State CISOs: Doing More With Less in the COVID-19 Era
Meeting Security Needs During a Budget Crunch
State CISOs are finding it challenging to meet the needs for risk management and new cybersecurity investments at a time when tax revenue continues to shrink during the COVID-19 pandemic and agencies are expecting budget cuts.
In a panel discussion at Information Security Media Group's Virtual Cybersecurity Summit: Government on Tuesday, CISOs and security experts talked of possible 30% cuts to state and local IT budgets, which means cybersecurity leaders will need to devise cost-effective ways to secure infrastructure as cybercrime and hacking incidents continue to grow (see: Global Cybercrime Surging During Pandemic).
The shuttering of many small businesses during the pandemic is having a major impact on states' tax revenues, said Jeffrey Brown, CISO of the state of Connecticut. "But I look at it not as a lack of resources - it's a lack of resourcefulness," he said.
Brown is hopeful Congress will pass pending legislation to provide $28 billion to state and local governments to assist with IT modernization and cybersecurity (see: $28 Billion for State Security, IT Upgrades Proposed). But even if the funds are unavailable, "we will carry on," he said. "We just have to be very, very thoughtful and deliberate in terms of what we're spending our time, resources and money on. That's my plan going into the next two years."
Cybersecurity evangelist and consultant Chuck Brooks noted that the COVID-19 pandemic has exacerbated the budgetary problems that state and local government IT and security teams face.
"There will be more breaches, there will be damage, and maybe there'll be other things that will happen," Brooks said. "There will be outraged citizens saying 'Why did this happen?' But in the meantime, we have to figure out what we can do to make it work. And that's where looking at your strategy is really imperative right now."
Frameworks and Risk Management
Michael Anderson, CISO for Dallas County, Texas, noted that his office has put more emphasis on following information security frameworks as a way to ensure that projects and resources are kept within budget while following best practices.
"Sometimes you have a plethora of security tools to choose from, and you don't know which one to choose," Anderson said. "When I talk to other [CISOs], I try to gently guide them in the direction of using frameworks and making sure they align their budgets with their human resource needs, platforms and services. ... I'm being asked personally to use my exact same team to keep the lights on, do cross-functional support and then do all these projects I have on the roadmap."
Brown said he's relying on the National Institute of Standards and Technology's cybersecurity framework to help ensure that risk assessments are being done properly.
"Given the kind of budget crunches that could be coming, there's going to be a little bit of triage that we may have to do," Brown said, describing the need to carefully prioritize projects and technology investments.
Jim Richberg, field CISO at security firm Fortinet, noted that many CISOs are good at responding to tactical issues but find it tougher to do high-level enterprise risk management assessments and learn to do more with less.
"We're really bad at coming up with meaningful metrics," Richberg said. "And that's part of what complicates your ability to do smart risk management."
Anderson, the Dallas County CISO, noted that he's focusing more on educational issues, including building "awareness around social engineering and phishing campaigns and keeping those things top of mind. So while we're spending less, we're still addressing many of the most common threats that all of our enterprises are facing."