How ‘smart cities’ push IoT cybersecurity for state and local IT

In the last installment of this column, we talked about cyber hygiene as a way to reduce security vulnerability. Now let’s turn our focus to cybersecurity, particularly as government gears up for the coming rush of the internet of things (IoT).
The threat recently became more real for state and local leaders. This past April, the emergency alert system in Dallas was hacked, with hurricane warnings starting just before midnight, activating 156 emergency sirens at once – 15 times over nearly two hours.
For that and other reasons, state and local governments are becoming more proactive in their approach to IT and cybersecurity, together spending more than the federal government. According to the research company e.Republic, state and local governments will spend some $101.3 billion on IT, with counties and states each increasing their budgets by about 1.5 percent. (By comparison, the federal government has budgeted about $90 billion.)
So cybersecurity is a top IT priority among CIOs at the state, county and city level. In general we can say that the priority has been triggered by a push toward IoT in the so-called “smart cities” development vision to integrate IoT with communications technology to better manage municipal assets.
To that extent, IoT is at a much more mature place at the state and local level than it is in the federal government or even private industry. State IT executives are more aware of IoT cybersecurity implications, because they’re dealing with industrial systems, facilities HVAC, appliances and the power grid, all of which are managed at the municipal level. To complicate matters, many connected municipal services, from public transportation to water purification, are both used and in some cases managed by private companies, so potential cybersecurity threats can come from many different intrusion points at once.
The risk and expense are high. At a recent seminar by the Center for Digital Government, Oakland County CIO Phil Berolini noted that the cost of a breach can be as much as $240 per record. Multiply that by the number of breaches in a typical attack, and the costs mount rapidly. LA County recently dealt with a 750,000 records breach, Berolini noted.
James Collins, Delaware’s CIO, explained that these actual and potential threats have put cybersecurity on legislative and executive radars. Because cyber is no longer relegated to being an “IT thing,” it actually opens the door for more practical solutions, Collins said.
Across the board, the real door opener for these and other CIOs is any discussion with the IT community on “baking in” cybersecurity into technology solutions. When cybersecurity maintenance costs are rolled into the tools that are actually included in IT budgeting, there’s more bang for the buck on infrastructure spending, with a higher level of security resilience. Because state and local IT leaders are still getting their arms around on-premise and off-premise cybersecurity, baked-in defensive tools are especially valuable in IT purchases.

Some advice for the IT vendor community: slow down

The accelerated interest in IoT in state and local government has led to something of a gold rush among technology companies, who are often guilty of prospecting in that market in all the wrong ways. Many times overzealous technology salespeople make calls without enough research, or promise things that are of no importance.
Wanda Gibson, CTO for Fairfax County, urged the vendor community to pay better attention to published information regarding government IT priorities and budget. “Do your research,” she said, and talk to the other county departments to know what matters most.
The all-too-common sales strategy of blanket emails requesting a first meeting out of the blue is just plain “creepy” for Travis County CIO Tanya Acevedo. Calls like that do nothing to help Acevedo sell technology up the ladder in the county. A softer approach is better, with roundtables or symposiums providing good information without feeling like salespeople are trying to shoot ducks in a barrel.
The slow, measured approach seems to be the right way to get traction in the state and local technology community. As Oakland’s Berolini explains, leading with the gold-plated solution is a “turn-off” for any future discussions. Berolini, like most IT leaders, advocates a consultative approach where vendors work to understand problems, rather than trying to force-fit a solution blindly.
It’s a balancing act, clearly, between government leaders working to implement IoT technology to better serve citizens quickly while ensuring that this rapid pace doesn’t introduce more security problems than it’s worth. While the vendor community is a valuable resource to address potential problems, they’re doing no one any favors by pushing their way into the process. CIOs have enough on their hands without having to fend off the advances of an under-informed partner.
With enough shared background and experience, the IoT phenomenon will take off for state and local government – and will provide valuable insight all the way up to the federal level.
Original article: By Lloyd McCoy Jr., CSO Magazine on May 23, 2017