In March 2018, the city of Atlanta suffered a ransomware attack that compromised the data of their employees and anyone who conducted business with the state and ended costing $2.6 million in emergency contract efforts[1]. When Louisiana was attacked in November of 2019, 10% of the state’s servers were infiltrated and some 1,500 computers were damaged.  These examples demonstrate cybersecurity should be a top priority for procurement officers to protect the sensitive information of both vendors and staff. Understanding the issues and goals of your state Chief Information Security Officer (CISO) can pave the road toward a more productive working relationship and allow procurement officers to address increasing cybersecurity threats as partners.

To gain insight into the current state of cybersecurity, Deloitte Insights and the National Association of State Chief Information Officers (NASCIO) partnered to publish a joint report, “2018 Deloitte-NASCIO Cybersecurity Study: States at risk: Bold plays for change.” This report is considered the most comprehensive study of state cybersecurity spend and all 50 states participated in the survey.

The three main challenges facing CISOs are:

• Lack of Sufficient Cybersecurity Budgets
• Inadequate Cybersecurity Staffing
• Increasing Sophistication of Threats

To address the challenges this survey identifies,  three “Bold Plays” to accelerate change are proposed:

• Advocate for Dedicated Cyber Program Funding: Approximately half of US states do not have cybersecurity as a line item in their IT budget. CISOs should advocate for cybersecurity to be included in the budget as a separate line item to secure dedicated funds for new security regulations. This draws attention to the disparity in cybersecurity funding between the public and private sector and makes it easier to set a goal to dedicate more funding for cybersecurity.
• CISOs as an Enabler of Innovation, not a Barrier: The report points out that an important aspect of the CISO’s job is to guide the states when they implement new technological innovations such as Cloud services. They should “actively participate with the state CIOs” in order to shape the agenda and help program leaders embrace newly available technologies in a safe and secure way.
• Team with the Private Sector and Higher Education: CISOs should consider outsourcing work to private institutions in order to address competency gaps and difficulties associated with staffing.  A potential avenue for new talent could include partnering with academic institutions to establish internships, co-ops and apprenticeship programs to address emerging cybersecurity technologies.

Cybersecurity has been a hot button issue for private companies and citizens and as Louisiana Governor John Bel Edwards said, “It is the new normal to be honest with you and it’s not going to go away.[2] Click here to read the full report by Deloittee and NASCIO or click here to watch the webinar presentation for more information about how procurement officers can work with their CISOs.

[1] Newman, L. H. (2018, April 24). Atlanta Spent $2.6M to Recover From a $52,000 Ransomware Scare. Retrieved from https://www.wired.com/story/atlanta-spent-26m-recover-from-ransomware-scare/.

[2] Karlin, S. (2019, December 3). Some Offices Still Closed After Louisiana Ransomware Attack. Retrieved from https://www.govtech.com/security/Some-Offices-Still-Closed-After-Louisiana-Ransomware-Attack.html.