July | August 2017

Protecting Data Starts with Education and a Plan

by Vinay Dattu
All screens are frozen. Constituents cannot communicate with their government agencies via phone, e-mail or their websites. Questions arise, and many assume it is a glitch in the system. Unfortunately, there was an undetected flaw in your state’s system and it is now a prime subject awaiting exploitation by cyber criminals.
At any given moment, your data can be hacked and sold to the highest bidder. Very likely, sensitive data can be stolen and corrupted, possibly bringing your entire organization to its knees. Neither of these outcomes is beneficial for your organization; the consequences can be devastating. It doesn’t take an information technology specialist to understand and be proactive in protecting your state’s cyber assets. In fact, assuring cybersecurity requires all members of an organization—including a state government—to protect themselves, their members and organization by asking a few simple questions and following procedures. What’s more, lawmakers share fiduciary responsibility to oversee the cybersecurity risks for a state.
This may seem overwhelming for state officials who don’t see themselves as technology specialists. But with some insight and education, leaders can develop a better understanding of the importance of and opportunity for cybersecurity development, producing a general framework that can aid in minimizing security risks for organizations, including state governments.
Cyberattacks are increasing in frequency and scope and are becoming more sophisticated, as evidenced in recent cyber breaches of dozens of banks and a New York dam by Iranian hackers that resulted in federal charges by the U.S. Justice Department. The potential for cyberattacks was also a point of discussion at the Nuclear Security Summit in Washington, D.C., where 29 participating nations pledged to establish a new initiative to address threats to nuclear cybersecurity.
The result of cyber breaches can be significant and far ranging. Impacts of a breach may include the loss and likely sale or publication of personal information such as Social Security numbers, home addresses, personal phone numbers, bank accounts, health records, emails and passwords. Customers, constituents, employees and households trust organizations—from private companies to state government entities—with this valuable information, and it is the responsibility of those organizations to ensure the protection of individuals’ information. Here is a quick snapshot of some recent cyberattacks and the scope of those affected by them.

Most users are aware of cyberthreats and have basic knowledge of them and the consequences that follow. These threats are often found in headlines as many major corporations and institutions have been affected. Almost all computer users have dealt with the frustration of spam, viruses and cyberattacks. Even on a very small scale, we all know how inconvenient it is to lose just a small amount of time on our home computers, tablets and smartphones.
How can leaders and state officials be better informed to make better decisions for their cybersecurity programs? Before we address the decision-making process, it would be beneficial to understand the definition of cybersecurity.
According to a 2013 report by the technology research firm Gartner, cybersecurity is the governance, development, management and use of information security, operational technology security, and IT security tools and techniques for achieving regulatory compliance, defending assets and compromising the assets of adversaries.

Cybersecurity is a journey and state leaders must take an active role in learning, promoting and protecting a state’s assets. Start with small steps and continue to improve throughout your journey.
As a first step, embrace the problem by asking probing questions:
What is cybersecurity and why is it important to me?
To put it simply—you have information in your organization that is waiting to be exploited by cyber criminals. This information can be exploited for monetary or political purposes or terrorist activities. As a state leader, it is your responsibility to protect the information entrusted by your citizens.
Where do I start?
A good starting point is to contact your information security director about your state’s cybersecurity program. A brief conversation can help individual departments and the state as a whole. The following questions may aid you in understanding the current cybersecurity program. Each question should be easily answered in terms that any employee can understand. If answers are unclear, chances are your state is at risk.
Once you have an understanding of your state’s cybersecurity program, then what? What are the next steps to take to ensure the state is taking appropriate action to deter cyberattacks? If one doesn’t already exist, request to have a committee developed for overseeing the cybersecurity program for your state. Ideally, the size of such a committee should be limited—consisting of no more than eight people—but having diversity in education and professional backgrounds is critical. A minimum of one high-level IT professional and a lawyer should be included in this committee for its success.
Clearly identify the purpose of the committee, which may include to:
Likewise, it is also critical to clearly outline the roles and responsibilities of the committee, such as to:
Enhancing security and protection of a state’s information system is a complex goal that requires the efforts of everyone—including leaders outside the office of chief information officer. To do so, however, state leaders should have a clear understanding of the definition of cybersecurity, the state’s current cybersecurity posture and, finally, a framework to promote and protect their state’s most valuable assets.
Cybersecurity is not all things IT, but it encompasses every aspect of state organizations. By understanding the current state, identifying gaps and challenges and creating a vision for the future of your state’s cybersecurity program, as a leader you will yield benefits that will keep your state, its employees and constituents safer. State employees responsible for protecting state information assets need you. Please lean in and help them!

About the Author

Vinay Dattu is the director of legislative information systems at the Tennessee Legislature, where he is responsible for managing and providing strategic direction and leadership in defining, establishing, supporting and operating the overall information systems infrastructure and services provided to the Tennessee Legislature. He previously served as the director of enterprise architecture for the Tennessee executive branch.