Thu, Jan 25, 2018

Cyber Resilience Framework for State Governments: A Call to Action

State government activities affect millions of lives every day, and central to all that activity is the collection, use, and storage of vast amounts and types of data. Protecting this data takes a herculean effort, but rather than planning strategically for cyber resilience, too often governments find themselves playing defense after a breach, data loss, or discovery of a critical vulnerability.

Certainly, this reactive stance is not unique to state governments; many private-sector organizations also spend most of their time and resources responding to attacks already in progress. However, consumer expectations, together with escalating remediation costs and reputational damage, are driving both private and public sector organizations to manage their cyber risks proactively.

Some state governments have started to heighten cyber security awareness throughout their constituent agencies and among stakeholders in a number of ways, including through policy changes. They are also collaborating with other government bodies as well as with the private sector to incorporate and implement best practices and cutting-edge technology.

A cyber resilience framework creates the foundation against cyber risk

Conducting a comprehensive cyber risk assessment is a proven best practice: it identifies the gaps that an attacker would exploit so they can be closed, or at least mitigated, before an incident rather than after one. However, many organizations, including state governments, struggle with knowing where to start and what to include in the assessment. In these cases, leveraging cyber-specific controls based on global standards and industry-recognized best practices can provide an assessment framework that is robust, agile, and sustainable.

For example, the CIS Critical Security Controls are industry-recognized guidelines that are regularly refined and informed by a global community of experienced IT and security professionals. The 20 controls are designed to lead organizations systematically through key activities that help them prioritize their strategy and resource allocation. The first five controls establish the foundation: inventorying the organization's hardware and software assets, maintaining secure configurations, continuously assessing and remediating vulnerabilities, and controlling the use of administrative privileges, which together address the most common ways systems are compromised. The remaining controls build further resiliency through policies, procedures, and technology-based solutions that remedy weaknesses, establish best practices, and continuously protect systems and data. These range from email and web browser protections, to limitation and control of network ports and services, to malware defenses and data recovery capabilities, to controlled access based on need to know.

Cyber resilience framework options

How a state implements the cyber resilience framework can take many forms, from completing detailed questionnaires to working through realistic scenarios in tabletop exercises facilitated by cyber experts. Tabletop exercises are particularly helpful because they often reveal weaknesses that a questionnaire will not, including single points of failure, gaps in security coverage, and confusion about who is responsible for what during an incident.

Among the many benefits of conducting a cyber risk assessment is the opportunity to build a tactical team comprising managers, support personnel, and other internal and external experts. For example, the team can draw members from internal departments such as IT, legal, risk management, human resources, and public affairs. Outside counsel and independent consultants who are experienced in cyber matters can also provide valuable guidance and insight.

Organization-wide input, collaboration, and buy-in are especially critical to help the state understand exactly what data it currently has and collects, where data is stored on its networks, and how it is used. The more state governments are armed with this knowledge, the more likely they will be able to apply, expand, or customize effective cyber security solutions.

Regardless of the format used, the cyber resilience framework must be part of a dynamic process that goes beyond yes/no questions. Ideally, it should provide a road map for more in-depth inquiries into the state's cyber security posture. By adopting a framework such as the CIS Controls, or an internally driven risk-based scoring system, the state can use the results of those inquiries to prioritize and direct investments where they will have the greatest effect.

With millions of people counting on state governments every day for critical infrastructure and services, protecting the data that drives these activities is imperative. However, cyber security that is mainly reactive in nature is not only ineffective, it is ultimately unsustainable. Taking a proactive approach to cyber security, starting with a cyber resilience framework, will help state governments safeguard lives and resources with long-term resiliency and strength.