A few weeks ago, we came across an article in CIO magazine announcing that the National Association of State CIOs (NASCIO), a trade group representing Chief Information Officers of U.S. states, plans to ask Congress for help with cybersecurity and regulatory issues this year. Specifically, NASCIO wants the Department of Homeland Security to reinforce its state-level cyber programs.
Given media reports about the vulnerability of our nation’s infrastructure and concerns about state (as well as county and city) preparedness to deal with a cyberattack, we wondered how this situation compares with the challenges being encountered by private firms. The results were eye-opening, to say the least.
State Cybersecurity Budgets Are Large, but Still Underfunded: The CIO article indicated that state CIOs allocate, on average, approximately two percent of their IT budgets for cybersecurity, some of which is spent safeguarding federal programs that the states administer. Let’s consider Florida, a middle-of-the-pack state in terms of budget at $77.1 billion, or $77,100,000,000.
Two percent of that figure is more than $1.5 million, but with those dollars allocated among myriad agencies, departments and operations statewide, the amount isn’t as much as it might seem. As NASCIO Director of Government Affairs Yejin Cooke noted in the article, “We hope our federal partners understand that our state resources, when it comes to cybersecurity, tend to be very low.”
Many Private Sector Organizations Are in Bigger Trouble: Private organizations appear to be in even worse condition. A May 2015 security spending and investments survey by the Ponemon Institute found that despite cognizance of threats at all levels (web applications and negligent insiders were the greatest threats reported), security practitioners are frustrated by the approaches to, and budgets for, cybersecurity.
Key challenges respondents cited were:
• Security budgets are inadequate: 43 percent of respondents indicated security spending was less than adequate to achieve a strong security posture.
• Security programs are not mature: 58 percent of respondents said IT security programs are either defined but only partially deployed or not yet fully defined.
• Compliance is impractical: 58 percent of respondents indicated they do not have sufficient resources to achieve compliance with security standards and laws.
Overall, the takeaway for both public and private sector entities is that current security funding levels are too low. Resources are strained or insufficient, purchases are inappropriate, delayed, or ineffectively deployed, and the problem continues to accelerate.
We at InterDev find this information to be deeply concerning. Cybersecurity analysts are predicting a watershed year for hackers, with connected devices increasing 30 percent to approximately 6.8 billion. (Connected devices connect directly to the Internet without human intervention.)
These devices, which form the “Internet of Things,” are at the heart of an explosion in device-to-device and machine-to-machine attacks that will add to the already threat-laden landscape. In this environment, firms that are underfunded and/or lack expert support—or even worse, have leaders who still underestimate the problem—are almost certain to become victims.