Michigan’s CISO-as-a-service initiative is so popular the state might spin it off
Last year, Michigan began offering its smaller cities and counties cybersecurity help. The idea was that even if local governments became more reliant on technology, they might not be able to afford full-time information security personnel. Through offering assessments and remedies, the state effectively began offering its services as a chief information security officer for hire.
The program has been so successful for the nine local governments that participated, that the state’s top information technology officials are trying to find a funding model to continue it without having to worry about the finicky appropriations process run by legislators in Lansing.
“If you keep it at the state level, it needs to be appropriated every year,” Chris DeRusha, Michigan’s deputy chief security officer, told StateScoop. “One sustainable model is to turn it into a nonprofit.”
DeRusha said that after a presentation at the National Association of State Chief Information Officers Midyear Conference in Baltimore, where he and his colleagues described turning the CISO function into a shared service.
“They don’t come from counties that have a lot of money,” David DeVries, Michigan’s chief information officer, said of the communities that ask the state government for cybersecurity assistance. “How can they get at least an assessment?”
The program evolved from CySAFE, a program created in 2014 by the Michigan state government and five of its largest counties to develop a cybersecurity assessment tool for small and mid-sized agencies. As towns, cities, and smaller counties have started realizing their information security needs, though, they’ve sometimes struggled to come up with the funds to make upgrades.
“These [governments] have probably matured where they have the need, but not the money,” DeVries said.
The state IT office uses a chargeback model to pay for the assessments, collecting between $5,000 and $10,000 from each municipality that engages it, DeRusha said. The work actually patching cybersecurity holes incurs additional costs, though.
The smallest community using the CISO service is Springfield, about two hours west of Detroit with a population of 13,000 and a town government with only one full-time IT employee, said Andy Brush, the IT manager for Washtenaw County, one of the five counties that launched CySAFE. The biggest is Washtenaw County, which has a population of about 360,000 residents.
But DeVries doesn’t think his department can run this program directly forever. Thirteen of his employees are working on the CISO project, but with 83 counties and 533 municipal governments across Michigan, the potential list of clients might be too unwieldy for the state to manage on its own.
Spinning off the assessment service to a nonprofit endowment is one likely option, the Michigan officials said. That entity, in turn, could solicit the vendors that provide cybersecurity products and then report back to the local governments looking to make upgrades. But it’s crucial the organization conducting the initial assessments not be a for-profit concern, Brush said.
“The assessment being neutral is critical,” he said. “The services can come from wherever. If someone’s doing an assessment and selling something, that’s not neutral.”