How SecurityStudio Solves the Top Priority for State CIOs
Introduction
Each year, the National Association of State Chief Information Officers (NASCIO) conducts a survey of state Chief Information Officers (CIOs). In the survey, state CIOs are asked to identify and prioritize the top policy and technology issues facing state government.
The top priority for state CIOs in 2021 is “Cybersecurity and Risk Management”.
This is great news because the SecurityStudio (S2) platform was specifically built for cybersecurity and risk management in state government. S2 wasn’t just built as a solution for this issue, it was built to be the best solution for this issue.
SecurityStudio is the best solution for tackling cybersecurity and risk management in state and local government.
In this short paper, we’ll demonstrate why SecurityStudio is the best platform to solve 2021s top state CIO priority.
NASCIO Survey Results
Since 2014, eight years in a row, “Security”, “Security and Risk Management”, or “Cybersecurity and Risk Management” have been the top priority for state CIOs. Under the heading of “Cybersecurity and Risk Management” are the following topics:
- Authority and executive support
- Budget and resource requirements
- Data protection
- Determining what constitutes “due care” or “reasonable”.
- Governance
- Insider threats
- Risk assessment
- Security frameworks
- Third party security practices as outsourcing increases
- Training and awareness
The topics supporting the top CIO priority for the past eight years are all fundamental information security concepts.
NASCIO Survey Results
The SecurityStudio (S2) platform was developed to simplify cybersecurity risk management fundamentals for everyone. Simplify does not mean we’ve taken shortcuts, in fact, our platform is the most comprehensive platform on the market. Simplify means we’ve taken unnecessary complexity out of the equation. The truth is complexity is the worst enemy of security.
There are four integrated tools on S2:
- S2Org – The organizational risk management tool for measuring risk across administrative, physical, and technical controls. The ability to “nest entities” makes S2Org flexible and scalable for any application.
- S2Vendor – The third-party information security risk management tool leveraging integration with competitive tools and S2Org.
- S2Team – The personnel information security risk management tool leveraging personal habits measured through S2Me.
- S2Me – The FREE personal information security risk management tool for people at home. States are using S2Me as a community education initiative too.
NOTE: We’ve also developed S2School, a K12-specific version of S2Org.
Knowing that you can’t manage what you can’t measure, S2 uses the S2Score risk management metric throughout. To date, more than 5,000 organizations in public and private sectors use S2 and the S2Score to objectively measure cybersecurity risk.
SecurityStudio to Solve the Top State CIO Priority
There were ten (10) topics mentioned in NASCIOs publication, and here’s how S2 addresses each one.
Authority and executive support
Executive management (CIO, legislature, Governor, etc.) isn’t likely to read a lengthy report full of technical jargon, but they will actively embrace concise scorecards and easily understood metrics. They want the assurance of knowing scorecards and metrics are justified by loads of technical detail, but they want to be spared the detail. Obtaining executive support with S2 is simple.
Budget and resource requirements
Budgets justified by risk decisions and objective metrics are much more likely to be approved, giving state CIOs and CISOs the confidence to deliver. It’s a great feeling to have an answer to the question, “What will we get for our money?”
Data protection
Information security is managing risk to unauthorized data disclosure, modification, and destruction. Data protection risks are built into S2. Using the program correctly will lead the state to making the best data protection investments.
Determining what constitutes “due care” or “reasonable”.
According to ALM’s Legal Dictionary, the term “due care” is defined as:
the conduct that a reasonable man or woman will exercise in a particular situation, in looking out for the safety of others. If one uses due care then an injured party cannot prove negligence.
There is no better way to demonstrate due care than by prudently managing information security risk throughout the state. Using objective metrics, automated processes, and full accountability within S2, demonstrating “due care” couldn’t be any simpler. Risk management is reasonable, risk ignorance is probably less so.
Governance
Everyone has a role in information security, from the Governor to citizens, from the CISO to the System Administrator, and from the legislator to the common worker. Good governance must be established for a functional cybersecurity “program” and S2 (leading with risk) is the perfect guide.
The CISO should never be left to do it all. S2 is designed with distributed accountability as its core, allowing a CISO to distribute common assessments to various agencies, facilities personnel, etc. Once the assessments are completed, the CISO can make effective risk decisions and hold people accountable for making all necessary positive changes throughout state government.
Insider threats
Every organization deals with insider threats and there is no easy solution. The only legitimate approach is a holistic one driven by good governance and solid processes. S2 accounts for protecting against insider threats by measuring the state’s adherence to good practice.
Risk Assessment
We can’t manage risk unless we’ve assessed it first. Risk assessments form the basis by which we make sound risk decisions and measure meaningful mitigation (or similar) progress.
Security Frameworks
If there’s one thing our industry has, it’s frameworks (and standards)! The challenge isn’t in understanding the framework(s), but it’s in implementing and managing against it/them. S2’s content was derived from the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and mapped to several others.
Third party security practices as outsourcing increases
Third party information security risk management is handled by the built-in S2Vendor tool and integrated into the state’s S2Org for a full accounting of information security risk. Using S2Vendor is flexible, allowing for roles such as Vendor Relationship Manager, Vendor Risk Manager, and others.
Training and awareness
The world was flipped on its side (or maybe upside down) when COVID 19 hit in early 2020, and some people say things will never be the same. When it comes to information security training and awareness, S2 was already ahead of the curve, before the pandemic.
People are creatures of habit and they follow the same habits regardless of where they are, at home or in the office. S2Team takes aggregated and anonymous data from S2Me (our free personal information security risk management tool) and gives state CISOs unprecedented insight into true employee behavior. S2Me has the added benefit of motivating personnel to adopt better cybersecurity habits for themselves while the state benefits in the process.
Why SecurityStudio is Best
SecurityStudio is the best tool for tackling the top state CIO priority bar none. The S2 platform was built with simplicity, scalability, distributed accountability, and countless other features to revolutionize the way states manage information security.
Contact you representative to see a demonstration, register trial accounts, and/or arrange for a proof of concept (POC) today!
We are always here to serve.
Evan Francen, email: efrancen@stg-securitystudio-staging.kinsta.cloud
To learn more about SecurityStudio, our tools, or our #MissionBeforeMoney, visit us online at https://securitystudio.com
