Government, Personal Data at Risk, Deloitte-NASCIO Survey Finds

More than three-quarters of chief information security officers in state government cite stagnant or cut budgets as top problem

A new survey from Deloitte and the National Association of State Chief Information Officers (NASCIO) found that the 49 of 50 state governments that participated in the survey need to give cybersecurity a higher priority.

The study, State Governments at Risk: A Call to Secure Citizen Data and Inspire Public Trust, found that many state chief information security officers (CISOs) say they lack the funding, programs, and resources that their private-sector counterparts have to protect government data adequately. That data includes the personally identifiable information (PII) of their citizens. "In tough economic times the gap is widening further exacerbating the issue," the report notes.

“Many state CISOs lack the visibility and authority to effectively drive security down to the individual agency level,” said Srini Subramanian, a director at Deloitte & Touche LLP and the leader of state government security and privacy services. “At the federal level, the President has recognized the critical nature of the problem and appointed a cybersecurity coordinator to address it; it’s imperative that governors and state legislative leaders make cybersecurity a priority.”

Steve Fletcher, president of NASCIO and CIO of the State of Utah, added: “Unprecedented budgetary cuts across state governments and growing reliance on contractors and outsourced IT services are creating an environment that is even harder to secure, and the report highlights the growing concerns of CISOs in this regard.”

According to the report:

States increasingly are embracing strategic planning as part of their cybersecurity approaches and are converging on the National Institute of Standards and Technology (NIST) risk assessment framework for strategic alignment. However, without a compliance audit and enforcement mandate, such as the Federal Information Security Management Act (FISMA) at the federal level, compliance with the NIST framework across the enterprise is not likely to be achieved.

Threats to PII and personal health information (PHI) are on the rise, the survey showed. States must prevent accidental and intentional internal data breaches and be prepared to address increasingly sophisticated external security threats.

The report didn't have good things to say about states' use of third parties, including contractors and managed service providers, warning that "states must better manage the security of the third party providers."

Deloitte and NASCIO include recommendations to help state CISOs bridge some of the security gaps, such as partnerships within state government and standardization ideas.

According to Doug Robinson, executive director of NASCIO, “It’s clear CISOs have tough jobs without adequate resources. A staggering 88 percent of respondents mention lack of sufficient funding as a major barrier to effectively addressing information security.”

A full copy of the 40-page report in PDF format is available at no cost.

About the Author

James E. Powell is the former editorial director of Enterprise Strategies (esj.com).