This post is an excerpt from GovLoop’s recent Guide to Government’s Critical Cyberthreats. This research guide explains the various cyberattacks government endures and provides steps to safeguard your information systems.
State and local agencies face a number of significant challenges in educating, training and recruiting an adequate cyber workforce. There is a clear shortage of qualified personnel to go around. With limited resources, state and local governments have a harder time competing with the private sector to attract qualified cyber professionals to work. Additionally, many elected officials at the state and local levels remain uneducated about their cybersecurity postures, and, therefore, don’t advocate for agencies’ cyber needs.
Most IT managers at the county level find themselves facing low salaries and huge workloads. Take Arlington County, Va., for example. According to a recent article in Government Technology, Arlington has a population of 250,000 with about 4,500 users on the county network. That network processes some 1 trillion events every day. Yet the county employs just one IT security employee: Chief Information Security Officer David Jordan.
In an interview with GovLoop, Jordan shared his experiences as Arlington County’s CISO and insights on needed improvements in the state and local cyber workforce.
CYBER PREPAREDNESS THROUGH CISOs
One of the first things Jordan emphasized was the importance of states having an information security executive position. “The CISO position determines the whole future of the practice,” he said. “The CISO determines the quality, education, training, and longevity of the cyber workforce within government.”
As the sole IT security staffer at Arlington County, Jordan understands the importance of a well-placed CISO. In the absence of a formal cybersecurity workforce, Jordan meets with all the employees of the organization and regularly briefs IT help-desk workers on issues related to security. He stressed that in addition to being accountable to employees, the CISO should report to the county board or city manager.
“You don’t want to have the CISO compete for funding with other leaders within the organization, like the Chief Information Officer,” Jordan said. “For many agencies, placing the CISO optimally in your chain of command improves chances of success.”
When the CISO does not have visibility or voice within an agency, elected state officials are less likely to promote cybersecurity in their agendas or allocate needed resources for recruiting and training cyber professionals.
CYBERSECURITY THROUGH EVERY EMPLOYEE
Jordan emphasized that everyone who works in an agency has a security component. In Arlington, he combined the power of the county workforce as an extended security operation by enlisting the aid of 4,500 people.
To make sure every employee thinks about cybersecurity, Jordan goes out of his way to talk to every single person who is hired. “Each employee gets me for about 20 or 30 minutes,” he said. “We go over the rules of the house and explain the importance of basic IT security. They need to be aware of certain risks and certain best practices.”
Jordan established a set of 25 expected behaviors for employees to master in order to promote cybersecurity best practices. He wanted to be available to anyone with questions so he established a phone line. Employees can dial H-E-L-P should they have any questions about potential cyber issues or threats. For example, if an employee gets a suspicious email that could be a potential phishing attack, they can call the hotline to be advised on what to do.
“We also have three chiefs in our IT shop,” Jordan said. “We have an architectural design chief, a records management chief, and, myself, a security chief. Once a month, we open our conference line and let people call in and ask questions.”
Such methods of communication are efficient ways for cybersecurity leaders to strengthen a team’s cyber awareness and preparedness by helping all employees identify any potential scams.
CYBER BEST PRACTICES THROUGH PARTNERSHIPS
In addition to being available to all employees and training his IT staff, Jordan relies on regional partnerships to share information and best practices for cyber training and infrastructure. He collaborates with area peers through a CISO subgroup of the Metropolitan Washington Council of Governments, an independent nonprofit association that brings area leaders together to address major regional issues in D.C., Maryland and Northern Virginia and comprises 22 local governments.
The CISO subgroup communicates daily to share cyber workforce needs, struggles, and best practices. “We can pose questions to each other frequently,” Jordan said. “For example, if I’m ordering a new video system for buses, I can send a question to the 22 members and ask if anyone has done this recently or ask about particular vendors they’ve used.”
Regional partnerships are critical for state and local governments when resources are tight, because information sharing can cost-effectiveness in cyber training while also developing best practices for any cyber issues.
Through his CISO role, focus on training all employees and regional partnerships, Jordan demonstrates that there is hope for continuing to build the state and local cyber workforce. Having the right staff, such as CISOs, in an agency is critical to setting standards for cybersecurity personnel and infrastructure. Through proper employee education, training, and regional partnerships, state and local governments can have a better chance of harnessing their cyber workforces to better address the cybersecurity needs of today.