 National association Pamela Walker, Director of Government Affairs National Association of State Chief Information Officers NLC Congressional City Conference: Status of Cybersecurity with States and Congress

Fiscal recovery uneven, slow revenue growth, budgets are better, federal deficit reduction impact? CIOs seeking IT operational cost savings and alternative IT sourcing strategies Opportunities for change and innovation Living with the past - modernizing the legacy IT security and risk! Game has changed IT workforce: retirement wave, skills, recruiting State CIO positions – major churn State IT Landscape Today

CIO Priorities, Trends and Perspectives

State CIO Priorities for Consolidation / Optimization: consolidating infrastructure and services, centralizing 2. Budget and Cost Control: managing budget reduction, strategies for savings 3. Governance: improving IT governance, authority, data governance, partnering, collaboration 4. Health Care: Affordable Care Act, health information and insurance exchanges, architecture, partnering, implementation, technology solutions, Medicaid systems 5. Cloud Computing: governance, service management, service catalogs, platform, infrastructure, security, privacy, data ownership, legal issues, vendor management 6. Security: risk assessment, governance, budget and resource requirements; security frameworks, data protection, training and awareness, insider threats, third party security 7. Broadband and Connectivity: strengthening statewide connectivity, public safety wireless network/interoperability, implementing BTOP grant 8. Shared Services: business models, sharing resources, services, infrastructure, independent of organizational structure, service portfolio management 9. Portal: maturing state portal, e-government, single view of the customer/citizen, emphasis on citizen interactive self-service, mobile apps, accessibility 10. Mobile Services/Mobility: devices, applications, workforce, security, policy issues, support, ownership, communications, wireless infrastructure Source: NASCIO State CIO Survey, October 2011

Cybersecurity in the States  Critical infrastructure protection  More aggressive threats – organized crime, unorganized crime, hacktivism  Spam, phishing, hacking, and network probes up  Data breaches – trust impact  Insider threats, third party  Executive support  Inadequate funding  Need more training, awareness

Growing IT Security Risks in the States  Protecting legacy systems  Expansion of wireless networks  Adoption of cloud services  Online transactions  Use of social media platforms  Mobile devices and services  Use of personally-owned devices (BYOD)  Miscellaneous devices (USB, digital cameras, MP3 players, etc.)  Third-party contractors and managed services

What are your State’s top five IT security initiatives? 1. Data Protection 2. Information Security Risk Assessments 3. Information Security Training and Awareness 4. Application Security 5. Information Security Measurement and Reporting

What major barriers does your State face in addressing information security?

Today’s State IT Workforce: Under Pressure  State CIOs say % of state IT employees eligible for retirement within the next five years  Fiscal stress - hiring freezes and elimination of vacant positions  Nearly two-thirds say they anticipate having to reduce IT staff  IT Security positions are difficult to recruit and retain

Challenges Recruiting IT Security Professionals Source: NASCIO State IT Workforce: Under Pressure, January 2011

Business objectives GovernanceAcquisition strategyJurisdictional issues Security and privacy concerns Policy and legal issuesExit strategy

Social Media: Connecting Citizens, Presenting Risks securitylegal issues with Terms of Serviceprivacyrecords managementacceptable use Social media adoption rates are broad across state governments - 98% use free social media tools on hosted, third party platforms. Social media pose challenges to states in the areas of:

NASCIO Cybersecurity Call to Action Key Questions for State Leaders  Have you created a culture of information security in your state government?  Have you adopted a cybersecurity framework, based on national standards & guidelines?  Have you acquired continuous vulnerability management capabilities?  Have you documented the effectiveness of your cybersecurity with metrics and testing?  Have you developed security awareness training for workers and contractors?

Looking Ahead  More IT consolidation, shared services  Outsourcing: more steering, less rowing  IT implications of healthcare reform  Demand for performance, results  Extending the enterprise: locals?  Massive collaboration - Web 2.0  DHS, MS-ISAC and NASCIO collaboration – NCSR  More intra-state and inter-state collaboration; state homeland security advisors  State Centers of Excellence for cyber education & research  Funded research, scholarships, internships  Sharing best practices, recognition Looking Ahead: Leveraging State Assets

More Administrative Flexibility Needed for States Secure and Protect Citizen Data and State Digital Assets Support the Adoption and Expansion of the National Information Exchange Model (NIEM) Support State Role in Identity Management and Verification Solutions NASCIO 2012 Federal Advocacy Priorities

Congress and Cybersecurity  The Cybersecurity Act of 2012 (S. 2105) introduced by Sens. Lieberman and Collins  Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 or ‘‘SECURE IT” (S. 2151) introduced by Sen. McCain  Focus on critical infrastructure, information sharing, FIMSA reform, cyber workforce and international cooperation.  House taking a piecemeal approach.

Connect with... youtube.com/nasciomedia linkedin.com facebook.com twitter.com/nascio nascio.org