2023-2024 SLED Cybersecurity Priorities Report

Welcome to the 2023-2024 SLED Cybersecurity Priorities Report

A note to readers from the SLED CPR Executive Director Curt Wood.

Benefits of WoS cybersecurity for SLED

Adopting a WoS approach can strengthen and enhance cybersecurity infrastructure across state and local government and the education sector. A report examining WoS cybersecurity implementations notes that in one state, “The CIOs agree that a cooperative approach is the best way to ensure an adequate defensive posture across disparate state and local entities, where the availability of skills and resources can vary widely.”

The combined purchasing power of collaborative approach enables participating organizations to obtain more and better cybersecurity tools. Having the same solutions consistently and widely deployed simplifies and reduces complexity.

Information sharing and collaboration between various state agencies and departments and education institutions is a benefit of WoS cybersecurity that can lead to more efficient use of resources, and better coordination between various departments and agencies. The exchange involves shared situational awareness and common threat intelligence, which can help groups identify and respond to cybersecurity threats quickly and effectively.

“In a good Whole-of-State program, you can collect your data in such a way that you have uniform standards regardless of where that data sits, providing the opportunity to implement better and more reliable analysis with that data,” explains Tina Carkhuff, Industry Advisor at Splunk and former CIO for the City of Houston.

Risk awareness, management, and mitigation efforts are enhanced through WoS. The enhancement is accomplished by a comprehensive and coordinated approach to risk management, which can help identify and prioritize cybersecurity risks and develop effective risk mitigation strategies.

A WoS strategy also improves compliance with regulatory standards. Many states and local governments and education institutions must comply with various cybersecurity regulations and standards. WoS cybersecurity can help support compliance by promoting a more holistic, synchronized approach to cybersecurity, while not compromising individual agency compliance requirements.

For more information on the benefits and challenges of a WoS cybersecurity, download the 2023-2024 SLED CPR.

Strategies for implementing WoS cybersecurity

One of the key strategies for implementing WoS cybersecurity is to establish a governance framework. This framework should define the roles and responsibilities of various state agencies and departments, education institutions, and private sector partners, as well as the policies and procedures for information sharing and collaboration.

Another element of WoS strategy is to build an integrated cybersecurity strategy. This strategy involves a complete and collaborative approach to cybersecurity that includes shared situational awareness, common threat intelligence, and integrated risk management, combined with a standardized incident reporting and response framework. A well-defined cyber incident response playbook that outlines the basics of incident management protocols is helpful when coordinating responses across multiple agencies, jurisdictions, and incident locations.

Developing a culture of cybersecurity awareness is essential for implementing WoS cybersecurity. This involves educating employees, contractors, and stakeholders on the importance of cybersecurity, and promoting best practices for cybersecurity hygiene and awareness. Another essential component of cybersecurity culture is the need to ensure our political and executive leadership (state, local, and education level) own and lead on this front.

Effective WoS cybersecurity also depends on deploying advanced cybersecurity technologies. This includes threat intelligence platforms, security information and event management (SIEM) systems and endpoint detection and response (EDR) tools.

For more information on how to evangelize WoS Cybersecurity and the State and Local Cybersecurity Grant Program (SLCGP), download the 2023-2024 SLED CPR.

The landscape of cyber talent in state and municipal governments

Recent trends in staffing paint a picture of organizations struggling to close gaps in cybersecurity roles. A report from govtech.com notes, “CISOs are grappling with talent gaps and weak relationships with local agencies. The latter has emerged particularly as an obstacle to whole-of-state cybersecurity and new federal grants requiring collaboration with local partners.”

In a 2022 NASCIO report, 62% of CISOs surveyed agree that personnel don’t have the knowledge, skills, and behavior to meet all the current and anticipated cybersecurity requirements. In the same survey, 50% of CISOs shared that there just aren’t enough available cyber professionals.

Download the 2023-2024 SLED CPR for more information on the key challenges in attracting and retaining cybersecurity talent in SLED and the impact of staff turnover on cybersecurity operations.

Create a robust talent retention strategy

Recruiting and supporting candidates with diverse backgrounds and experiences can improve the odds of building skilled teams in this competitive market. SLED organizations that are succeeding with this strategy have four common practices including:

• Build a positive and inclusive cybersecurity culture
• Recognize and reward cybersecurity excellence
• Provide opportunities for professional growth and advancement
• Implement flexible work arrangements and work-life balance initiatives

Read more about these practices by downloading the full report.

