One of the many things that I love about my job as director of the Michigan Department of Technology, Management and Budget (DTMB) and state Chief Information Officer (CIO) is having the opportunity to speak to a wide variety of groups about how we’re improving technology to digitally bring state government to the people. At the end of my talks someone in the audience will inevitably ask, “What keeps you up at night?” and one of the first things that jumps to my mind is cybersecurity. After all, Michigan state government faces its fair share of cyber attacks. In fact, from January to April of 2014, more than 650,450 cyber attacks against the state of Michigan were blocked daily. That’s a twenty percent increase over the same period in 2013. As technology advances, so do the skills of would-be criminals.
Those of us who work in the Information Technology field know all too well the looming threat that a significant cyber attack poses to our nation. Just last August former Secretary of Homeland Security Janet Napolitano warned her predecessor that the United States will face, at some point, “a major cyber event that will have a serious effect on our lives, our economy and the everyday functioning of our society.”
Let’s face it; while cybersecurity is hot a topic that is front and center for chief information and security officers across the country, it’s not an issue that weighs heavily on the minds of most Americans, across the nation. People who are concerned about being prepared for a possible disaster such as a tornado, wildfire, flood, hurricane or earthquake are grossly unprepared. In fact, according to 2013 State University of New York Institute of Technology/Zogby Analytics study, only one in four Americans are concerned about an emergency situation like a terrorist attack, natural disaster or health pandemic. Far fewer are thinking about, let alone preparing for, a possible cyberattack.
“United States will face at some point a major cyber event that will have a serious effect on our lives, our economy and the everyday functioning of our society”
This is where we come in. As guardians of public data and private personal information, those of us working in government IT departments have to do everything possible to ensure that cybersecurity is a top priority for our enterprises. This is my opportunity to share some tips that have worked for the state of Michigan. One of the most important pieces of the puzzle for a successful cybersecurity initiative is executive buy-in. In order to launch and execute a successful cybersecurity strategy, you need support and commitment from your leadership. I’m extremely lucky in my position to have a boss (Gov. Rick Snyder) who not only fully understands the importance of funding IT, but who particularly understands just how vital cybersecurity is to public safety.
After securing executive support, make sure you partner with the private sector. In order to have a comprehensive cybersecurity strategy, it’s imperative to connect the dots between the two. Launched in November 2012, the Michigan Cyber Range allows for “live fire” exercises and simulations that will test the detection and reaction skills of participants in a variety of situations. The range has sites at Eastern Michigan University, Ferris State University and Northern Michigan University, a hub at the Michigan National Guard 110th Airlift Wing in Battle Creek, and two more hubs planned for unveiling later this year. The cyber range is a perfect example of how state government, public universities and the private sector (Merit Network) can partner together to prepare for possible real world scenarios. Successfully responding to a cybersecurity incident will require individuals from both the public and private sectors to work together and the cyber range, allows for and helps foster both cooperation and preparation.
Along the same line, another great tool to help drum up ideas and encourage cooperation across the state, is my “CIO kitchen cabinet.” This informal group of Michigan CIOs meets monthly to discuss a variety of issues, from cybersecurity policies to best practices to how to manage/implement a bring-your-own-device plan. While I originally started the group to help advice me in my new role as the state CIO back in 2011, the kitchen cabinet has transformed into an invaluable tool for me and the other CIOs involved. In 2012 I went to the group with the state’s cybersecurity challenge and came away with the Michigan Cyber Disruption Response Strategy to address significant cyber disruption events in the state.
Lastly, if you don’t already have a cybersecurity awareness training program in place to educate employees and ultimately help reduce security incidents as a result of user error, I strongly encourage you to consider the option. According to a recent study referenced by the Ecommerce Times, “an overwhelming 80 percent of corporate security professionals and IT administrators indicated that ‘end user carelessness’ constituted the biggest security threat to their organizations.”
People can have a significant impact in helping combat cyber attacks, but in order to achieve this goal you have to change user behavior, which requires making security awareness part of your enterprise culture. The awareness training program we’re using from Security Mentor has been well-received by our employees. To help change the culture in Michigan, we rolled out cybersecurity awareness training to roughly 47,000 state employees in 2012.
Cybersecurity is serious business, but with support, collaboration, partnership, education and forward-thinking, we can stand prepared for the challenges ahead.