Lohrmann on GovSpace

About this Blog:

Musings of a state government CSO.

Dan Lohrmann

Cybersecurity Governance: State CISO Roles - Past, Present and Future

What does a state government Chief Information Security Officer (CISO) actually do? What is the scope of their authority? Who do they report to? What training and/or certifications are required? How has the role changed over the past decade? Most importantly, what’s next? That is, what is likely to happen regarding cybersecurity management and roles in the states over the next decade?

To help answer these questions and many more, I am commenting on a recently published report (May 2010) by the University of Kansas for the IBM Center for the Business of Government. The title is: Cybersecurity Management in the States: The Emerging Role of Chief Information Security Officers. This paper is a part of their “Strengthening Cybersecurity Series.”

But before I dive into this topic, I want to show you why this issue is so important – right now. I believe we are about to enter a new period, not just for cybersecurity management and state government online security governance, but also for governance of the Internet as a whole. The private sector understands what is at stake, as we can clearly see in the debates surrounding pending federal legislation. Want some evidence?   

As the US Senate debates the merits of the latest Cybersecurity Act of 2010, most of the focus has been on provisions that give the President emergency authority to shut down private sector or government networks (or not) in the event of a cyber attack capable of causing massive damage or loss of life. There is also a vigorous debate over government roles regarding cybersecurity.  Many legislators and security experts support this legislation. But Richard Stiennon, popular security speaker and author of Surviving Cyberwar, wrote in Forbes that this is a “very bad bill.” 

I am steering clear of most of Rich’s arguments in this column, with the exception of reiterating that we are talking about close to $2 billion (additional) dollars being dedicated to cybersecurity. Where, when and how will this money be applied to help secure state and local government networks – if indeed some version of this legislation is implemented? What tangible results will follow? How will command and control work in a local cyber emergency or an “event of national significance?” As Stiennon asks, will the end result improve things going forward?

Now I realize that I can’t possibly do justice to this complex topic in one blog. So I urge you to read the report issued by the University of Kansas. The history section is very well done – and I really like the case studies from the six states. As a previous executive board member of the MS-ISAC for many years and Michigan’s CISO for almost seven years, I think the summary of duties, interactions and accomplishments listed for each state is helpful and provides insight into the various CISO roles in the states – and how they differ. I personally know five of the six security leaders mentioned, and I can vouch for the fact that they are outstanding public servants who have built excellent security programs and strategies.    

But I’m not writing this piece to just praise my friends. I want to focus in on what’s next and the recommendations for the future (beginning on page 30 of the report). This is where the linkage occurs with new federal legislation and this is where I have some disagreements.

Here is a brief summary of the five recommendations in the report:

1) State cybersecurity officials should increase the use of collaboration and networks.

2) State cybersecurity officials should evaluate their formal and informal relationships with federal cybersecurity officials.

3) State cybersecurity officials should devote increased attention to and receive training in multidisciplinary problem solving.

4) State cybersecurity officials should receive training in collaboration competencies, and those competencies should be recognized and rewarded.
