A Practical Guide to Building a Whole-of-State Cybersecurity Strategy

If you asked the question “What is whole-of-state cybersecurity?” just a few years ago, the most common response would have been a puzzled look.

Today it’s a lot more on the radar now that state and local governments are under siege.

Cyberattacks targeting the government sector jumped by 95% worldwide in the second half of 2022 compared to the same period in 2021. Ransomware is virulent: 58% of state and local government organizations were hit by ransomware in 2021, a 70% increase over the previous year. And costs are skyrocketing: For local governments, the price of rectifying a ransomware attack, including expenses related to resources, downtime, lost opportunity, and ransom paid, averaged $1.64 million per attack in 2021.

Adopt a whole-of-state cybersecurity strategy to pool your disparate resources, strengthen your cyber posture, and serve the public interest.

Few jurisdictions have enough resources on their own to combat this unprecedented level of cybercrime. That’s why many states, municipalities, and K-12 school districts today are banding together and pooling resources to better defend against this growing wave of common threats. The strategies they’re utilizing are collectively known as whole-of-state.

What is whole-of-state cybersecurity exactly?

Whole-of-state cybersecurity is an approach in which state governments collaborate with their state’s municipalities, educational institutions, tribal entities, and other public organizations to shore up their cyberdefenses. It links these entities so they can strategize together, exchange data and resources, address workforce shortages, and secure state and federal funds, building an alliance against ransomware, supply chain attacks, and other shared cybersecurity threats.

They’re not working together because someone’s telling them they have to—they’re working together because they choose to.

“They’re not working together because someone’s telling them they have to—they’re working together because they choose to,” says Jennifer Pittman-Leeper, a whole-of-state strategist at the cybersecurity management firm Tanium. Government entities that don’t join forces despite facing the same cyber threats face a huge missed opportunity, she says.

How to start a whole-of-state cybersecurity strategy

The initiative to start working together can come from virtually any level of government, but it takes support from both the bottom and the top to flesh out a whole-of-state platform.

“Any one person can start by saying, ‘Hey, we need help,’” Pittman-Leeper says. “But success means having support at the highest levels of government, including elected officials, to enable you to work with other governmental entities. You’re also going to need to communicate with the folks in IT. Everyone needs to buy into the idea of working together.”

[Watch also: NACo’s recent webinar on a tale of two states—how whole-of-state is shaping the future of cybersecurity]

Relationships should be formalized into an independent cross-organizational cybersecurity team. This group can institute a place for regular stakeholder meetings, build a framework for making decisions, and draft effective cybersecurity policies. These don’t have to be created from scratch. They can be drawn from established policy frameworks such as those from the National Institutes of Standards and Technology (NIST) or the Center for Internet Security (CIS).

How to fund your whole-of-state cybersecurity plan

Federal grants and short-term funding increases are useful to jump-start a whole-of-state plan. Sustaining a plan beyond the first year will likely require access to a state’s general fund. In either case, Pittman-Leeper says it’s critical to talk dollars and cents upfront.

“Don’t hide from the money conversation,” she says. “Otherwise, you’re going to put together something amazing that won’t be sustainable.”

It’s like a neighborhood watch. When we all take part in patrolling the streets and looking into each other’s backyards, we keep everyone stronger and more secure.

What to include in a whole-of-state platform

Once stakeholders have garnered support, established basic policies, and discussed funding, they’ll need to build the specifics of their whole-of-state platform. Pittman-Leeper advises adhering to these four pillars:

• Information sharing—Whether it’s threat intelligence, compromise indicators, or just general updates, every participating organization must be willing to share data. Cross-organizational teams and communication processes to support them will be critical.
• An incident response plan—An effective plan should outline personnel roles and responsibilities and step-by-step procedures. And it must be practiced via simulated incidents until everyone knows their part. “Seconds matter during a cyber incident,” says Pittman-Leeper. “The faster you respond, the more damage you can mitigate.”

[Read also: 5 steps to a rock-solid incident response plan]

• Workforce development—Partnerships with community colleges and universities are an overlooked but important component of whole-of-state plans. By offering internships, government entities can relieve some staffing shortfalls and provide students with real-world IT experience that will give them an advantage when they enter the workforce. Such partnerships also allow the public sector to give ongoing feedback to schools. “It’s important,” she says, “to tell them what skillsets their students will need to meet today’s security challenges. And tomorrow’s.”
• Standardized tool sets—To share info across agencies, baseline tools are essential. “If you measure in feet but I measure in meters, we’re constantly going to be confused,” she says. “With one tool, it’s one set of instructions that goes out to everyone.”

How to manage whole-of-state for the long term

Three interdependent practices drive a whole-of-state strategy:

• Governance provides a framework for making decisions, deploying tools, and monitoring and reporting results in a way that’s fair to all. “You’ve got people working together for the first time,” Pittman-Leeper says. “You need to set up some guardrails.”
• Implementation is the action phase of whole-of-state. It’s where IT managers and engineers put the cybersecurity policies they developed earlier into practice, utilizing those standardized tool sets and processes.
• Validation is the final step, when your policies and practices are working effectively. Teams should be able to demonstrate compliance with security report data rather than self-attestations. Comprehensive, real-time monitoring and reporting should provide holistic visibility into your current strengths and weaknesses so you can quickly identify gaps and reinforce the security posture of the group.

[Read also: Implementing a whole-of-state cybersecurity strategy requires fine-tuning policies and communicating changes or concerns to key players—here’s how]

Every government agency in a state is interconnected, so it only makes sense that our cybersecurity strategy should be collaborative, notes Pittman-Leeper.

“It’s like a neighborhood watch,” she says. “When we all take part in patrolling the streets and looking into each other’s backyards, we keep everyone stronger and more secure.”