• Featured Partner

      Doug Robinson
      Executive Director
      National Association of State Chief Information Officers (NASCIO)

      State governments are at risk! Today’s headlines are filled with stories of cybersecurity incidents and their disturbing impact on both public and private sector organizations. As a result, governors and other elected officials must be prepared to respond quickly to restore public trust. For states, the question of a cybersecurity incident is not if, but when.

      The states are facing persistent challenges in cybersecurity because of several factors, but most importantly these four key issues:  inadequate enterprise strategic direction, constrained security budgets, increasing sophistication of the threats, and lack of cybersecurity professionals.  What should be the priorities for states?  First and foremost, NASCIO recommends states organize for success with a clear and authoritative governance structure that includes all appropriate stakeholders (and not just technology leaders).

      Only by making cybersecurity a priority for state leaders, organizing for success and embarking on innovative collaborations with public and private sector entities will states be in a position to address the continuing onslaught of cybersecurity risks.

      Contact Information
      201 East Main Street, Suite 1405
      Lexington, KY 40507
      O 859.514.9153
      M 859.229.0518

      www.nascio.org | @NASCIO

Creating Cybersecurity Strategies to Prevent Data Breaches Across the States

Committee of Jurisdiction: Emergency Preparedness, Cyber, and Homeland Security



Between 2005 and 2014, there were 4,695 security breaches exposing 633 million records, according to the nonprofit Identity Theft Resource Center. The average cost of a breach to an organization is estimated at $3.5 million.  So far in 2015, there have been 400 data breaches nationwide.  These data breaches have exposed over 115 million people and put their information at risk at the hands of identity thieves and hackers.  Data breaches are slowly becoming common occurrences, with the most recent breach at the Office of Personnel Management (OPM) impacting more than four million people, a number that is expected to rise once ongoing investigations are completed.  Cybersecurity, the body of technologies, processes, and practices designed to protect networks, computers, and data from security threats or attacks, is becoming a more prevalent issue for the federal government and the states.  As more sensitive personal information becomes computerized, the government and the private sector must take steps to prevent personal or state information from being stolen.

Federal Action

Recognizing a need for increased vigilance in cybersecurity, President Barack Obama issued the Executive Order Promoting Private Sector Cybersecurity Information Sharing, aimed at creating a more cooperative framework for combating security threats by having private industries share information with each other when breaches occur.  Congress has also introduced a flurry of bills designed to increase information-sharing on cybersecurity threats, and state attorneys general have pushed back on federal data notification laws as being preemptive of state notification laws.

State Action
Because state agencies often hold valuable personal information, such as social security numbers, birth certificates, and tax records, data security is a paramount concern.  However, states often lack the funding to carry out security plans that would provide them with the most protection.  As a result, state agencies, such as the state employment department in Oregon, the public health and human services agency in Montana, and the state revenue department in South Carolina, get breached, exposing millions of people to potential fraud.[1]  Because 21 percent of African Americans work in the public sector, this leaves vulnerable communities even more vulnerable and susceptible to identity theft.  Identity theft can be extremely hard to remedy once it occurs.  Moreover, data breaches that impact an agency’s records and accounting can have a devastating effect on payroll or pension files.  Fighting cybercrime can come down to three areas: 1) robust preventative measures, 2) data breach notification, and 3) strong training and staffing.  Currently, 47 states have a cybersecurity plan in place; Alabama, New Mexico, and South Dakota do not have strategies (unsurprisingly, the Alabama legislature suffered a data breach earlier this year).  However, these plans vary greatly in their level of effectiveness.  A study by the National Association of State Chief Information Officers (NASCIO) found that some states have security plans that barely scratch the surface, while others are leading the pack in fighting cyberattacks.  Utah and Vermont have the least effective plans on cyber threats.  Other states, like Maryland, have a better idea but have not fully fleshed it out.  The more vigilant security plans rely on metrics to assess how well their plans work.  Colorado and Delaware have delineated ways of measuring their plans, which are not limited to the technology but also extend to ensuring their training protocols make their staff well-prepared.
This same study found that Idaho and Mississippi were the leading states in cybersecurity.  Both states adopted, in whole or in part, standards developed by organizations like the National Institute of Standards and Technology (NIST).  The Cybersecurity Framework developed by NIST lays out methods by which states can protect their networks from data breaches.

Hiring and retaining staff is also a major issue for states.  Because of the nuanced set of skills required for information technology (IT), state governments often lose top talent to the private sector.  In a study conducted by the National Association of State Chief Information Officers (NASCIO), nearly 92% of states noted that salary and pay grades created the biggest challenges to hiring and keeping employees.  86% of states said they had trouble recruiting people to fill vacant slots.  In order to fill these empty desks, some states are reviewing job classifications and offering better work schedules.  Others are providing work incentives such as performance awards, tuition reimbursements, and signing bonuses.  States, such as Maine, are also working with colleges and universities to create pipelines with students in their IT programs.

Among states looking to augment their cybersecurity protections, many have introduced bills expanding the definition of personal information to include medical information; requiring business or government entities to report data breaches to state attorneys general or another central state agency; requiring entities to implement security plans; and requiring educational institutions to notify parents or government agencies about security breaches.  These measures are ways in which states are looking to decrease cyber-attacks and protect their residents’ information.

Our lives are increasingly lived online.  In the same way that state and federal buildings provide security guards and metal detectors to protect against physical threats, governments must protect against growing virtual dangers.  Whether they originate at home or abroad, cybercrimes will continue to pose a threat to our nation unless federal, state, and local governments take steps towards fortifying our networks and ensuring cyber safety.

  • National Association of State Chief Information Officers (NASCIO): A nonprofit, 501(c)(3) association representing state chief information officers and information technology executives and managers from the states, territories, and the District of Columbia.  NASCIO provides state CIOs and state members with products and services designed to support the challenging role of the state CIO, stimulate the exchange of information and promote the adoption of IT best practices and innovations.
  • National Institute of Standards and Technology (NIST): Founded in 1901 and now part of the U.S. Department of Commerce, NIST is one of the nation's oldest physical science laboratories. It was established to remove a major handicap to U.S. industrial competitiveness at the time—a second-rate measurement infrastructure that lagged behind the capabilities of the United Kingdom, Germany, and other economic rivals. Today, NIST measurements support the smallest of technologies to the largest and most complex of human-made creations.
  • Privacy Rights Clearinghouse: Our mission is to engage, educate and empower individuals to protect their privacy. We identify trends and communicate our findings to advocates, policymakers, industry, media and consumers.


1. Jenni Bergal, “Hiring Cybersecurity Staff is Hard for States,” Stateline, The Pew Charitable Trusts, May 11, 2015.