resource to our senior leadership team, and an outstanding choice for this well-deserved recognition.”

Learn more about the recipients at www.nascio.org/awards/tjcs/

LEXINGTON, Ky., Thursday, September 18 — Acknowledging the importance of protecting citizen data and raising awareness of security threats, the National Association of State Chief Information Officers (NASCIO) endorses October 2014 as National Cyber Security Awareness Month. This October marks the 11th Anniversary of National Cyber Security Awareness Month and for this observance, NASCIO has updated its Resource Guide for State Cybersecurity Awareness, Education, and Training Initiatives. The Resource Guide is now available at www.nascio.org/publications/. Visit NASCIO’s Cybersecurity Awareness resource page to learn more www.nascio.org/advocacy/cybersecurity/.

“NASCIO is excited to kick off National Cyber Security Awareness Month at our 2014 Annual Conference this year in Nashville,” said Craig Orgeron, NASCIO president and Mississippi chief information officer. “With cybersecurity remaining a top issue for our state CIOs, it is critical that we continue to bring attention to the significance of online safety and security. States across the country are creating programs to ensure that every citizen has the resources they need to stay safer and more secure online. The month of October allows us to highlight each state’s initiatives and understand our shared responsibility.”

NASCIO has joined forces with the Department of Homeland Security’s Office of Cybersecurity and Communications, the Multi-State Information Sharing and Analysis Center and the National Cyber Security Alliance in supporting National Cyber Security Awareness Month, which is designed to increase the public’s awareness of cybersecurity and crime issues so citizens can take precautions to avoid those threats on the Internet. Public relations activities, educational programs, events and initiatives that target home users, small businesses, education audiences (K-12 and higher education), and child safety online will be featured throughout October. To find out more about participating in National Cyber Security Awareness Month, please visit www.staysafeonline.org.

LEXINGTON, Ky., Tuesday, September 9 — Top state information technology leaders for the National Association of State Chief Information Officers (NASCIO) have selected to adopt a new strategic plan aimed to put a stronger emphasis on areas such as leadership and business innovation that are key factors in the evolving role that CIOs play as transformative government leaders.

“The NASCIO Executive Committee held a strategic planning session focused on the priorities and future vision of the association,” said Craig Orgeron, Ph.D., NASCIO president and Mississippi chief information officer and executive director. “The new strategic plan reinforces the association’s mission, vision, and guiding principles and strengthens NASCIO’s ability to support CIOs as state leaders and visionaries.”

NASCIO relies on its strategic plan to guide the development of the annual business plan and supporting performance measurement. Strategic initiatives to be addressed are determined by the Executive Committee after assessing state member priorities, as well as emerging national trends and issues. The complete strategic plan is available at www.nascio.org/aboutNASCIO/StrategicPlan/.

LEXINGTON, Ky., Tuesday, August 19 — The National Association of State Chief Information Officers (NASCIO) has selected 33 IT initiatives in 11 categories as finalists for the State IT Recognition Awards. This year’s high quality of nominations shows that states continue to innovate and achieve great results.

This is NASCIO’s 26th consecutive year of honoring outstanding information technology achievements in the public sector. Finalists in NASCIO’s prestigious awards program were recently announced and one initiative in each category will be recognized at NASCIO’s upcoming Annual Conference in Nashville. Projects and initiatives from NASCIO member states, territories, and the District of Columbia were eligible for nomination, and finalists were selected by NASCIO’s Awards Committee from a field of more than 100 nominees.

“Being a part of the NASCIO awards process was a privilege and an honor,” said David Behen, CIO for the state of Michigan. “As co-chair of the Awards Committee, I can assure everyone that the winners of these coveted IT awards will be both deserving and hard earned. The selection process is sound and strong.”

“As a longtime NASCIO member, I always look forward to the awards process each year,” said Claire Bailey, CTO and Director for the state of Arkansas and Awards Committee co-chair. “I continue to be amazed by the innovation and leadership that is showcased in the submissions. All submissions illustrate the dedication across the states to improve access and delivery of government services. Congratulations to the award recipients and thanks to all who took part in this process.”

To ensure states can access the innovations and best practices of their peers, details about all the nominated projects are posted on NASCIO’s website at www.nascio.org/awards/sit

Awards finalists in the 2014 program are as follows:

Cross Boundary Collaboration and Partnerships
State of Ohio: Ohio Integrated Eligibility System
State of Oregon: Oregon Interoperability Service Project
Commonwealth of Massachusetts: Tracking Towards a Greener Tomorrow

Data, Information and Knowledge Management
State of North Carolina: Electronic Rounds Tracking System
State of Connecticut: ConneCT – Modernization of Client Service Delivery
State of Tennessee: Tennessee Controlled Substance Monitoring Database
State of Texas: TXMAP, Flex Version 2.0

Digital Government to Business (G2B)
State of Washington: Automatic Infrared Roadside Screening (AIRS) System
State of Oklahoma: Construction Project and Portfolio Management Tool Implementation
State of Oregon: Oregon Employer Portal Project

Digital Government to Citizen (G2C)
Commonwealth of Kentucky: kynect: Kentucky’s Healthcare Connection
State of New Mexico: Unemployment Insurance (UI) Tax & Claims System
State of Washington: Washington Healthplanfinder Facilitates Health Insurance Exchange

Enterprise IT Management Initiatives
State of California: California Highway Patrol Statewide CAD Replacement Project
State of Georgia: Desire2Learn Implementation
State of Michigan: Enterprise Portfolio Management Transforms State IT

Fast Track Solutions
State of California: Corpsmember Recruiting System (CoRe)
State of Connecticut: Expedited Licensing for Healthcare Providers
State of Missouri: Health Home Performance Enhancement through Novel Reuse of Syndromic Surveillance Data

Improving State Operations
State of Oklahoma: Docket Search and Investigative Reporting Suite of Services
Commonwealth of Virginia: Outside VDOT
Commonwealth of Pennsylvania: Posted and Bonded Roads Mobile App
Commonwealth of Massachusetts: Preventing Health Care Fraud

Information Communications Technology Innovations
State of California: Consolidated Patrol Vehicle Environment
State of Ohio: MARCS in School
Commonwealth of Pennsylvania: Automated Text Messaging of Outbound Communication for Child Support

Open Government Initiatives
State of Oregon: Centralized Public Meeting Notices Project

Cybersecurity
Commonwealth of Virginia: Barring Open Doors to Threats
State of Oregon: Oregon-Montana Disaster Recovery Phase I
Commonwealth of Pennsylvania: Portal Storm: A Cyber/Business Continuity Exercise

Special CIO Recognition Award
Commonwealth of Pennsylvania: IT Central
State of Michigan: MiPage
State of Texas: Texas Data Center Services Governance Model