Implementing Policies for a Whole-of-State Cybersecurity Strategy
In part three of this series on developing a whole-of-state cybersecurity approach, we cover the implementation phase of this important strategy
Cybercriminals are targeting municipalities and other local government organizations, in part because they know these organizations lack the resources of large commercial enterprises. To defend against these attacks, a growing number of local government organizations are exploring the advantages of working together and adopting a whole-of-state cybersecurity strategy.
In a whole-of-state cybersecurity strategy, a state government collaborates with its local National Guard, municipalities, K-12 schools, tribal entities, and other local governmental organizations, crafting cybersecurity policies, helping with funding and toolsets, offering guidance, and sharing intelligence. Through this collaboration, municipalities and other local government organizations that are traditionally underfunded and understaffed for cybersecurity functions can benefit from the resources and wisdom of larger, better-funded peers.
Take a deep dive into whole-of-state cybersecurity.
In the first blog post in this series, I offered an overview of what goes into a whole-of-state cybersecurity strategy. Three practices make up this strategy:
- Governance and policymaking
And in my previous post, I provided an overview of the governance and policymaking phase. Now I’m going to consider the implementation part of this strategy, which involves the following:
- Continuing the collaboration among cross-organizational governance teams established during the governance phase of this strategy.
- Selecting, purchasing, and deploying standard cybersecurity toolsets across multiple government organizations.
- Finding private organizations with strong consultation skills to help with the rollout and configuration of cybersecurity tools and the implementation of cybersecurity policies.
- Prioritizing which cybersecurity policies to implement first.
- Communicating successes to strengthen inter-organizational relationships and reinforce the value of collaboration.
Continuing the collaboration established in the policy-making phase
In the policy-making phase, state organizations, municipalities, and others worked together to draft cybersecurity policies that could be standardized across the state.
In this implementation phase, this collaboration continues. Now entities such as the state’s DMV or a municipality have the opportunity to fine-tune policies for their particular needs and to convey those needs to the cross-organizational team. They can also share their experiences solving cybersecurity problems, so everyone has a chance to learn from everyone else.
Throughout this process, it’s important that every government entity participating understand that:
- The cross-organization team will make recommendations, but ultimately every government entity is responsible for adopting its own policies and implementing those policies according to its needs.
- State-level organizations might help select, purchase, and provision IT tools, but they don’t control the daily use of those tools. Individual government entities such as municipalities are fully in control of the tools they use for monitoring, managing, and securing their own networks and other IT resources.
- Even if government entities are responsible for using cybersecurity tools, the state can help select and purchase them at bulk rates, to make provisioning modern tools more affordable for every entity in the state.
Purchasing tools at the state level
How tools are purchased and distributed is one of the main differences between a whole-of-state approach to cybersecurity and the ad hoc approaches that have prevailed in the past.
In a whole-of-state strategy, the state’s collaborative cybersecurity team picks common toolsets to be deployed across the state. Local government entities are still responsible for using those tools to manage their own networks and personnel. But the state purchases the tools, so that every government entity in the state can benefit from discounted prices and tool standardization.
This approach offers several advantages, including:
- Lower costs
Because the state is buying IT tools in bulk, it can negotiate lower prices than individual government entities can on their own.
- Reduced audit requirements
Instead of hundreds of purchasing departments acting individually, all purchasing is handled by the state’s purchasing team. Because fewer purchases are being made, fewer purchases need to be audited to ensure that funds are being allocated properly.
Because all municipalities are getting the same tools, no one is left out or forced to make do with less desirable alternatives.
- Streamlined management of cloud services
If the state decides to purchase cloud services for its government entities, the state can manage those services themselves, rather than forcing municipalities and school districts to take on the challenges of monitoring and managing new services.
- Standardized processes and improved information sharing
Because IT teams across the state are using the same tools, they can use the same processes for common cybersecurity tasks, such as installing patches. They can also share best practices and contribute to a shared knowledge base about threats and threat remediations.
Recognizing the importance of vendors and private partners
IT vendors play a significant role in the success of any whole-of-state strategy, and not just because of their products.
When commercial companies buy IT tools, they have internal communications teams that can share information about the tools, offer training, and help with the overall adoption of the new technology.
Public sector organizations rarely have those resources. Vendors can help make up the difference with consulting and training services to ensure the rollout of a new toolset is successful.
For example, a vendor that’s a good partner can help outreach efforts across organizations participating in the whole-of-state strategy. The vendor might even help create custom, integrated documentation for the various tools selected as part of the whole-of-state strategy, so that IT teams across the state can find all the information they need in one place.
Because training and documentation are so important to rollouts, when state organizations are evaluating IT vendors, they should be evaluating their training and consulting capabilities along with their software and hardware. States should ensure that training, documentation, and any other required communications are provided as part of the purchase, so small, overworked IT teams never have to figure out new toolsets for themselves.
If a state has standardized its cybersecurity tools, and the vendors for those tools have developed useful training materials for state organizations, those materials can be shared across all the organizations participating in the whole-of-state strategy. Vendors, of course, have an incentive to make sure these materials are useful and complete, since so many government entities are counting on them.
The importance of communication for implementing a whole-of-state cybersecurity strategy
There is no such thing as overcommunication in this work. Teams should work transparently, and stakeholders should be regularly reminded about next steps and requirements. Regular communication about decisions, purchases, training and so on will help build enthusiasm for the project overall.
That said, it’s important not to overwhelm team members. Team members should take things one step at a time, recognizing that everyone working on a whole-of-state strategy already has a full-time job.
In my experience, team members really appreciate the support and information-sharing that comes from participating in a program like this. Suddenly, even government entities with small budgets are getting new tools and regular information about threats and how to guard against them. They appreciate the difference.
When the State of Arizona set up a program like this, they made information sharing one of the program’s pillars. Government entities across Arizona now share information through the State Fusion Center. They’ve also set up Slack channels for inter-organizational communication. These lines of communication make it easy for government security teams across the state to securely and anonymously post information about indicators of compromise (IOC) they’ve encountered and other useful threat intelligence.
Speaking of threat intelligence, the federal government is including more useful information in threat intelligence feeds it sends to all the states. The more high-quality threat intelligence feeds a state has, the better its security posture will be overall. IT teams can even automate responses to this intelligence. For example, it’s possible to integrate alert systems with firewalls, so that if intelligence comes in about a dangerous IP address, the firewall rules can instantly block the address, providing instant protection.
In this post, I’ve covered the basics of what’s included in the implementation phase of a whole-of-state cybersecurity strategy. In an upcoming post, I’ll cover the final phase of this work: validation.
In the meantime, if you would like to learn how the Tanium Converged Endpoint Management platform can help your organization enact a more mature cybersecurity strategy, please contact us.