Lessons from the field

As the Chief Information Security Officer for the state of North Dakota, Michael Gregg understood the importance of effective talent development and retention. He worked with leadership to promote cybersecurity education, embedding it into the curriculum from kindergarten through high school. The initiative not only builds a foundational understanding of cybersecurity but also nurtures future professionals.

Gregg emphasizes the value of engaging youth through innovative programs like Cyber Madness.

Additionally, Gregg stresses the significance of providing a comprehensive learning environment, offering exposure to a wide range of security tools and duties—a unique advantage of the public sector over the private sector.

Another key aspect of the strategy implemented in North Dakota is its focus on developing soft skills alongside technical expertise. By training cybersecurity professionals in effective communication and presentation, organizations are better equipped to articulate complex ideas and findings, an essential skill in this field.

The programs in North Dakota also emphasized efforts in promoting diversity and inclusion, particularly in increasing participation from underrepresented groups. This focus underscores the importance of a diverse and inclusive cybersecurity workforce.

The programs and initiatives implemented in North Dakota by Michael Gregg offer a holistic and innovative approach to addressing the challenges of recruiting and retaining cybersecurity talent in SLED organizations, blending education, skill development, diversity, and technological advancement.

Benefits and pitfalls of cyber insurance

We have found that cyber insurance can be a valuable tool in some cases, but it’s essential to fully understand the potential pros and cons to make an informed decision. Here are some of the key advantages and potential challenges of cyber insurance facing public sector organizations.

Benefits of cyber insurance

• Financial risk mitigation
• Incentive for enhanced cybersecurity
• Expertise and post-breach services
• Training and awareness resources

Potential pitfalls of cyber insurance

• Limited and varied coverage
• Potential for complacency
• Rising costs and affordability
• Complex claims and disputes
• Overreliance on insurance in decision-making

Learn more about these benefits and pitfalls, determining the right amount of cyber insurance, hybrid approaches to insurance and more, by downloading the full report.

Leveraging partnerships and collaborations

An increasing number of SLED institutions are leveraging partnerships and collaborations to enhance cybersecurity capabilities. By sharing threat intelligence, best practices, and resources, public institutions can build a more robust defense against cyber threats. These collaborations typically provide access to expertise and technologies that individual institutions might not be able to afford on their own. These partnerships can take various shapes, from formal agreements with government agencies and industry partners to informal networks of cybersecurity professionals. Collaborations can also extend to participating in national and international cybersecurity initiatives, which can provide additional resources and insights.

What's Working?

Finding, applying, and maintaining good threat intelligence is a complicated task. When threat intelligence is good, its useful shelf life is short because adversaries change tactics quickly to evade detection. For stale threat intelligence sources, it’s important to remove those from inventory to prevent false positives. Despite complexities, there are a few techniques that are gaining traction.

1. The constellation SOC

The Constellation SOC (security operation center) is named after the graphical view of a network map connecting disparate SOCs for the purpose of shared threat intelligence. Each SOC may have its own technology, staff, and mission. However, there’s value in sharing intelligence between SOCs for the collective good of the region. This could be sharing threat intelligence between a community college system and state government or water utility and a research lab. The thinking is simple. Regionally or industry specific, these organizations see events that others should know about and sharing the emerging intelligence only stands to benefit all stakeholders. Some of the most successful sharing consortiums have set up a memorandum of understanding between like-minded entities. This includes leveraging technologies such as Sigma to connect disparate systems for sharing emerging indicators of attack or indicators of compromise.

2. Sharing meta data or better yet, sharing the search

One concern of everyone is oversharing. It’s critical to have some parameters on information sharing to avoid sharing sensitive information. Historically we’ve relied on Stix or Taxii feeds as our vehicle. However, for some organizations and agencies with similar security analytics stacks, sharing the search format allows a little more detail than a regular threat feed. When it comes to search format dissection the results can be of more value to Security Analysts. An analyst can see the log source required, the expected data source extracted, and perhaps the characteristics of the indicator of attack. This allows the analyst to adjust the search format to match local instantiations and indexes of security analytics tooling for relevant and timely identification of emerging intelligence.

3. Leaning on MSSP's and MDR providers

When an MSSP (managed security service provider) or MDR (managed detection and response) company has expertise in one vertical and has multiple clients under management, it can create a scenario where emerging threat intelligence at one organization benefits all other clients. This of course comes with the caveat that one service provider is capable of threat aggregation, so it’s up to each consumer to ask the right or relevant question and conduct a thorough purchase evaluation. The benefit of this approach is that it moves a conversational threat brief to a technical and tactical identification of attack, which is the most valuable form of cyber intelligence.

