State workers more engaged with security since pandemic, CISOs say
October is National Cybersecurity Awareness Month, one of those bureaucratic observances that looks good on an organizational calendar, yet is only as effective as people allow it to be. But in an environment in which working from home is the new normal, state employees have actually become more aware of cybersecurity, two statewide chief information security officers said during a webcast Thursday.
Speaking during a Scoop News Group event about post-pandemic IT, Colorado CISO Deborah Blyth said that her team, even with everyone working remotely, has become more engaged with other state agencies, especially those involved in rolling out new digital government services.
“We have a heightened awareness of how important security is,” Blyth said, noting that a near-universal remote-work environment means there are far more endpoints for malicious actors to target. “[Other agencies are] reaching out to me and asking, ‘Can you please get involved? Come to our staff meeting.’”
Blyth said that effect has been especially true with a new agency Gov. Jared Polis created earlier this year to tackle digital service delivery.
“We’re constantly trying to shift left, to get the security team engaged a lot sooner in projects,” she said. “Making sure all those innovative products they’re creating have security.”
Texas CISO Nancy Rainosek said her state government, too, is placing greater emphasis on IT security in its long-term planning. While Texas is more federated than Colorado — with each agency containing its own in-house tech shop — Rainosek said that the Department of Information Resources recently got the budgetary and legislative go-ahead to implement multi-factor authentication statewide.
Working remotely on an open-ended basis has influenced DIR’s strategic planning, she said.
“It kind of makes us stretch ourselves and think more strategically about the future,” she said. “Thinking about the workforce, thinking about how we go about making changes, particularly during our budgeting cycle and legislative cycle.”
One proposal under consideration, Rainosek said, is to train a group of employees at each government organization to be “cybersecurity champions” who would help train their coworkers on cybersecurity hygiene and to be mindful of security protocols in new applications and new contracts, potentially relieving the burden on overstretched IT teams.
“I go back to the education piece,” she said. “You can’t be in every meeting when it comes to developing an application or a contract. Coming up with a program to train people further through tools we have available or what you can find through the federal government, they can help in the meetings you can’t be in.”
Despite the constant challenges COVID-19 has thrown at the public sector, the pandemic has made the culture of state government much more security-focused, Blyth said.
“We’re in such an exciting time,” she said. “We’ve been able to accelerate the digitization of so many government services. While people are thinking about security, remote workers, it’s just a wonderful opportunity for security to be involved in this process.”