Building a bigger table could be the guiding principle of state cybersecurity in 2021. The National Governors Association (NGA) Center for Best Practices has named whole-of-state cybersecurity as the theme of its 2021 Policy Academy, and participants are making it clear that they believe stopping threats requires engaging a broad array of partners.
“The unofficial slogan of our program is ‘Cybersecurity—it’s not just an IT problem anymore,’” said Maggie Brunner, NGA director for homeland security and public safety. “Cybersecurity is a homeland security threat, is an economic development opportunity, is a threat to elections and our democracy.”
The academy kicked off last month with five participants whose project proposals involve several NGA-recommended topics, with Indiana and Washington focusing on state and local government cybersecurity partnerships, Kansas and Missouri selecting cyber governance and Montana rounding out the group with an effort on cybersecurity workforce development.
The academy aims to help participants tackle initiatives that may be too complex for states to manage on their own, with the hope that the different projects will produce insights, models and warnings about potential problems that could guide other states in future work.
“With Policy Academy, we’re using this smaller group … to say, ‘How do we roll up our sleeves and really affect change in a very meaningful way?’” Brunner explained. “That smaller group is really our guinea pig, and then we take those ideas to the rest of the country.”
CONNECTING WITH LOCALITIES IN INDIANA
Indiana wants to boost its ongoing efforts to make cybersecurity accessible to local agencies. The state launched an Executive Council on Cybersecurity in 2017 to bring together representatives of various levels of government and sectors to develop a statewide strategy, said Indiana Cybersecurity Program Director Chetrice Mosley-Romero.
One of the council’s central focuses has been to learn about localities’ unique needs and then create and distribute cybersecurity materials that break down information into easily digestible tip sheets, toolkits and other resources. The term “cybersecurity” can seem overwhelming and highly technical to those outside the IT sphere, Mosley-Romero explained, so the council aims to demystify core principles so that more people understand how to maintain good security practices.
Mosley-Romero said she and others have become well aware of the dangers of assuming all local governments operate similarly and that simply publishing a standard set of tips and trainings often falls short of meeting needs.
“It’d be unfair and very inefficient to push out ‘Hey, these are deliverables, they worked for Indianapolis so you should just use them,’” she said. “A lot of times people just assume one size fits all because it’s cyber.”
With NGA’s help, Indiana hopes to understand how to tailor its supports to different localities and present them in useful ways.
“How do you figure out how to communicate [the information] across the board? We have 92 counties, which means we have 92 different ways we need to figure out,” Mosley-Romero said.
The council is looking to NGA for help with the complicated task of understanding how well its training materials work for different counties and municipalities, as well as estimating the time and financial commitments localities should expect when planning cybersecurity updates.
“We’re going to be tracking the time and resources and any additional costs so … [we’ll] know what it costs the full county at various offices and levels to implement these changes and deliverables,” Mosley-Romero said. “[Then] when we go to [other counties] we can say, ‘You’ll need this amount of support and this amount of money’ … Unless you put price tags on that stuff, it’s hard for people to move forward on it.”
NGA will educate Indiana about similar efforts in other states or federal departments, provide advice and connect the state with other resources to help guide the project in a more intentional and informed manner. Such assistance will allow Indiana to be smart and avoid “blindly going ahead assuming we know what we’re doing,” Mosley-Romero said.
FORMALIZING KANSAS’ STRATEGY
Kansas is newer to the state CISO scene, having established the role and the broader Kansas Information Security Office only in 2018, and it is turning to the academy for support in developing a clearer cyber response strategy and strengthening its collaborations with other parts of state government, said CISO Jeff Maxon.
“We’re just now getting our feet under us and are trying to communicate what we can do to other agencies that haven’t historically engaged with us,” Maxon said.
Maxon is working to define roles and responsibilities with other agencies so that if a cyber incident occurs, those offices will know who to alert and get help from, as well as know what counts as a “state of emergency” in the first place, he said. The Policy Academy presents an opportunity to hammer out a formal framework and emergency response plan.
Kansas’ initial focus is to improve cybersecurity collaboration and communication with other state agencies, such as the offices of the attorney general and secretary of state, before seeking to strengthen connections with local governments and the private sector, Maxon said. He intends to exit the academy with an emergency response plan ready for testing in 2022.
Kansas is especially looking to NGA for insights on the governance structures, policies and procedures that other states have considered to tackle similar challenges. Maxon noted as well that, with neighboring participant Missouri also engaged in cyber governance, the academy might lead to opportunities for longer collaboration even after the program ends.
BUILDING MONTANA'S CYBER WORKFORCE
Connecting residents with high-paying jobs in a growing field, while shoring up statewide defenses, is central to Montana’s Policy Academy project.
“We are losing a workforce to other states for higher-paying jobs,” said CISO Andy Hanks.
The state seeks to fight talent flight and connect residents with new opportunities through a three-pronged approach: giving school children a stronger cybersecurity education; building connections between college and university students and employers; and connecting adults with opportunities to train for and find high-salary science, technology, engineering and math (STEM) jobs, Hanks said.
The payoff would be higher earnings for many constituents, with the additional benefit of filling the hundreds of vacant cybersecurity jobs statewide. Matching local talent to workforce demand is difficult, however, because participation in STEM classes tends to drop off as students advance through the education system, Hanks said.
“We have more students in STEM courses at lower levels like K-6, and we lose some from 6-12, and lose some more in first years of college and even more later on graduation,” he said.
Montana looks to combat this problem by incorporating cybersecurity into K-12 curricula through partnerships with schools and third parties, and NGA can be key to forging connections with the latter, Hanks explained. Students taught this way may go into cybersecurity professionally or may simply understand how to recognize and avoid cyberattacks — both good outcomes.
“Even if those students don’t go into cybersecurity careers, they’ll go into the Montana workforce,” Hanks said. “Having the workforce be cyber-aware will have tremendous benefits to our economic security.”
The state is also collaborating with higher education institutions and employers around tailoring academic training so it speaks to the skill sets employers need; encouraging co-op and internship opportunities; and promoting use of certain common language in coursework and job postings that could help applicants and recruiters better see how candidates’ qualifications match roles.
NGA could also be particularly helpful in assisting Montana with its final objective: creating a resource of half a dozen career pathway guides that can help residents seeking STEM jobs find skill-training road maps to follow to qualify for roles. These upskilling and reskilling strategy maps would be for residents in dwindling fields and underserved populations such as tribal members and veterans, Hanks said.
“Citizens can find … which career focuses match them best, then have a set of instructions to follow into high-paying cybersecurity jobs,” he said. “Let’s say you live in a rural area in Montana where the industry there has gone away. One of the outcomes of the NGA Policy Academy in Montana for Cybersecurity Workforce Development is a clear pathway for dislocated workers. This will help you match the skills you already have from previous experience with certain pathways.”
Jule Pattison-Gordon, GovTech Magazine
Jule Pattison-Gordon is a staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.