State vs. Private Cybersecurity: A League of Their Own
* This article originally ran on StateScoop on March 12, 2013.
One of the frequent questions we get from state CIOs is about benchmarking:
“How are our cybersecurity efforts stacking up against other states’ initiatives, federal policies, and private-sector implementations?” our customers will ask.
It’s a difficult question to answer, especially considering how vast and varied the efforts of individual state governments and federal departments tend to be. However, thanks to some in-depth analysis from Deloitte and the National Association of State Chief Information Officers (NASCIO), we have a reasonably clear picture of how states and the private sector compare.
Sadly, that comparison isn’t pretty.
Deloitte’s study (presented at NASCIO’s conference in October) shows state governments significantly behind similarly sized private-sector entities in securing sensitive data.
(The Deloitte/NASCIO study can be downloaded here.)
Moreover, many states and private organizations (particularly large financial services firms) handle the very same types of personal financial information, and yet the IT security funding allocated by state governments is dramatically lower.
We’re not even in the same ballpark. And that, from an industry perspective, is a major problem.
For one thing, state government agencies sit near the top of the list of targets for cyber criminals. In fact, we’ve already witnessed a handful of very public health information breaches in recent months.
To shed more light on the subject, Symantec has done some internal benchmarking (in both financial and health-related areas) and found the same basic pattern as Deloitte: even though states are managing information that’s every bit as sensitive, if not more so, state investments in, and planning for, cybersecurity have been lagging significantly.
To make matters worse, most state government IT operations are still deeply federated, with each internal agency running its own IT security. When those disparate IT security infrastructures struggle to communicate, the state’s security posture becomes weaker still.
On the bright side, cybersecurity issues are gaining traction among state legislators and governors. Quite often, private sector benchmarking can play an important role in making this case—reminding state officials of both steady improvements and lingering weaknesses.
And that’s a useful exercise in any sector, at any level.