How SecurityStudio Solves the Top Priority for State CIOs

s2 state cios


Each year, the National Association of State Chief Information Officers (NASCIO) conducts a survey of state Chief Information Officers (CIOs). In the survey, state CIOs are asked to identify and prioritize the top policy and technology issues facing state government.

The top priority for state CIOs in 2021 is “Cybersecurity and Risk Management”.

This is great news because the SecurityStudio (S2) platform was specifically built for cybersecurity and risk management in state government. S2 wasn’t just built as a solution for this issue, it was built to be the best solution for this issue.

SecurityStudio is the best solution for tackling cybersecurity and risk management in state and local government.

In this short paper, we’ll demonstrate why SecurityStudio is the best platform to solve 2021s top state CIO priority.

NASCIO Survey Results

Since 2014, eight years in a row, “Security”, “Security and Risk Management”, or “Cybersecurity and Risk Management” have been the top priority for state CIOs. Under the heading of “Cybersecurity and Risk Management” are the following topics:

  • Authority and executive support
  • Budget and resource requirements
  • Data protection
  • Determining what constitutes “due care” or “reasonable”.
  • Governance
  • Insider threats
  • Risk assessment
  • Security frameworks
  • Third party security practices as outsourcing increases
  • Training and awareness

The topics supporting the top CIO priority for the past eight years are all fundamental information security concepts.

NASCIO Survey Results

The SecurityStudio (S2) platform was developed to simplify cybersecurity risk management fundamentals for everyone. Simplify does not mean we’ve taken shortcuts, in fact, our platform is the most comprehensive platform on the market. Simplify means we’ve taken unnecessary complexity out of the equation. The truth is complexity is the worst enemy of security.

There are four integrated tools on S2:

  • S2Org – The organizational risk management tool for measuring risk across administrative, physical, and technical controls. The ability to “nest entities” makes S2Org flexible and scalable for any application.
  • S2Vendor – The third-party information security risk management tool leveraging integration with competitive tools and S2Org.
  • S2Team – The personnel information security risk management tool leveraging personal habits measured through S2Me.
  • S2Me – The FREE personal information security risk management tool for people at home. States are using S2Me as a community education initiative too.

NOTE: We’ve also developed S2School, a K12-specific version of S2Org.

s2 state government

Knowing that you can’t manage what you can’t measure, S2 uses the S2Score risk management metric throughout. To date, more than 5,000 organizations in public and private sectors use S2 and the S2Score to objectively measure cybersecurity risk.

SecurityStudio to Solve the Top State CIO Priority

There were ten (10) topics mentioned in NASCIOs publication, and here’s how S2 addresses each one.

s2score 621

Authority and executive support

Executive management (CIO, legislature, Governor, etc.) isn’t likely to read a lengthy report full of technical jargon, but they will actively embrace concise scorecards and easily understood metrics. They want the assurance of knowing scorecards and metrics are justified by loads of technical detail, but they want to be spared the detail. Obtaining executive support with S2 is simple.

Budget and resource requirements

Budgets justified by risk decisions and objective metrics are much more likely to be approved, giving state CIOs and CISOs the confidence to deliver. It’s a great feeling to have an answer to the question, “What will we get for our money?”

executive management risk treatnment decision

Data protection

Information security is managing risk to unauthorized data disclosure, modification, and destruction. Data protection risks are built into S2. Using the program correctly will lead the state to making the best data protection investments.

Determining what constitutes “due care” or “reasonable”.

According to ALM’s Legal Dictionary, the term “due care” is defined as:

the conduct that a reasonable man or woman will exercise in a particular situation, in looking out for the safety of others. If one uses due care then an injured party cannot prove negligence.

There is no better way to demonstrate due care than by prudently managing information security risk throughout the state. Using objective metrics, automated processes, and full accountability within S2, demonstrating “due care” couldn’t be any simpler. Risk management is reasonable, risk ignorance is probably less so.


Everyone has a role in information security, from the Governor to citizens, from the CISO to the System Administrator, and from the legislator to the common worker. Good governance must be established for a functional cybersecurity “program” and S2 (leading with risk) is the perfect guide.

s2 management responisibilities

The CISO should never be left to do it all. S2 is designed with distributed accountability as its core, allowing a CISO to distribute common assessments to various agencies, facilities personnel, etc. Once the assessments are completed, the CISO can make effective risk decisions and hold people accountable for making all necessary positive changes throughout state government.

s2 company profile

Insider threats

Every organization deals with insider threats and there is no easy solution. The only legitimate approach is a holistic one driven by good governance and solid processes. S2 accounts for protecting against insider threats by measuring the state’s adherence to good practice.

s2 insider threats

Risk Assessment

We can’t manage risk unless we’ve assessed it first. Risk assessments form the basis by which we make sound risk decisions and measure meaningful mitigation (or similar) progress.

s2 risk assessments

Security Frameworks

If there’s one thing our industry has, it’s frameworks (and standards)! The challenge isn’t in understanding the framework(s), but it’s in implementing and managing against it/them. S2’s content was derived from the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and mapped to several others.

s2 security frameworks

Third party security practices as outsourcing increases

Third party information security risk management is handled by the built-in S2Vendor tool and integrated into the state’s S2Org for a full accounting of information security risk. Using S2Vendor is flexible, allowing for roles such as Vendor Relationship Manager, Vendor Risk Manager, and others.

s2 vendor dashboard

Training and awareness

The world was flipped on its side (or maybe upside down) when COVID 19 hit in early 2020, and some people say things will never be the same. When it comes to information security training and awareness, S2 was already ahead of the curve, before the pandemic.

s2 team dashboard

People are creatures of habit and they follow the same habits regardless of where they are, at home or in the office. S2Team takes aggregated and anonymous data from S2Me (our free personal information security risk management tool) and gives state CISOs unprecedented insight into true employee behavior. S2Me has the added benefit of motivating personnel to adopt better cybersecurity habits for themselves while the state benefits in the process.

Why SecurityStudio is Best

SecurityStudio is the best tool for tackling the top state CIO priority bar none. The S2 platform was built with simplicity, scalability, distributed accountability, and countless other features to revolutionize the way states manage information security.

Contact you representative to see a demonstration, register trial accounts, and/or arrange for a proof of concept (POC) today!

ss logooo

We are always here to serve.

Evan Francen, email:

To learn more about SecurityStudio, our tools, or our #MissionBeforeMoney, visit us online at


Estimate your score or book free demo today