While every state and local IT leader hopes they never fall victim to a cyberattack, in today’s security landscape an attack seems like an inevitability.
During an April 17 GovLoop webinar, Michael Watson, CISO of the Commonwealth of Virginia, and Phil Bertolini, CIO of Oakland County, Mich., discussed securing needed resources to combat cybersecurity threats, how to balance modernization and cybersecurity, and the threats facing state and local agencies.
One of the main topics of conversation was GovLoop’s recent cybersecurity report, titled “Understanding the Dangers to Your Cybersecurity.” The report, authored by GovLoop’s Mark Hensch, details not only recent high-profile cyberattacks but also ongoing cyberthreats, what motivates attackers, the damage they can cause, and best practices for keeping agencies safe.
How Do You Sell Cyber?
Both experts touched on cyber budgets and how IT departments need sufficient resources to secure state and local governments. When it comes to securing funding from their governments, both pointed to the importance of providing examples and highlighting why cybersecurity is so important.
“We have to be able to do a ton of education with all our elected leaders and our department leaders and then package it up in a concise way so we can sell it in a public meeting,” Bertolini said. He said he tries to frame the issue in a personal way, asking how many times their email or identity has been stolen. He said when it’s framed that way, people tend to “perk up” and pay attention.
Watson said his organization is trying to provide examples of cyberattacks that occur in other states and cities, saying that media attention to cybercrimes is actually very helpful. “We’re trying to walk that line of not giving away all of the issues we are dealing with while also making sure people understand that these are real problems,” he said.
CIO or CI-NO
The two men discussed the importance of balancing the desire to modernize technology with the need to preserve cybersecurity. While modernization can lead to greater resources, easier workflow, and better citizen services, new technology can carry new cyber risks.
While no one wants to be the stick in the mud who is opposed to new technology, Bertolini said that sometimes you “just have to say no. You have to balance risk versus reward.”
Bertolini said he believes governments are doing better when it comes to risk management – however, agencies just “can’t keep up” with cyber criminals.
Watson agreed with Bertolini’s assessment and said that agencies have gotten better at understanding risk management, but are still struggling to communicate with stakeholders about how much risk they face and how that risk will impact their day-to-day work. “It’s not just IT folks you’re having to convince these days,” Watson said. “The business units that are using IT services are having a rough time understanding that [their] business doesn’t function without IT.”
The Threat of Ransomware
One of the bigger threats facing state and local agencies right now is the risk of ransomware. Watson explained that agencies might just think it’s easier to pay out the ransom, rather than doing what needs to be done to protect and recover the corrupted files. However, agencies shouldn’t want to negotiate with the cyber criminals and instead should focus on securing their networks, Watson said.
Bertolini agreed with his colleague from Virginia, saying that even the smallest of governments are a huge target. He further said that ransomware attacks are really a people issue – what’s happening with phishing attacks, whaling attacks (when cybercriminals target executives and high-level leaders), or when people are giving out credentials when they shouldn’t. “We really have a people, technology, organization/process problem,” Bertolini said.
For states concerned about cyberattacks, help may be on the way from the federal government. A piece of bipartisan legislation was introduced on April 8 in the House and Senate that would authorize the Department of Homeland Security to operate a grant program for states looking to implement better cybersecurity and recovery measures.