For Nancy Rainosek, Texas’ Chief Information Security Officer, cybersecurity directly affects an agency’s mission and constituent service. And whether that involves helping people pay their water bills or allowing law enforcement to preserve crime data, the cost of IT security is worth it, she believes.
“When you think about budgets, a lot of organizations will spend the majority of their money on meeting the mission. … And they really need to think about if they lost their IT systems, what would that do, and make sure they get the best security in place to protect citizens’ data and services,” she said.
Here are her suggestions to keep government agencies cyber-secure.
Have a Plan, and Practice
In August 2019, 23 local governments, from one end of Texas to another, were hit by ransomware. But because Rainosek’s department had created a central incident response team and developed and practiced a “what-to-do-when” plan, her people helped all 23 local governments recover in eight days.
But then Rainosek’s team thought, “Well, what if there had been 100 ransomware attacks? How well would we have done?”
To help prepare for even that possibility, Rainosek’s department partnered with a state university to establish a regional security operations center that monitors the web traffic of a vast array of public entities — school systems, counties and municipalities, water districts, police departments and more. The center also provides “boots on the ground” to help agencies in need.
Manage Your Data Intelligently
Rainosek stressed the importance of understanding the data under your control and then managing it effectively. In Texas, a recent law requires any agency with more than 150 employees to have a data management officer. She said agencies must “classify their data, know what data they have and know when to delete it as well.”
The quality of data management staff is important, of course. Rainosek knows that public agencies can’t offer the same salaries that the private sector can, but she believes government has something special to offer. “There’s more to this world than money,” she opined. “There’s the feeling, especially in public service, that you get when you really get to solve a problem.”
Require Training, and Mean It
Every government employee in Texas must take a certified cybersecurity training program, and because compliance at the local level was poor, Texas recently put teeth into that requirement.
“What they’ve done now is that if agencies haven’t had their employees take this certified training, they can’t apply for law enforcement grants through the governor’s office,” Rainosek said. “And, if they have had grants in the past, and they don’t take their training, [the agencies] have to pay back two years’ [worth] of grants.”
No agency wants to return money. Overall, Rainosek believes that cyber protection involves everyone: “Cybersecurity is a team sport,” she said, “and everyone’s on the team.”
This article is an excerpt from GovLoop’s upcoming e-book entitled “Stuck in Neutral: How to Jumpstart Change at Your Agency.”