There has been talk lately about pending federal legislation on cybersecurity and the potential for some national standards on how data is protected.
It seems that individual states also need to get into the act because apparently, state agencies believe risk management works in a vacuum. According to an article at SearchSecurity.com, security programs in state government lack oversight across agencies and there are little to no direct reporting lines from agency security offices to the state CISO. Robert Westervelt wrote:
Many state CISOs lack the authority to ensure personally identifiable information (PII) is protected in all agencies and departments, according to a new study that analyzes cybersecurity readiness at the state level. The lack of authority is resulting in the failure of states to adequately measure the effectiveness and progress of security programs and security program management, according to the 2010 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study.
Improving security is going to be tough, unfortunately, since most states are in fiscal trouble. The article says that of the 49 states participating in the survey, nearly half saw a security budget decrease in 2010, even though security makes up only 1 percent to 3 percent of the overall IT budget. The outlook doesn't look much better for 2011.
When you think how much PII state governments hold, it would be nice if states could make security a higher priority. Or at least come up with a security policy that encourages conversation between agencies so everyone is working toward the same goal.