Prediction 1: Target on their backs

In the SLED sphere, organizations will face increased cyber attacks from nation-state actors and hacktivists, who will target their critical infrastructure, sensitive data, and public services. These attacks will aim to disrupt operations, extort ransom, or influence political and social agendas. SLED organizations will need to invest in advanced threat intelligence, incident response, and cyber resilience capabilities to counter these threats.

Prediction 2: AI-driven threat hunting becomes standard

With the increasing sophistication of cyber threats, SLED agencies, which often operate with limited resources, will likely turn to AI-driven threat hunting tools. These tools can autonomously sift through mountains of data to identify potential threats before they manifest as actual breaches. By 2024, such proactive measures will become a standard part of the cybersecurity toolkit within the SLED market segment, not just a nice-to-have feature.

Prediction 3: Education sector targeted by Ransomware-as-a-Service (RaaS)

Schools and universities are gold mines of personal information and intellectual property, yet they're traditionally under-protected. We foresee a sharp rise in targeted ransomware attacks, particularly through RaaS models, which enable lower-skilled hackers to lease ransomware from more experienced attackers. This could result in an increase in disruptions to educational institutions, prompting a more aggressive cybersecurity posture.

Prediction 4: Trust nothing, verify everything

SLED organizations will embrace zero trust as a security paradigm, shifting from perimeter-based to identity-based security models. Zero trust will require entities to verify the identity and context of every user, device, and request before granting access to their resources. This will help them reduce the attack surface, prevent unauthorized access, and mitigate insider threats. Zero trust will also involve implementing multi-factor authentication, encryption, micro-segmentation, and continuous monitoring.

Prediction 5: Cybersecurity talent grows in-house

Faced with a perennial talent shortage and high competition for cybersecurity professionals, state and local governments and educational institutions will start cultivating their own cybersecurity workforce. Expect to see more in-house training programs, apprenticeships, and partnerships with local universities and coding bootcamps to grow their cybersecurity capabilities organically.

Prediction 6: Cybersecurity mergers and acquisitions surge

As threats grow more complex, smaller SLED agencies will struggle to keep pace. This may lead to a trend where these agencies will partner with larger, more technologically advanced entities through mergers or acquisitions—a path less tread in the public sector. This would enable smaller agencies to benefit from the cybersecurity infrastructure of larger bodies, ensuring better protection against cyber threats.

Prediction 7: All for one, one for all

SLED organizations will increase their collaboration and information sharing on cybersecurity issues, both within and across sectors. Whole-of-State cybersecurity initiatives will gain momentum, and organizations will form networks and alliances to exchange best practices, threat intelligence, and incident response support. Organizations will also participate in joint initiatives and exercises to improve their preparedness and coordination. This will help them build trust, foster innovation, and enhance collective defense against cyber threats.

Splunk Inc. (NASDAQ: SPLK) turns data into doing with the Data-to-Everything Platform. Splunk technology is designed to investigate, monitor, analyze and act on data at any scale.

Learn more at splunk.com/publicsector.

Zscaler (NASDAQ: ZS) accelerates digital transformation so customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange protects thousands of customers from cyber attacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SSE-based Zero Trust Exchange is the world’s largest in-line cloud security platform.

Learn more at zscaler.com.

Recorded Future is the world’s largest intelligence company. Recorded Future’s Intelligence Cloud provides complete coverage across adversaries, infrastructure, and targets. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future provides real-time visibility into the vast digital landscape. It empowers countries and organizations to take proactive action to disrupt adversaries and keep their people, systems, and infrastructure safe. Headquartered in Boston with offices and employees around the world, Recorded Future works with more than 1,500 businesses and government organizations across more than 60 countries.

Learn more at recordedfuture.com.

NuHarbor Security is a leading national cybersecurity services firm, supporting the diverse needs of hundreds of clients with clear, comprehensive, and outcome-based solutions. We support only best-of-breed security technologies with thoroughly trained and vetted analysts. We make cybersecurity easier for our clients by integrating the most comprehensive set of security services in the market, from compliance and offensive testing to award-winning 24×7 managed security operations. What’s more, NuHarbor advisors analyze information from multiple sources to deliver the most well-informed strategies for building, improving, and maintaining your cybersecurity program.

NuHarbor makes it easy to secure what matters most to you. Learn more at nuharborsecurity.com.