
Why Isn’t Security Simple? (And What State and Local Agencies Can Do About It)

Security – it all comes down to protecting your people, your assets, and your data. 

It all seems so easy when you put it in those terms. However, if you take a step back and look at it from a state and local government perspective, it gets more complicated.

A Complex Array of Cybersecurity Products

For instance, how many software products are involved in those three categories (people, assets, data)? Nearly 50% of IT leaders in state and local governments say they use separate products[1] for protecting their assets, from laptops to mobile devices to servers on premises in the data center and in the cloud, as well as the myriad products used to control who can access the systems and the applications and data that drive government services to citizens. This is true even for smaller cities and county governments. The high number of software products controlling security is somewhat understandable, because multiple teams are involved in securing the enterprise.

A Lack of Skilled Staff

Next, let’s look at how many people within those state and local governments have managing the organization’s security as their primary and only responsibility. Security management can include anything from reacting to security incidents, to educating others within the government, to implementing and supporting the myriad software products that control security. In many of the larger state governments, there could be as many as five to fifteen individuals who have security responsibilities. Many of the smaller city and county governments, however, could have two to three. Security professionals typically have many options for where to work, and there aren’t enough well-qualified experts to go around.

Budgets are Limited, But Prospective Funding via the IIJA May Offer Some Reprieve

Budgets are limited within state and local governments, especially for the smaller cities and counties. There is never enough money to do the things that need to be done. Taken together, the sheer number of security products, the shortage of well-qualified experts, and inadequate security budgets create significant risks for the local government enterprise.

Enter the Bipartisan Infrastructure and Investment and Jobs Act (IIJA), signed into law by President Biden in November 2021. The State and Local Cybersecurity Grant Program within the IIJA provides grant funds of $1 billion, specifically directing funds to state, local and Tribal governments to address cybersecurity risks and threats to information systems. The terms outline that while the money will flow through the states, the majority of the money must go to local governments. The Notice of Financial Opportunity (NOFO) has not yet been published but is expected sometime during the summer of 2022. While this may seem like a windfall for the local governments and Tribes, keep in mind that there are approximately 90,000 local government entities in the US. If the money is distributed equally across them all, each would get about $11,000, which is not much money to protect people, assets and data from security threats.

How to Prepare Your Cybersecurity Strategy for IIJA Disbursement

What can a state, city, or local government do to protect its organization from increasingly sophisticated cyber threats and prepare for the disbursement of funds from the IIJA? The first step is always a plan. As Benjamin Franklin once said, “if you fail to plan, you are planning to fail.” Putting together a plan may seem overwhelming when you’re dealing with multiple software products, multiple teams, and limited staff. However, there are many vendors and government websites available to help; smaller cities and counties can also look to the state for its plan. Though this may seem like Security 101, having a cybersecurity strategy and roadmap is ranked as one of the top 5 highest priority initiatives across states, cities and counties.[2]

A cybersecurity plan is also important to prepare for the disbursement of funds from the IIJA, so that you can apply for your fair share as soon as possible after the NOFO is published. The critical components to consider when applying for the grant are:

  • Every application for the funds must include a security plan.
  • Understand your current cybersecurity posture, based on nationally recognized cybersecurity frameworks like the NIST Cybersecurity Framework. This framework doesn’t prescribe specific technologies to use but focuses on outcomes.
  • Focus on areas that will improve essential and critical services that are provided by governments: for example, emergency IT systems, election systems, water utilities, or anything that may make the news if that system were compromised.
  • Leverage a Zero Trust architecture and maturity implementation.

Protecting your people, assets, and data may not be easy, but it’s the foundation of trust that all government services must provide to citizens.

To dive deeper, listen to this 30-minute on-demand webinar from GovTech to get a viewpoint on how to leverage the IIJA funds to bolster your cybersecurity investments, and to learn best practices for getting started with a unified security platform. 

Look for my second blog post on leveraging the IIJA for municipal utilities, coming soon!


[1] Center for Digital Government, Cybersecurity Survey 2022; customer research commissioned by VMware

[2] Center for Digital Government, Cybersecurity Survey 2022; customer research commissioned by VMware
