I encourage you to read the entire report, but I'd like to focus on two specific issues: 1) technology modernization and its related component, technology debt (or "tech debt") and 2) organizational centralization of cybersecurity.
Tech debt essentially revolves around the idea that maintaining legacy software and hardware beyond its intended life cycle is not just inefficient but prolongs security vulnerabilities to the extent that they become unmanageable. The ongoing pandemic has illuminated legacy technology and security issues, such as the shortage of COBOL programmers needed to maintain decades-old state unemployment benefits systems and the reality that a lot of government organizations continue to use old, no-longer-supported operating systems, giving credence to the old saying that Microsoft's biggest competition is Microsoft.
While digital innovations march merrily along, producing technology advances that create vast efficiencies and enhance the ability of citizens to interact with their governments, tech debt is an anchor that limits the capability of CISOs to invest appropriately in keeping those interactions secure. In June 2019, the Government Accountability Office reported that the federal government had earmarked approximately 80 percent of that fiscal year's planned $90 billion IT budget to operate and maintain legacy systems. These numbers appear to be relatively consistent across governments at all levels and clearly reveal how funding deficiencies limit the ability to modernize.
Interestingly, while cybersecurity remains the top technology priority for state CIOs, information security continues to struggle for relevancy. The cybersecurity budget in many private-sector companies is over 10 percent of the overall IT budget, but most state government cybersecurity budgets are less than 3 percent of the greater IT budget. That's a number that needs to be balanced against the average cost of a data breach, which a recent IBM/Ponemon Institute report pegs at $3.86 million across industries both private and public.
And as significant as that cost is for most state and local governments, it doesn't begin to account for the disruption to citizen services and damage to citizen confidence when a government organization is out of commission for days or weeks. Many of the state government security breaches over the past decade — and even the recent wave of ransomware events targeting state and local governments — can be directly attributed to funding gaps associated with tech debt.
"It is imperative for states to modernize legacy technology infrastructure to elevate their cyberposture and implement modern integrity and anti-fraud controls," States at risk co-author Srini Subramanian, who leads the risk and financial advisory practice for Deloitte's State, Local Government and Higher Education sector, told me. "Cyber must be an integral part of these initiatives with state CISOs involved in every step as drivers and champions of modernization."
That leads to the issue of centralization of cybersecurity, the lack of which also inhibits modernization efforts along with threat remediation and response. It's been a controversial issue forever. I struggled with it when I was CISO for the state of Colorado in 2004 and again when I was CISO for the state of California in 2008. Fully 75 percent of state CISOs feel that a centralized organizational model for cybersecurity would improve their organizations' ability to function. Unfortunately, in states with dozens of separate agencies, departments, boards, councils and commissions, each with their own policies, personnel and budgets, territorialism is a real issue that often inhibits broader statewide collaboration.
In other sectors of the economy, integration and centralization of security have been underway for a decade, including the convergence of physical and industrial-control-system security. In the cyber domain, where threats and vulnerabilities grow at Moore's Law speed, the greatest challenge to centralization is individual desire for control. I believe that the ability to centralize budgeting and technology acquisition, staffing, and operational command and control far outweigh any territorial concerns.
"CISOs within a centralized cyberstructure reported that centralization helped them be more agile in their COVID pivot to more secure work from home, more robust multi-factor authentication, and enhanced employee security awareness and training," States at risk co-author Meredith Ward, who is director of policy and research at NASCIO, told me. "We also know that a more centralized cyberstructure helps consolidate resources, increase the state's cyberworkforce, and increase a state's cyberposture around risk assessments, security monitoring, and identity access management."
One of the more innovative ideas from the States at risk report is the creation of a "business information security officer" role at the agency/department level, with ultimate authority resting at the CISO level. But while this model has been used with great success in the private sector, it will lead to very controversial discussions across most state security organizations because no one likes to lose control or wants to give up the CISO title.
Back in 2018 in The New York Times, Tim Wu wrote about "the tyranny of convenience." Change is hard — it's inconvenient — and maintaining the status quo is easy. While Wu wasn't talking about tech debt or centralized security structures, I think technology leaders often fall into a tyranny-of-convenience mindset. But States at risk identifies some bold plays that would shake up the status quo in meaningful ways.
Governing's opinion columns reflect the views of their authors and not necessarily those of Governing's editors or management.