2012 Deloitte-NASCIO Cybersecurity Study: State governments at risk: a call for collaboration and compliance

Executive Summary

Cybersecurity continues to be one of the most pressing challenges facing State Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) today. Security threats to states have been widely reported; however, the nature of the game has changed. Cybercriminals and hacktivists—a new breed of hacker with a political or social agenda—use increasingly sophisticated methods involving rapidly evolving technologies to target cyber infrastructure for monetary gain and to make political statements.

As states progress towards a future of internet-hosted applications using new technologies, like big data, mobile solutions, and cloud computing, and continue to grow their electronic repositories of valuable citizen data, addressing the issue of protecting personally identifiable information (PII) and state systems is of utmost importance.

Consider the staggering statistics:

million records of citizens since 2009, according to a recent Rapid7 report on the “Data Breaches in the Government Sector.”1

• The average cost per lost or breached record is $194 per the Ponemon Institute’s 2011 Cost of Data Breach Study.2

Recognizing that security breaches can be far more costly than cybersecurity programs—especially when coupled with the incalculable cost of regaining lost citizen trust—government leaders must focus their attention on developing and implementing proactive and innovative approaches and solutions.

In these times of escalating threats and increasing accountability, the 2012 Deloitte-NASCIO Cybersecurity survey identified three significant core findings:

• Problems persist: As in our 2010 report, CISOs recognize the importance of cybersecurity, but continue to struggle to gain adequate budgets and stakeholder buy-in. Cybersecurity governance and strategy continue to challenge states.

• People change but results have not: Despite 31 new state CIOs and 22 new state CISOs since 2010, the challenges reported in this survey are consistent with the 2010 survey results, highlighting ongoing problems.

• State officials acknowledge the importance of security: In a parallel survey targeting a limited cross-section of state business and elected officials, 92% of respondents ranked cybersecurity as “most important” (81%) or “very important” (11%).

The results of the 2012 Deloitte-NASCIO Cybersecurity survey show clear evidence of commitment and support from public sector business leaders. CIOs/CISOs must leverage this support by better articulating the risks and impacts to overcome the challenges related to governance, authority and budget—and effectively tackle cyber threats.

In this report, we propose a set of strategic action items for states, in addition to a compelling business case based on survey findings. CIOs and CISOs are encouraged to use these recommendations to build greater awareness and support at each level of state government. We hope this document is a catalyst for CIOs/CISOs and their state official partners to drive their mutual cybersecurity initiatives to even greater success.

In closing, we acknowledge the efforts of the state CIOs and CISOs in their endeavor to protect data and champion the topic. Consider the impressive response to this 2012 survey:

• 50 CISOs (48 states and two territories) or their equivalents responded to the long version of the CISO survey, which also included a self-assessment to measure the maturity of cybersecurity services in their states

• 63 responses to the state officials survey that resulted in a broader understanding of the business stakeholder perspective

