This document is a Call to Action for governors and state legislatures to improve their cybersecurity risk management capabilities by creating or strengthening their cybersecurity governance.
Executive Summary
Cybersecurity threats are an ever-present organizational risk on par with economic, legal, operational, financial, and political risks. They increasingly affect state assets. Managing these risks, and the threats from which they stem, must be part of a state’s overall risk management portfolio. To do this, state leaders must have effective cybersecurity governance.
Cybersecurity governance is the set of processes by which decisions are made about cybersecurity risk. Effective cybersecurity governance provides the mix of control and influence that is necessary and appropriate for a state, and includes mechanisms for mitigating and responding to risk.
While every state has implemented cybersecurity programs, few have cybersecurity governance that effectively ensures the state’s risk is managed to a level, and in ways, that formalized governance processes have determined to be acceptable to the governor and legislature. An effective cybersecurity governance framework answers important questions such as:
- What decisions need to be made about cybersecurity threats?
- Who makes those decisions?
- How are those decisions made?
- What mechanisms exist to inform those decisions?
- Who has responsibility for translating decisions made by cybersecurity governance into effective cybersecurity programs?
- What processes exist to make sure that the cybersecurity programs are effective?
This Call to Action presents four steps to be taken by governors and state legislatures to establish or strengthen their cybersecurity governance:
1) Establish Authorities through Executive Order and Legislation
2) Formalize Key Processes
3) Assign Roles and Responsibilities
4) Monitor Indicators for Decision-Making and Adaptation
It also includes eight tools that states have found useful in strengthening their cybersecurity governance, as well as questions that governors and state legislatures can ask to help determine whether their cybersecurity governance is effective in addressing and minimizing the threats their states face.
Once established, cybersecurity governance must be agile, allowing cybersecurity programs to evolve as new threats emerge that require adaptations in risk management strategies. As smaller organizations become increasingly aware of their limits in understanding threats and managing their risk, they are looking to state partners for assistance. Expanding scope beyond executive-level agency assets to a “whole of state” perspective, one that engages stakeholders across multiple sectors and levels of government in a coordinated and collaborative process of risk management, is increasingly recognized as an important step in managing a state’s cybersecurity risks.
The Center for Internet Security (CIS), the Center for Technology in Government at the University at Albany, State University of New York (CTG UAlbany), the National Governors Association (NGA), and the National Conference of State Legislatures (NCSL) collaborated to create this Call to Action for state Governors and legislatures.
The four organizations conducted formal interviews with 13 sitting CIOs and CISOs and consulted with other organizations, Homeland Security experts, and cybersecurity experts, including the National Association of State Chief Information Officers (NASCIO) and the University of Maryland.