Yes, threats are increasing exponentially in sophistication, intensity, diversity and volume. Cyber experts report a significant escalation in external cyber attacks, especially from criminal organizations and foreign state-sponsored activities.
Mobile devices do bring great utility in terms of convenience and allowing individuals to be “online all the time.” Governments have widely deployed mobile devices for accessing resources and greater workforce productivity. However, the use of mobile devices for communicating and for sharing data creates inherent security issues and adds more points of access to the network. Mobile malware threats are certainly growing, and a significant security concern with mobile devices is the loss of the device. Additional risks related to mobile devices are personal devices being used in the workplace and authentication of the user. The National Institute of Standards and Technology (NIST) publication “Guidelines for Managing the Security of Mobile Devices in the Enterprise” (SP 800-124) outlines a number of items that government organizations should follow.
Even as CISOs better define their roles and become an integral part of state government, they continue to face challenges, particularly in securing the resources they need to combat ever-evolving cybersecurity threats. Four-fifths (80 percent) of respondents say inadequate funding is one of the top barriers to effectively address cybersecurity threats, while more than half (51 percent) cite inadequate availability of cybersecurity professionals (figure 6). Survey evidence suggests that when CISOs develop and document strategies—and get those strategies approved—they can command greater budgets and attract or build staff with the necessary competencies.
Cybersecurity will require funding for creating the necessary capabilities, including tools and training. However, cybersecurity must be “baked into” every project, program and management initiative – not treated as an administrative afterthought. Cybersecurity must be understood as an inherent cost of doing business and must be a component of every budget. A direct correlation can be seen between having an established strategy and obtaining more full-time equivalents (FTEs) dedicated to cybersecurity, as well as year-over-year budget increases (figure 7). For example, 11 out of 33 states that have an approved strategy reported they have more than 15 FTEs dedicated to cybersecurity, and 16 out of 33 states with an approved strategy reported they had an increase in budget. An approved and proactively communicated strategy can also help CISOs overcome another barrier: “lack of visibility and influence in the enterprise,” an ongoing challenge in the largely federated governance model in state government.
Traditional approaches focused on preventive and risk-based protective measures, where “risk-based” means that the investment in security is a function of the perceived value of the information being protected. Those approaches continue to be necessary aspects of security. However, state government must now include two additional capabilities: vigilance and resilience. Vigilance is continuous monitoring for threats that provides early detection. Resilience is the ability to respond and recover. These capabilities must be continually enhanced to anticipate the growing threat landscape.