Money’s great, but it’s not everything, state CISOs say

Federal aid is welcome, but organizations need to be mindful of their maturity levels, the CISOs of Illinois and Washington said during an online event.

A pair of state chief information security officers said Wednesday that while the prospect of more cybersecurity funding is always welcome, it’ll take more than a blank check to defend government networks and infrastructure. Recruiting professional talent and developing security models that can be repeated by less-mature organizations, like local agencies, is also essential, especially as government emerges from the COVID-19 pandemic, they said.

“Being able to bring forward legacy systems, there is now and will remain a funding issue,” Illinois CISO Adam Ford said during the panel hosted by the Advanced Technology Academic Research Center, a government IT think tank. “It’s funding and staffing.”

State and local governments are currently receiving $350 billion in federal aid that passed as part of the $1.9 trillion American Rescue Plan that President Joe Biden signed earlier this year. State IT officials, like New Hampshire Chief Information Officer Denis Goulet, have called that money a “huge opportunity” as it — unlike previous rounds of coronavirus relief — can be used flexibly across government.

Yet when the ATARC moderator, former Michigan Chief Security Officer Dan Lohrmann, polled the virtual audience on how their agencies would use their funds, a 39% plurality admitted they did not know. Vinod Brahmapuram, Washington state’s CISO, said that’s a good thing.


“Do we want funding? Of course. Who says no?” he said, adding that it was an improvement that the American Rescue Plan funding has fewer constraints on how it can be applied.

But, recalling how he approached the job after his October 2019 appointment, Brahmapuram said government organizations need to evaluate their cybersecurity progress before signing checks.

“The first thing I wanted to do here was take that high-level view of the entire landscape,” he said. “Where are we on that timeline?”

Brahmapuram said that as he started developing a cybersecurity plan in Washington, he also realized that what might work for the state government might not translate to local governments that ask for assistance during a breach. One solution, he said, is to develop processes that can be scaled to fit a less-mature entity.

“How do we create a repeatable process? What can we do at a state level that can be done by local agencies without having to reinvent the wheel?” he said.


One way that philosophy manifests itself, he explained, is that while the state Office of CyberSecurity follows the framework published by the National Institutes of Standards and Technology, Brahmapuram advises less-resourced local governments to follow the less complex — but still widely recognized — set of controls recommended by the nonprofit Center for Internet Security.

Meanwhile, the field of challenges that state CISOs face continues to get bigger and nastier, Ford said, especially in light of the pandemic.

“We’ve had to adapt to threats that five years ago I don’t think state government was ready to face,” he said. “It’s been a year none of us expected we’d run into. It just keeps escalating.”

In particular, Ford pointed to the rising number of ransomware attacks against local governments, schools and — most recently — critical supply chains. “They’ve attacked a pipeline, and this week, maybe worse, they attacked bacon,” he said.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed is the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He has written extensively about ransomware, election security, and the federal government's role in assisting states, localities and higher education institutions with information security.

Latest Podcasts