Cyber Exposure Meets Political Practicality

CyberScoop’s Opportunities for Improving Cybersecurity Visibility at State & Local Government Agencies is an outstanding summary of the current state of cyber preparedness in state and local government agencies. Like most survey summaries, it presents the results as cold, hard facts. It is also, in some respects, comparative, in a way not unlike the study of comparative politics.

In analyses of any subject related to IT in the state and local government sector, there are always unconscious comparisons to the private sector. The question many people ask when they encounter statistics related to state and local government is: “Why can’t the state (or city, or county) be run more like a business?”

The truth is that government – especially state and local government – can be more businesslike, but it will never be run like a business. The reason is practical political necessity.

There is one federal government, 50 state governments, 3,800 county governments and more than 18,000 local governments. As you move down that continuum, the amount of citizen (read: voter) involvement increases exponentially. Political practicality dictates that constituent issues be addressed with greater velocity as the size of the government entity gets smaller. This greatly affects the ability of government to address broader issues like cybersecurity. It also means that a greater proportion of the limited government funds is used to address the most pressing constituent issues, which leaves less for the IT line items.

Looking at the results of the recently released CyberScoop survey, Opportunities for Improving Cybersecurity Visibility at State & Local Government Agencies, through the lens of political practicality puts it in clearer context and suggests how the private sector can better assist state and local governments in improving their cyber hygiene and their Cyber Exposure posture. Let’s look at some of the findings:

“Half of state and local IT leaders face a shortage of skilled cybersecurity talent.”

Cyber analysts don’t put out fires, get cats out of trees or drive police cars and make arrests. The vast majority of city revenues go toward public safety. So, let’s put cybercrimes under the jurisdiction of the chief of police. This would certainly make it easier to request and appropriate funds. It would also make those jobs more attractive to those who want to work in local government to “serve and protect.” The private sector can create “weaponized” cyber tools for the exclusive use of local law enforcement.

“The findings clearly suggest a widespread, if not urgent, need for tools that can provide real-time situational awareness across a variety of networks.”

In the hierarchy of IT funding in state and local government, tools are always going to be underfunded because they don’t involve people doing things. It’s that simple: Local constituents see people – “feet on the street” – as the solution to local issues. Creating SaaS applications that minimize investments is critical to correcting this under-investment. Cooperatives of states or cities throughout a region are common, and a “cyber cooperative” would be a logical extension of that concept. For example, Southeastern Georgia has a “Cybersecurity District” that allows governments to pool cybersecurity resources.

“Adding to that challenge is the lack of control those officials have over systems and devices operating beyond their security infrastructure, including third-party contractors.”

Political winds change often, especially when new administrations come in with mandates to address specific issues. This often leads to IT builds that are purportedly “platform agnostic,” but also “disintegrated.” This “disintegrated” set of solutions creates an expanded cyberattack surface by increasing the number of patches and upgrades necessary to ensure compliance with standards. Suggesting a “cyber integrator” model that provides both tools and professional services to address this concern would be a breakthrough for local CIOs, especially. Adding the need to integrate – in advance – each new IT initiative with existing Cyber Exposure tools and approach would be a game-changer. It would likely require statutory or local ordinance enforcement, but it would create consistency in the ever-changing political landscape.

For a full look at the survey results, download the CyberScoop report today.

*** This is a Security Bloggers Network syndicated blog from Tenable Blog authored by Stephen Smith. Read the original post at: