NASCIO says 'compliance' good for cybersecurity
Even as the word "compliance" gets increasingly weighted with negative connotations in federal cybersecurity, a report from the National Association of State Chief Information Officers says it should be a lever utilized by state chief information security officers when securing their own and contractor-based infrastructure.
"Regulatory compliance should be used to better communicate risks to business stakeholders and drive home the need for support to improve information security," says the report, which summarizes the results of a survey of state cybersecurity officials conducted with the consultancy firm Deloitte.
Ensuring compliance will likely become even more important during times of budget austerity, the report says, noting that of the 50 CISOs from 48 states and two territories who responded to the survey, 86 percent said that "lack of sufficient funding" is a key barrier to better cybersecurity.
That lack of funding, plus an inability to retain talented personnel, puts pressure on states to outsource services, the report says; the rise of cloud services has also led a number of states to move core services into the domain of private sector service providers.
However, transferring risk to a third party doesn't change the fact that states are responsible for their own data. "That's especially apparent if a partner falls short and state executives are left to explain the incident to the public," the report notes.
As a result, states must make it a practice to routinely inspect third parties for compliance with clearly defined cybersecurity measures, the report says.
The report also recommends states adopt a shared service model for cybersecurity to share costs effectively. The position of state CISO itself is typically one of a cross-agency resource coordinator, the report says; most operate in a federated or distributed environment where IT and security resources are dispersed across various state agencies.