There is a growing debate about the state of cyber security within state and local governments around the country. Despite huge investments by many over the past few years, many argue that the situation is getting worse. A recent article in the LA Times laid out the competing points of view.
Meanwhile, the grades given to federal agencies are improving, even if the overall grade is still a "C."
But before I give you my view, I'd like to hear your opinion. Is cyber security improving in your government office, agency or state? Are operational plans working? Is enough being done to protect sensitive information? Is too much attention being paid to this topic? Should more money be spent on identity management or other aspects of computer security?
There are many metrics and various ways to measure cyber security, but one important measure is user experience. So what's your view? Are things better or worse than a few years back? I'd love to hear from you and get a dialogue going.
I believe that security in government is improving and that the resources dedicated to the effort are paying off. However, with that said, most government entities are clearly not where they need to be to address the complex set of risks that they face today.
As the CISO of a mid-sized state, I see firsthand the security challenges that we face. However, improving technical controls is just part of the solution. Government entities need to get much better at collaborating to solve problems. There simply is not enough money to continue addressing security problems on an agency-by-agency basis. There also needs to be a concerted effort to help government executives understand today's threat landscape.
But I am optimistic that those of us in government have the wherewithal to take the bold steps that are needed to secure our nation's technology infrastructure.
I agree with Chris in that I too believe that cyber security is improving, but that we are nowhere near where we need to be. I have seen changes that many government entities (Federal, State and local) have made in improving their infrastructure. I have seen an increase in the number of risk assessments that are being performed on critical systems, and I have noticed a marked improvement in the depth or granularity that these risk assessments have attained. I have witnessed an emphasis on security awareness training for all types of users, be it system administrators or citizens using our eGovernment services. Yet, it feels as though the sand continues to shift beneath our feet. Our network perimeter no longer exists, and our new workforce is driving us towards new technologies that we simply are not yet equipped to handle.
I strongly believe that the next task that lies before us as cyber security practitioners will be to adopt a new mindset for protecting our data and other critical assets. I don’t have the answers, but it seems to me that we need to take a fresh look at how we are addressing areas like identity management or privacy while still providing 24x7x365 access for our staff and our constituents.
I still have more questions than answers, but I'm encouraged that I'm not facing this problem alone. Many of my colleagues and I have been sharing information back and forth, and together I do believe that we will continue to improve our cyber security posture.
Thanks for your comments Steve and Chris. You both share a very important characteristic of successful CISOs - optimism. In our current cyber security environment full of new battles, I don't think security professionals can move forward without your "can do" attitudes.
Any other thoughts? I'd love to get a few more viewpoints before I move on to my next blog entry.