State Governments manage and must protect a wide range of citizen information from cyber security threats, including credit card records, personal health information, employment records, revenue and tax information and election systems. With much of this information available online, State Departments and Agencies are a primary target for cyber-thieves. A 2017 cybersecurity report compiled by Verizon found that public-sector entities were the third-most common breach victims, behind financial and health care organizations.
Based on the number and severity of past cyber security breaches, States are keenly aware and have or are taking action to secure their networks and databases. According to a 2018 NASCIO Report – State CIO Top Ten Policy and Technology Priorities for 2018, security and risk management is the number one priority of State CIOs. While State Governments have acknowledged the security threat, different States are addressing the threat in different ways.
The Challenges: In addition to the increase in cyber security threats, States are challenged by limited budgets and competition for information security human resources. State Executives must determine how to protect not only State-level networks and information systems, but dozens of State Agencies that they oversee. While it is not cost effective for every State Agency to separately fund and manage their own information security systems and staff, States CIOs must determine what level of security services and support they can and should provide to their State Agencies.
Steps Taken: Over the past decade, State Legislatures have created state-wide Offices of Information Technology (OIT), and mandated the staffing of Chief Information Officers (CIO), and Chief Information Security Officers (CISO). A 2018 Deloitte-NASCIO Cybersecurity Study reported that all 50 states now have a statewide CISO or equivalent. Based on information sourced from 50 State Web Sites, 23 States now offer Managed Security Services, with the majority of States providing Security Governance, Compliance Audits and InfoSec Training and Consulting. The most frequently offered Managed Security Services are:
- Security Information & Event Management (SIEM)
- Incident Management and Response
- Firewall, Proxy and VPN Services
- Intrusion Detection/Prevention (IDS/IPS)
- Vulnerability/Pen Testing
- Malware, Spam & Virus Filtering
- Forensic Investigations
Alternative Business Models:
In addition to staffing State CIOs and CISOs with specific duties and responsibilities, an increasing number of States are consolidating oversight and management of State Agency IT resources under a single statewide Office of Information Technology. But there are different business implementation models offered by different States.
Education & Governance (only) Model, where State CISOs establish, oversee and facilitate statewide security management programs to ensure government information is adequately protected. Examples of responsibilities of the CISO position under state laws include:
- creating statewide security policies and IT standards,
- requiring information security plans and annual assessments or reporting, and
- requiring periodic security awareness training for employees
National Associations, including: NASCIO, National Conference of State Legislatures, National Association of State Chief Information Officers, and the Multi-State Information Sharing & Analysis Center, contribute significantly by identifying information security threats and best practices.
Brokerage Models differ depending on whether they are Sole Sourced or Multi-Vendor Sourced. The Texas Department of Information Resources (DIR), for example, contracted with AT&T to provide a comprehensive suite of Managed Security Services that give state agencies, local governments, school districts and other public entities access to resources to protect systems and data. Agencies can go to the DIR portal, identify the services they need and place an order for them.
An alternative model is to source a mix of security services from multiple vendors and coordinate the provision of these services to State Agencies. A 2018 NASCIO State CIO Survey showed 4 States already function as a broker of services, 5 see themselves migrating to primarily a broker of services and 16 see themselves offering some brokered services as well as providing services directly.
Managed Security Services: A number of States offer a range of managed security services to their State Agencies, most notably: Idaho, Iowa, Kentucky, Louisiana, Missouri, New Jersey, Pennsylvania, Tennessee, Vermont, but business models vary depending on whether they have centralized info security resources, including IT infrastructure, security systems and Infosec human resources, or whether infrastructure is centralized and Infosec resources are distributed, reporting to a centralized State OIT or reporting to a specific Agency.
Security Solutions for State OIT’s:
State Offices of Information Technology must balance the need for information security, with the availability of limited budgets and human resources, and the security software and services available from vendors that support their particular business model. Snare by Prophecy International is a Vendor Partner to State OITs – with over a decade of providing syslog collection, filtering and forwarding for Security Information & Eventlog Management (SIEM). Snare Security Solutions address the two primary challenges faced by State OIT organizations, offering cost-effective, easy to deploy, and easy to use solutions. Snare’s Business Intelligence Platform, built on an elastic.index, combines and correlates syslog events with a host of IT (ITSM, Patch and Backup Histories) and 3rd Party (STIX Malware Threats, Firewalls, DNS, IDS/IPS) security sources for threat-hunting forensics. It includes a prebuilt KPI monitoring dashboard and a smart user interface, so users can build and share queries and reports through a multi-tenant premise or cloud platform. Offered as an op-ex subscription, Snare complements any State’s primary SIEM platform, integrating with Active Directory and supporting Single-Sign-On.