Local governing bodies, from school systems to local and tribal government, to even state government, tend to be critically underfunded. This is especially true when it comes to cybersecurity and the protection of sensitive constituent data, which is why a whole-of-state cybersecurity approach is gaining traction.
The State of Arizona was prioritizing cybersecurity before it was cool, and they’re doing SLG security right: Here are 5 tips that Arizona’s Deputy CISO, Ryan Murray, shared with Virtru in a recent Voice of the Customer conversation.
1. Enlist Your Team — Statewide
“[Cybersecurity] is something that we all have to participate in, and... an attack against one of us in Arizona should be seen as an attack against all of us in Arizona. And that includes all of our local governments, all of our private-sector companies. We should be looking at this from a holistic, really, truly whole state approach.”
Action Item: Prioritize Easy Security Tools for Busy Government Employees
If you don’t already have cybersecurity awareness training at a state, local, and municipal level, prioritize it. Furthermore, deploy easy-to-use tools like email encryption and secure file transfer software to give employees the ability to do the right thing with the constituent data they’ve been entrusted with. From government forms to criminal justice data, student transcripts to job applications — SLG departments need truly easy tools to get the job done.
2. Treat Cybersecurity Like Homeland Security
“Governor Ducey said that cybersecurity is Homeland Security,” said Murray. “Arizona is a border state. So that's very heavily top of mind and something that Homeland Security is heavily involved with. There's the drug crisis happening across the nation. We've got other issues that our Director has to focus on, which is one of the main reasons I exist in the first place, is so I can focus solely on the cyber mission. But realistically, it's something that's sort of unique here in Arizona, having that elevated perspective and that elevated voice to be able to take [cybersecurity] directly to the policymakers and executives who can help drive that mission.”
Action Item: Apply for Cybersecurity Funding and Advocate for Budget
Advocate for cybersecurity dollars at every level of government, and take advantage of grant programs like the SLCGP (State and Local Cybersecurity Grant Program) when they arise. Cybersecurity is a critical need that deserves buy-in and budget. There’s plenty of evidence that Zero Trust security is a priority from the federal level on down, with White House executive orders and increasingly strict regulations for government contractors. Nation-state-sponsored cyber attacks are also on the rise, and SLG organizations house information that his highly valuable to hackers. It’s urgent to advocate for proactive data protection and breach prevention.
3. Align Efforts to Established Standards and Frameworks like NIST
“It needs to be an open line of communication with the community to talk about what are our next priorities and whether that's aligning to the NIST cybersecurity framework, whether that's looking at other frameworks like the CIS critical controls, how do we prioritize, what do we look at next. And what controls do we want to add that can greatly reduce the additional risk across the state of Arizona?” said Murray.
Action Item: Don't Reinvent the Wheel — Lean on NIST Standards and Zero Trust Architectures
While starting from zero with whole-of-state efforts can be daunting, you already have organizations like NIST creating frameworks that you can align to, helping you prioritize the highest-impact areas. A few good places to start when it comes to your state’s data:
-
- Determine the necessary frameworks and compliance standards (e.g., NIST, CJIS) that your state’s organizations need to meet.
- Map out what constituent and agency data lives where (e.g., PII, PHI, CJI, CUI, and other sensitive information).
- Determine what identities need access to that data, and consider how you can restrict access to sensitive data to those who have a true need to know.
- Explore how you can create a framework across similar organizations and entities, without teams needing to reinvent the wheel. Additionally, explore technologies and platforms that are extensible, scalable, and versatile, allowing you to reduce vendor sprawl.
4. Turn Attention to School Systems
“[K-12 schools] are significantly underfunded across the nation, just sort of as a baseline,” said Murray. “The typical funds that they get for school districts come through E-rate, which specifically does not cover cybersecurity protections … We made this a specific focus as part of our Cyber Readiness Program, as well as ensuring that was included as part of [our SLCGP application], because we know that they're seeing the same threat actors attack them, the same nation-state actors, the same cyber criminals. And they're woefully unprepared to defend against those, just like other local governments.”
Action Item: Assess Educational Cybersecurity Practices, Student Data Protection, and Risk
Examine the disparate systems and data protection methodologies across school systems across your state, and look for opportunities to consolidate efforts. What tools and practices can you deploy across multiple systems and technology platforms? What state- and federal-level data security standards are they expected to meet (e.g. FERPA, HIPAA, or New York Ed Law 2-D)? You’ll also want to look for interoperability in the tools you select: Choose solutions that work on Mac and Windows, Outlook and Gmail, and for internal and external data-sharing needs. Teachers and admins often need to share things like Individualized Education Plans (IEPs) with parents and families, so take those end users into account, as well.
5. Turn Up the Heat On Layered Security
“Looking at those assumptions of trust between… our systems, our people, our data, and how do we best protect those? I think we can absolutely at least make it way more difficult for attackers, for these threat actors to try to come after Arizona and frankly, they'll go elsewhere … if we make Arizona, let's say, financially unfeasible for attackers to go after, they will stop, for the most part, coming after us. And as we start looking more and more at — let's put people behind bars, let's start looking at convictions, let's work with law enforcement to share information with them … To make it infeasible for threat actors to do significant damage or significant harm to both our public sector and our private sector and our critical infrastructure. And, you know, hopefully that's a reality sometime in my lifetime.”
Action Item: Put Protections on the Data Itself, Not Just Networks
Make it tough — even “financially unfeasible” — for bad actors to access your sensitive data. If you’re following Zero Trust standards, you also want to make it tough for internal employees — well-meaning people — to access sensitive data they don’t need to access. This will help reduce your risk. One area where security strategies go wrong is that they focus only on the perimeter of an organization. You want layers of security that protect your perimeter as well as endpoints, applications, and — critically — the data itself.
Strengthen Your Whole-of-State Approach with Virtru
Ready to protect your state, local, municipal, and tribal government organizations with data-centric security? Virtru makes it easy, with a suite of solutions trusted by hundreds of state and local government organizations, school systems, and federal agencies:
To book a demo and see how Virtru can support your state and local government needs, contact our team to start the conversation.
