Information Security Strategic Plan
State government has seen an uptick in attacks, which are more sophisticated and targeted
You can read the Information Security Strategic Plan below or download a PDF version here.
Information Security exists to help business leaders understand and manage complex technology risks. Business leaders have a fiduciary obligation to protect data from unauthorized loss, disclosure, or alteration, and they must make certain that their systems are available when needed – particularly during times of crisis. Facing an onslaught of catastrophic breaches, business leaders strive to meet new compliance pressures as regulators respond with more mandates. In this increasingly complex and hostile world, business leaders need a trusted advisor to help them succeed and protect their reputation. Information Security fills that role.
Information Security faces unprecedented challenges and extraordinary opportunities. Advanced attacks are becoming more sophisticated and more common, testing the limits of existing capabilities. Businesses’ push to digitize compounds the problem and significantly expands the volume of sensitive organizational data vulnerable to attack. These and other trends put great pressure on public and private sector Chief Information Security Officers (CISOs) to develop new strategies and tactics for success.
More than half of CISOs in the United States believe an advanced attack will affect their organization in the next year. The pervasiveness of these threats means CISOs must quickly develop cutting-edge threat intelligence competencies while also improving response plans for when the worst occurs. Every day, attackers use sophisticated tools and techniques to test the defenses of the State of Minnesota and other government entities. Unfortunately, many government entities are not up to the challenge. The result is costly and embarrassing data breaches that erode citizens’ confidence in government and cost significant dollars.
Both government and private sector organizations see significant increases in cybersecurity losses due to breaches and reductions in worker productivity. Organizations in the United States now have average annual cyber-crime losses of $15.4 million, according to the Ponemon Institute’s 2015 Cost of Computer Crime Study. This is a 19 percent increase from 2014 and double the average loss rate of other industrialized nations. A key finding in the report is that deploying advanced security technologies significantly reduces cybersecurity losses.
Intense public, media, and regulatory focus on cyber-attacks has sharpened senior executive interest in Information Security. Because of this, the National Association of State Chief Information Officers (NASCIO) named Information Security its number one priority for two consecutive years. NASCIO also spearheaded three studies over the past four years with a leading consulting firm to highlight funding and governance issues that inhibit the effectiveness of state security programs. Information Security has even become a significant issue at the state leadership level, demonstrated in July when 38 governors, including Minnesota’s Governor Mark Dayton, signed a compact pledging their commitment to bolstering cybersecurity defenses in their states.
State government has accrued a substantial cybersecurity debt from years of underinvestment
On average, state governments spend about two percent of their IT budget on cybersecurity, compared with the five percent or more spent by the private sector and federal government civilian agencies. While state government spending has been static, Gartner recently announced that worldwide spending on cybersecurity has been increasing at a rate of seven to nine percent. It is clear that organizations across the globe are setting the cybersecurity bar higher in response to more advanced and persistent threats. Organizations that do not keep pace are accruing a cybersecurity debt that they eventually must pay to align with industry-accepted best practices.
Although the Information Security Strategic Plan does not specifically call for more spending to make security “bigger,” it outlines steps that must be taken to make security “better.” This plan prioritizes the initiatives for the management, control, and protection of the state’s information assets. It identifies 18 major strategies that Minnesota IT Services (MNIT) hopes to achieve over the next five years, resources permitting. The plan also highlights specific milestones for the ensuing year, things that MNIT expects to accomplish with existing resources.
The plan organizes strategies and milestones in four chapters:
- Proactive Risk Management
  - Activities to prevent adverse security events.
- Improved Situational Awareness
  - Activities to increase understanding of the state’s ongoing cybersecurity posture.
- Robust Crisis and Incident Response
  - Services to continue uninterrupted in a crisis.
- Partner for Success
  - Building formal relationships with other entities that are part of the broader cybersecurity ecosystem.
In the complete plan, five-year strategies are distinguished from current-year tactical milestones. Addressing the five-year strategies will require assistance from policymakers and business leaders, who are ultimately accountable for cybersecurity risk and who authorize spending levels for the state’s Information Security Program.
The complete plan also highlights strategies and milestones that address extremely high-risk areas, denoted with a special caution symbol and yellow highlighted text. Resource constraints make it necessary to classify many of these extremely high-risk areas as five-year strategies rather than items to address during the current fiscal year.