Making Cal-Secure Work for California Government Agencies

State and local governments are increasingly a target for global threat actors because of the critical services they provide and frequent contact they are expected to maintain with constituents. According to its NASCIO submission, the California Cybersecurity Integration Center states that 70% of all ransomware attacks in the United States continue to target governments at the state and local levels.

In a recent webinar about Cal-Secure, a cyber maturity roadmap for State of California entities, the following speakers had a panel discussion about what it means to organizations:

• Vitaliy Panych, California State CISO
• Ty Shepard, Joint Task Force Cyber Commander, California National Guard
• Richard Harmonson, Information Security Officer, California Natural Resources Agency
• Webinar moderator Chris Cruz, Tanium Public Sector CIO, and former California State Deputy CIO

The webinar provided great insight into how government organizations of any size should leverage Cal-Secure to possess a strong set of security capabilities to ensure availability for the residents of the golden state.

What is Cal-Secure?

As the world’s largest sub-national economy, California IT leaders sought to prioritize a sustainable cyber future with Cal-Secure, a roadmap for any organization within California’s multi-layered government system to reach a high level of cyber maturity, from the largest state agencies to the smallest towns. The framework contains specific goals related to people, process, and technology as well as having different expectations for state, local, education and private sector entities requiring strong collaboration to ensure its success.

At the Virtual Cybersecurity Education Summit in 2021, Gavin Newsom kicked off Cybersecurity Awareness Month by underscoring the importance of the Cal-Secure plan:

“Hackers steal our time, money as well as our peace of mind. So protecting our data, as well as other peoples’ data are among the most important things we can do to prevent disruption in our daily lives.”

Why compliance is challenging

Attendees on the webinar pointed out persistent IT and security workforce shortages that exist in the state as one of their biggest hurdles – in fact, California CISO Vitaliy Panych cites figures claiming there are currently 83,000 industry job openings in the state. And the skills challenge extends beyond IT security. Government agencies also need to hire and train staff to be security conscious.

Another challenge is reducing the duplication of effort. Richard Harmonson mentions that a large part of his role as it relates to Cal-Secure has involved centralizing controls, gathering teams and expertise together from several departments and improving intra and inter-departmental knowledge sharing. He believes the roadmap will help mature CNRA’s information security posture over time.

This effort duplication can also proliferate in the management of security and IT operations tooling. Tanium research reveals that global organizations use, on average, 43 separate security and operations tools to manage their IT environments. This perpetuates departmental and data silos, making it difficult for government entities to get a clear picture of – for example – the actual number of endpoints in their environment. Without this insight, endpoints go unpatched, stay misconfigured and expose the organization to unnecessary cyber risk.

Start With Measuring IT Risk

California government entities can gain a better understanding of the gaps in their IT environments by partnering with the private sector to perform an IT risk assessment such as the one Tanium offers at no cost.

“I encourage and implore organizations to really look at and understand their own internal risk posture,” says Panych. “Have a governance process, where you’re communicating and talking about risk, talking about your gaps, your issues that are, hopefully, identified by a vulnerability management lifecycle or process that you have. If you don’t, you should have one.”

The Tanium Converged Endpoint Management (XEM) platform enables government IT leaders to get accurate, real-time answers about their endpoint estate to deliver exactly this type of intelligence – and then to build on top of it seamless vulnerability, patch, and asset management programs, at speed and scale. Tanium has also built a guide that outlines how the multi-tiered California government system can achieve many of the Cal-Secure key capabilities – from anti-malware protection to continuous patch management.

That’s the kind of platform-based approach designed to minimize security and compliance risk, reduce tool bloat, and simplify and accelerate the Cal-Secure roadmap.

---

Learn more about Cal-Secure and how Tanium’s XEM platform can help you meet these directives.

You can’t protect what you can’t see. Get a no-cost, no-obligation IT risk assessment from Tanium today.