A Tale of Two States and Counties: How Whole-of-State is Shaping the Future of Cybersecurity

We all know that cyberattacks in the public sector are mounting. Over 100 state and municipal governments and dozens of school districts were compromised by ransomware last year. And geopolitical tensions will only embolden both state-linked and financially motivated threat actors going forward. These are uneasy times for cybersecurity leaders at these government and education sector entities. But help is at hand.

The whole-of-state approach to cybersecurity is gaining traction as a useful way for organizations with a shared adversary to better manage their cyber risk. By pooling resources, sharing information and generally working together, they can strengthen their collective digital defense without breaking the bank. A recent Tanium webinar in partnership with the National Association of Counties has some fascinating insight.

The panel included local government experts Boulder County (Colorado) CIO, Ben Edelen, Pinal County (Arizona) CISO, Jerry Keely, interim State of Arizona CISO/Arizona Department of Homeland Security Deputy Director, Ryan Murray, and State of Colorado CISO, Ray Yepes.

An existential challenge

Why is a whole-of-state approach required? Because while states may have sufficient resources and capability to fend off serious cyber threats, many smaller entities — particularly school districts — can struggle.

“It’s about sharing our resources and delivering something of value to our small community partners, to our peer governments who are below some kind of ‘cyber-poverty line,’ so that when cybersecurity improves in our state, it improves for all of us and not only for the well-funded organizations,” says Edelen.

It’s also true that in many cases, cities, counties and other smaller state entities are facing off against the might of hostile state actors and well-resourced cybercrime gangs with annual budgets in the millions of dollars. That makes it more important still that those with more established programs and resources to share do so — especially given the stakes are nothing short of “existential,” according to Yepes.

“If a small city gets taken out with ransomware and they don’t have backups, they don’t have good defenses, and their cyber insurance company stopped covering them years ago, that city just basically ceases to be able to provide government services anymore, and we cannot let that be the case,” he argues.

How to make it work

The question is how to bring it all together. According to Murray, it’s not about reinventing the wheel but recognizing where a shared approach can actually drive efficiencies and economies of scale. He says the state of Arizona’s program has already seen benefits like these.

“Instead of many disparate groups saying, ‘I want this specific tool,’ or ‘I need this specific problem solved,’ we’re all coming together and trying to solve them at a larger scale,” he explains. “That way, we’re not having to manage 27 different tools in the state agencies and another 30 different tools for all the counties. We’re using all the same tools across the board — all managed by the state and supported by our local government partners.”

Other tips shared by the panelists include:

Listening to the smaller parties: Whole-of-state approaches are not owned by anyone, meaning the emphasis should be on helping out those who need it most, like cities, counties and K12s. States shouldn’t presume to know what they need, but listen and ensure that smaller voices are heard, says Yepes.

Talk to people where they are: Given the distances involved, it might make sense for state-level experts to do physical roadshows in order to meet stakeholders where they live and work rather than expecting them to travel to state capitals, says Murray.

Start small and think big: To get things started, it might be best to kick things off with a relatively small group of people interested in collaborating more, says Neeley.

“It’s okay to ask for help,” he adds. “Nobody should believe they know everything. Where we started in Arizona was with a very small collective of people that got together and said, ‘let’s start collaborating’.”

Kick things off with threat intelligence: This opens the door to some quick wins for whole-of-state advocates. Edelen argues that threat intelligence feeds from federal agencies, ISACs and the like can be slow because they require a lot of confirmation and checking for accuracy.

According to Edelen, it is important to set up something that is fast where you can quickly pivot and share potentially harmful information with your peers such as IP’s that might be interfering with their environments or an email address that is clearly compromised at the next city or county over.

Just get started: A lot of time is spent mulling over the right committees and task forces to build. This can detract from the bigger picture, Murray concludes.

“Administrations change, change, directorships change. We can’t be caught in the middle of this stuff and have to redo our planning every two or four years,” he says. “Just start doing something, and then the rest of it kind of falls into place. Everything else will come together.”

---

To watch the entire webinar, Whole-of-State 2.0: A Tale of Two States and Counties, check out the embedded video above.

Learn how to implement a whole-of-state security architecture to protect your citizens’ data by visiting our website and explore 25+ blogs, whitepapers, thought leadership interviews and more by visiting our resource library.