The State of Information Security in Your State

State of Information Security
A simple, objective, measurable, and scalable standard for accountable risk management in state government.


The challenges facing information security (or “cybersecurity”) personnel in state government are endless. State Chief Information Security Officers (CISOs) are too often put in the unenviable position of trying to secure their state’s information assets without adequate support from their governor, legislators, agency heads, or the citizens they serve. The lack of support isn’t due to neglect or indifference, but due to the lack of effective communication, a fundamental understanding of information security risk, and accountability.

SecurityStudio works with state CISOs and governments to simplify information security risk management for optimal effectiveness, without taking shortcuts.

Every state is different

No two states among our fifty are the same.

Some states are more distributed than others. Some states have greater influence on county, city, and local municipal government than others. Some states govern education, both K12 and higher education, more closely than others. Although every state operates differently, information security fundamentals and logic are the same everywhere.

SecurityStudio engages with all states at various levels to make information security better for everyone.

The state of information security in the state

Without knowing where we are, how will we get where we need to go?

The question points to a common problem in state government, reinforced by a recent conversation between a state technology committee chair and our (SecurityStudio) team. The chair asked SecurityStudio to discuss cybersecurity concerns with the committee, but more specifically, the committee wanted to know what their state should do next with cybersecurity.

Chair: We’d like you to come to our next meeting and tell us what we should consider next and what other states are doing. What is our greatest cybersecurity concern today?

SecurityStudio: Good question. It’s fundamental. The state doesn’t know the current state of information security within the state. Furthermore, the state doesn’t know what the future state of information security should be, when it should get there, or how much it would cost.

Chair: What do you mean?

SecurityStudio: Let me ask you this question, do you know the current state of information security within the state?

Chair: No, not really. We’ve seen various reports, but nothing that indicates an objective view of information security across all of state government.

SecurityStudio: Nobody can determine a future state or make good risk decisions without defining where things sit today. The state needs to adopt a simple, objective, measurable, and scalable standard for accountable risk management, read more on the 4 steps here.

Without a current state, how will the state know if its spending on the right things, whether it’s getting an adequate return (in the form of reduced risk) or if it’s effecting proper accountability. We need to be more accountable to the citizens we serve.

Chair: Today, we justify how well we’re doing by how much money we spend on cybersecurity.

SecurityStudio: This is the wrong metric. $10M spent on ineffective or the wrong information security controls can be worse than spending no money at all. Information security budgets must be justified by risk, not by opinion or the latest trend.

We need to help our governor, legislators, CIO and CISO obtain better visibility into information security risk and provide objective justifications for our spending.

Chair: The state is a big, complex organization. How would we get our hands around it all?

SecurityStudio: We start simple and keep it simple, all without compromising quality or accuracy. There are seven simple steps:

  1. Obtain or create an inventory of administrative, physical, and technical components (or “entities”) that complete our state’s government.
  2. Define accountability for each entity.
  3. Perform simple, effective, and consistent risk assessments of each entity.
    • Using the standard definition of information security.
    • Using objective (binary) criteria.
    • With consistent, logical measurement and sensical scoring.
  4. Compile and communicate results with the governor and legislature.
  5. Make risk decisions (using measurement as our guide).
  6. Plan and budget, creating the state’s roadmap.
  7. Implement changes and measure progress.

We built an affordable software platform to manage and automate everything that can be automated. We can show you a demonstration during the committee meeting.

Chair: Excellent! This will be a great discussion. I’m excited to see what you’ll show us.

Most states have the same (or a similar) issues as those described in this real conversation.

How SecurityStudio helps with this problem

SecurityStudio was built specifically for fundamental information security challenges facing state CISOs.


The primary risk management tool on the SecurityStudio (or S2) platform is the SecurityStudio Organizational Risk Management Tool (or S2Org). For the current state of information security in a state to be accurate, the “state” or risk assessment score (S2Score) must represent risk across all state branches and agencies; however, it’s often necessary to go further.

Some states provide shared infrastructure and/or services to counties, cities, other municipalities, K12 education, and/or higher education. In shared resource cases, states leverage the many benefits of S2Org’s built-in “nested entities” function. The two most valuable benefits for states and state CISOs are:

  1. Accuracy. The most accurate representation of risk through measurements and answers provided by personnel who are best suited to provide them.
  2. Accountability. Distributed accountability for an entity (or portion of an entity) to responsible personnel for assessment and/or remediation with a few clicks.

Additional tools on the S2 platform used by state and local governments include 2Team and 2Me. 2Me is a free personal information security risk management tool for everyone. The State of North Dakota was the first state to make 2Me available to all their citizens through an ongoing awareness campaign called #BECYBERSMART. 2Me is available to all states as a white labeled option at no cost.

personal security risk assessment

2Team is used by employers (including the state itself and its sub-entities) to learn about employee information security habits at home, using data from 2Me. ONLY anonymous and aggregated data is shared with employers through the 2Team portal; however, the data can still be invaluable for helping employees secure themselves and/or their families better.

state government


Understanding and managing “the state of information security in the state” is NOW attainable for governors, legislators, agency heads, CIOs, CISOs, and our citizens who rely upon us to do our best.

From the current state:

  • The future state can be determined,
  • The time to reach the future state can be defined, and,
  • Cost (budget) can be justified and our spend can be quantified.

Information security management for state and local government cannot be made any simpler, more objective, more measurable, more scalable, more standardized, or more accountable than we’ve made it with SecurityStudio!

Before we close, we’re also affordable, leaving you with more money for remediation.

Contact SecurityStudio

We are always here to serve.


Estimate your score or book free demo today