Cyber success is about building ‘muscle memory,’ experts say

Working with jurisdictions that have varying degrees of cybersecurity preparedness can be a challenge, cyber leaders said last week, so coordination and partnerships are key.
Over two years ago, New York Gov. Kathy Hochul unveiled the state’s cybersecurity strategy, with an emphasis on the whole-of-state approach that prioritizes information sharing and recognizing common threats across the various levels of state government.
In practice, that means the state Division of Homeland Security & Emergency Services supports around 17,000 governmental organizations, from the largest cities to the smallest villages, as well as school districts and critical infrastructure, among others.
That can be challenging given their different needs, said Meghan Cook, director of the Cyber Incident Response Team and assistant director in the Office of Counter Terrorism, as it can mean helping a large city carry out a risk assessment, or a small village curb a phishing scam. Having workers at the state capable of handling those differing maturity levels is key for cyber resiliency, she said.
“When you have to be prepared for everything across the gamut, you really do need people who are able to help all types of organizations,” Cook said during a panel discussion at last week’s Rubrik Public Sector Summit. That means “constantly changing the message” depending on an organization’s cyber maturity, she said.
Whole-of-state cybersecurity strategies have gained popularity in recent years, especially as the federal government emphasized that states need to plan better for cybersecurity as part of the State and Local Cybersecurity Grant Program. Many state governments credit that popular $1 billion four-year initiative with helping them get all public sector agencies and organizations on the same page and thinking more deliberately about how to keep themselves safe.
But it hasn’t been an easy year in some other areas. Federal funding ran out earlier this year for the Multi-State Information Sharing and Analysis Center, a key place for governments to share information on threats and best practices. But even though that organization has moved to a membership fee-based model and the future role of the federal government in cybersecurity is unclear, states are pushing forward.
Eric Rotondi, New York City Cyber Command’s chief operating officer, said there are still plenty of resources to take advantage of, even indirectly. He pointed to the various advisories issued by the Cybersecurity and Infrastructure Agency, which the city uses as a “guidepost” for its own advisories and to help agencies develop that “muscle memory” around cybersecurity. But even in a well-resourced city like New York, it can be challenging, as agencies may not have the money or staff to act on those advisories. Cyber Command, then, helps fill those gaps and give agencies the support they need, Rotondi said.
Cyber Command also meets with each agency every year to build a roadmap matching their cybersecurity priorities, capacity and funding.
“That's really been a key way in which we've been able to align priorities, but also hold each other accountable, making sure that when either party says they're going to accomplish something, that we're able to do that,” Rotondi said. “That's been extremely effective, and I think has really allowed us to, in really short succession, raise the security posture across the board across all the city agencies.”
Both agreed that there are more conversations around cybersecurity, risk and resiliency being held by leaders across government organizations, not just by their technologists. Cook said that when finance directors understand the financial and business risks associated with a cyberattack, that makes it real for them.
“When I think about resiliency, I could talk about tools, but for me, it's the fact that there are more people in the organizations paying attention to this,” she said. “It's being discussed at a governance level. People are understanding risk in a different way, and when everyone is participating in that conversation and wanting to figure out how what they do in their job plays a role in protecting the organization, to me, that's progress. I have seen a tremendous amount over the last two years in that space.”




