Whole-of-State Cybersecurity: What it Means and Why it Matters

Originally published by CXO REvolutionaries.

Written by David Cagigal, Former CIO of the State of Wisconsin.

You’re the CIO of a state. Your charter is to secure, as fully as possible, all data and services used at the state level and to advise a variety of agencies and groups at the local level who may need to access those resources.

You’re well aware that state, local, and educational agencies juggle a dizzying assortment of technologies, processes, best practices, implementation hurdles, and varying cyber skill capacities. The result is an unpredictable hodgepodge of security capabilities statewide.

Of course, there are larger cities, the “haves” as I call them, which are well funded by a substantial tax base and therefore better able to tackle the challenges posed by today’s cyber threat landscape. Often, these cities have their own CIOs and sophisticated technology teams giving them a leg-up over their rural, “have-not” counterparts. They are often capable of turning sophisticated strategic planning documents into actual action plans.

State CIOs are charged with somehow uniting these entities – defined by their own contexts, strengths, and weaknesses – to execute their charter of comprehensively securing data and services in a race against the clock. I call it a race because the average tenure for a state CIO is 30 months. That’s not a long time to undertake a transformative initiative.

The best way to succeed in this uphill endeavor lies in what’s called a “whole-of-state” security strategy. It’s called that precisely because it fosters collaboration across the entire state, among all relevant players, in a way that spans every geographical region and every logical level of government infrastructure. But creating and implementing such a strategy is, needless to say, not always straightforward.

Let’s consider some of the available resources and related complexities.

Cash is sometimes available, but never a cure-all

In accordance with the standard business maxim that money talks, it certainly helps that substantial federal funding is available. Specifically, the federal government recently allocated one billion dollars to be divided among all fifty states, based on population size and delivered via grants, with the specific goal of bolstering and fortifying security statewide.

However, as with most federal grants, there are strings attached. Eighty percent of the grant within each state must flow down to local governments, and a quarter of that eighty percent must in turn flow out to rural areas.

An illustration of the flow of cybersecurity resources from top to bottom

I have long advocated for the importance of advising and assisting this bottom (local) level with all of the resources state-level IT and security leaders can muster. It is, in numerical terms, enormous. We’re talking about every one of the municipalities in your state that, at any time or for any reason, accesses state-level data and services. Wisconsin, for instance, where I served as CIO, is made up of 72 counties, 190 cities, 400 villages, and 1200 towns.

No two work in exactly the same way using exactly the same technologies. Many struggle to stay up to speed with recent vulnerabilities or breach methodologies, fail to routinely install security patches, need assistance with detecting and resolving gaps in identity management, or face another of the myriad challenges with modern cybersecurity. Some are more eager to hold onto their autonomy than improve their cybersecurity, which can lead to regional pockets of reduced cyber readiness compared to the state as a whole.

I’d like to be clear. Few are actually to blame for this regressive cybersecurity posture. There are simply too few resources – in terms of time, talent, and treasure – spread across too many entities for them all to be effective. That is, without some way of concentrating influence.

So, even when you obtain your share of the federal funding, what then?

State CIOs often cannot presume with confidence that federal money will be distributed and spent state-wide in an optimal way. It is difficult to ensure this assistance aligns with security best practices, is applied consistently across regions and agencies, and positions the state to be able to protect data and services. Distributed cash, per se, does not yield a true whole-of-state solution.

With a true whole-of-state approach, SLED organizations capitalize on economies of scale by uniting behind a state-level strategy. Comparatively well-resourced states can devise strategies, conduct RFPs for the necessary solutions, assist with incident response, and offer better pricing because of the large number of users they must provision. These are familiar economic principles, but for reasons commonly tinted by politics, adoption is harder at the local level.

A more significant underlying problem is that traditional technologies deployed to support remote work, such as VPNs, have long since outlived their utility. They assume a traditional moat-and-castle network topology that no longer applies — not just because of remote work, but other factors like the rise of cloud computing and an increasing need to provide third-party partners with access to internal applications.

Moving to a zero-trust strategy

Does it make sense, given these sea changes, to assume that your network is secure and that everything within it can be trusted? If so treating your state’s data center(s) as a castle and securing it (or them) with a security moat would still prove effective.

In fact, the opposite idea makes much better sense. It is never wise to assume any form of network transaction, regardless of its origin or nature, is secure. The identity of the parties involved in any network transaction should always be established by rigorous verification that aligns with best security practices (for example: via a security certificate that authenticates each party, not via a simple password or even MFA).

Furthermore, it’s also essential to not treat incoming connections — even if they pass the rigorous authentication check — as fundamentally trustworthy to the point that you provide comprehensive access to the entire protected network and every resource within it. Instead, the goal should be to determine exactly which resources are required for a transaction, and (assuming security checks are passed) create a connection only to those resources.

Finally, because this security architecture would be leveraged statewide, by a large population of users and agencies, it is also essential its performance is top-tier. It must scale in direct proportion to fluctuations in demand without breaking the bank by requiring an enormous capital investment to implement.

Technologies and best practices like those I’ve described, if implemented statewide, would go a long way toward creating a whole-of-state solution. Fortunately, in my experience, everything I’ve described is well within reach for state CIOs, given a trusted partner with proven expertise in zero trust architectures and a broad set of related capabilities.

Organizations at any stage in their journey should benchmark their progress against CISA’s Zero Trust Maturity Model. Organized around five key pillars, this framework helps teams understand where they can score quick wins and which initiatives should be planned for further down the road.

True, effective zero trust includes capabilities beyond those that I have described to also include:

• SSL traffic inspection. Since malicious actors are getting smarter in encrypting their malware, security strategies must respond by inspecting all inbound traffic. Furthermore, since that’s a computationally challenging thing to do, it has to happen in an incredibly efficient way to create more value than it subtracts.
• State infrastructure shielding. Since the security architecture acts as a kind of access buffer, that hides the state network and assets from the public internet, the total attack surface is tremendously reduced. A dramatically smaller target is harder for attackers to hit.
• Support for every conceivable network topology. While you’re probably thinking right now about remote workers, cloud services and, possibly, third-party partners with access credentials, you should also be considering how all those factors will scale up in years to come. A zero trust specialist can show you how every network topology you need, whether today or tomorrow, is protected, no matter how complex or sophisticated it becomes.
• Training and support. You’ll definitely need this to bring diverse agencies and municipalities up to speed in everything pertaining to the whole-of-state solution, their particular roles in it, and the changes they’ll need to make (which are less than they might imagine).