When it comes to cybersecurity, local governments can rely on established partnerships and a security culture that values improvement over punitive measures, said a panel of local IT officials and experts during an event hosted by the National Association of Counties (NACo) and the Public Technology Institute on Monday.
Panelists at the event discussed some of the challenges unique to local government in comparison to industry or the Federal government.
“I think it’s a matter of how we see compliance and how we adhere to it, how we accept it, and how we make it part of our organizational structure and the culture in the IT environment,” said Luis Campadoni, director of IT & Facilities Management at the Metropolitan Washington Council of Governments. “In my 10 plus years in the Federal side, mainly the homeland security side, everything is compliance. Everything is adherence to cybersecurity frameworks as mandated. Coming to the local side, you don’t see the mandate as strongly enforced as you do on the Federal side.”
Campadoni said that difference adds a new dimension for local IT professionals in their work to improve cybersecurity. “You work more on the business side to try and create the culture, trying to link the mentality of the senior leadership to accept and adopt, so that we can actually improve our posture,” he said.
However, local government IT departments must take care not to overplay the notion of punishment in creating a carrot-and-stick approach for cybersecurity. Officials stressed the importance of avoiding harsh treatment of those who practice weak cybersecurity and of focusing instead on improving their posture.
“The worst thing you can do is actually punish somebody for failing to do something. If you want to punish somebody, it should be for failure to report,” said Alan Shark, executive director of the Public Technology Institute. “You don’t want to have it be punitive. You want people to run to you.”
Panelists also highlighted the importance of sharing threat information among different jurisdictions.
“I came to local government 11 years ago, and one of the things I learned is that local governments share, we share everything,” said Dale Worley, CIO of Greenbelt, Md. “At the municipal level, all of my peers in this area I can reach out to and get answers from.”
Chris Wlaschin, vice president of Systems Security at Election Systems & Software, pointed to active information sharing around election security.
During a recent spearphishing attack on Florida election officials, “within 20 minutes the rest of the nation knew about this,” said Wlaschin, touting the work of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).