State governments have a lot on their plates - especially in light of the COVID-19 pandemic. Yet what preoccupies state CIOs the most is cybersecurity, according to the National Association of State Chief Information Officers (NASCIO). In fact, for the 9th year in a row, cybersecurity held the top spot in the 2022 edition of the organization's "State CIO Top 10 Priorities."[1]

The need for such focus was again driven home just days after the survey's publication earlier this month, when yet another high-profile state government cyberattack made the news. In this case, a ransomware attack took Virginia's state legislature offline.[2]

The state and local government and educational (SLED) sector has been hit with increasing frequency since the beginning of the pandemic, when more than half of SLED security officers said it was "likely" to "inevitable" that an email-borne attack would inflict serious harm to their organizations, according to Mimecast's 2020 State of Email Security in the U.S. Public Sector.

As it turned out in 2020, one estimate showed that over 1,790 federal, state and municipal governments and schools in the U.S. were impacted by one of the most pernicious cybercrimes - ransomware.[1] While public-sector statistics are still being tallied for the current year, general trends show a 17% increase in reported data breaches of all kinds in the U.S. through the third quarter of 2021.[3] The SLED sector is generally hit harder than most,[4] mainly because its organizations hold highly sensitive information and have weaker defenses that make them an easier target for cybercriminals.[5]

Looking ahead to the new year, state CIOs expressed determination to take action in several key areas, according to NASCIO's annual survey for 2021,[6] which complements the Top 10 list. Over 80% said they intend to adopt or expand identity and access management solutions in the next two to three years. The same goes for performing continuous enterprise cybersecurity assessments (69%), introducing or expanding a zero-trust framework (67%) and conducting cybersecurity awareness training (56%).

But in the face of one of the biggest enduring changes brought on by the pandemic - remote work - the NASCIO survey also revealed little new funding heading to state governments in the coming year. Over 80% of CIOs reported no budget increases to address new or increased remote work needs, which have complicated security and expanded their states' attack surfaces.

Not only is cybersecurity the top priority of state CIOs, but many of their other priorities reflect specific security and privacy needs. For example, Priority No. 2 is "digital government/digital services," which is broken out to include identity management and privacy while "improving and digitizing citizen experience."

CIOs are also intent on "legacy modernization," a goal that made it back on the list for the first time in five years, coming in at Priority No. 5. Among its many values, updating legacy systems is recognized as a necessity for closing security gaps.

And so the list goes on through a range of security-relevant policies and management processes, including "identity and access management" as Priority No. 6. CIOs also emphasized the security, privacy and data governance aspects of other big priorities, such as "cloud services" (Priority No. 4) and "data and information management" (Priority No. 9).

In NASCIO's annual survey, CIOs described how their states' responses to the pandemic have changed their cybersecurity systems and procedures. Generally, the report said: "With the shift to an increasingly digital government and remote work here to stay, CIOs have evolved their approach to cybersecurity to further address the distributed environment and human element of cyber threats."

Specific survey results include:

67% have enhanced encryption and security for online work at home.

65% now have standards for cloud security.

57% see security driving their cloud strategies.

41% see disaster recovery and risk management driving their transition to the cloud.

60% have at least partially implemented identity and access management.

60% have accelerated the modernization of their insecure legacy systems.

Many state CIOs (57%) described ransomware as a key motivator for change. "Ransomware will continue to be a significant threat for government agencies," according to Cybersecurity in Government 2021, an Osterman Research report commissioned by Mimecast.

Yet ransomware is not the only threat to states' data and operations. "Governments are under attack from a wide range of cyberattacks, including ransomware, phishing, business email compromise, data breaches and misconfigured cloud storage accounts," the Osterman report said. Most attacks originate with email phishing, it said.

Cybersecurity budgets would have to stretch far to meet all the needs described in the Top 10 report. Yet state cybersecurity funding remains tight.

State governments allocate less than 3% of their IT budgets to cybersecurity, compared with about 7% in the federal Department of Transportation and 11% in the U.S. Social Security Administration, according to a 2020 NASCIO-Deloitte report.[7] While IT funding improved during the early part of the pandemic, as emergency projects were accelerated, CIOs polled in NASCIO's annual survey see this as a blip. As mentioned above, fewer than 20% expect an increase in 2022, even as remote and hybrid work arrangements are expected to continue.

Some help is on the way, with $1 billion in state and local cybersecurity grants included in the Biden administration's infrastructure package. The funds are expected to be rolled out from 2022 to 2025.[8] In another promising development for SLED CIOs, the StateRAMP cloud security standards group recently published its first list of authorized vendors, including Mimecast.[9]

For nine years running, CIOs serving state governments have listed cybersecurity as their top priority. They're taking many steps to reduce their risk, but tight budgets and legacy systems continue to make them more vulnerable than most organizations.

