Developing a Cybersecurity Strategy

Governors need a foundational statewide strategy to guide their cyber efforts. If state agencies each decide their own cyber goals and objectives, a lack of statewide coordination is likely to be a significant vulnerability. A single plan will ensure unity of effort and a stronger cybersecurity posture.

STEP 1: Convene Stakeholders and Conduct Risk Assessments

Convene agency heads, private sector partners, critical infrastructure owners, the higher education community, and other relevant stakeholders to discuss cybersecurity needs and priorities. Either before or after the initial meeting, stakeholders should conduct a broad risk assessment that identifies their technology, budget, workforce and incident response gaps. This will ensure that the strategy is risk-based and not created simply to check off a series of boxes to comply with standards. Lastly, agency heads and policymakers should attend all convenings themselves, rather than deputizing subordinates, to facilitate quicker decision making. (See Governor’s Guide – Governance Structures).

State Example

Iowa is a model example of how a governor can convene stakeholders to create a statewide cybersecurity strategy. In 2016, former Governor Terry Branstad signed an executive order to convene various agency heads to create a strategy that covers nine specific goals.

STEP 2: Create S.M.A.R.T. Objectives and Assign Responsibilities

Objectives in the strategy must be specific, measurable, attainable, relevant and timely. Each objective should also have a designated stakeholder who is responsible for completing it.

  • Specific: The objective accomplishes a tangible and precise outcome that is identifiable.
  • Measurable: The objective can be verified, and progress can be tracked and evaluated.
  • Attainable: The objective can be achieved with current resources.
  • Relevant: The objective can be tied to the goal and the overall vision.
  • Timely: The objective articulates when it will be accomplished.

STEP 3: Communicate the Strategy to the Legislature and Public

Announce the strategy through a public event or press release to inform the public of what the state intends to accomplish to make citizens and organizations more secure. Secondly, brief the legislature on the strategy and solicit its feedback. The legislature’s support will be critical to ensuring that objectives are met.

State Example: The Need to Engage the Legislature

To implement their recommendations, Virginia’s Cyber Commission focused on getting 12 bills passed, and nine were ultimately signed into law. Some of those laws include clarifying language regarding search warrants, examination of computers, networks and other electronic devices; establishing a STEM Competition Team Grant Program and Fund; and strengthening language to protect private sector critical infrastructure providers who wish to share sensitive information with state authorities. Lastly, the commission held a series of public forums to engage the public and receive their input.

STEP 4: Monitor Progress

Once a strategy has been established, it is necessary to track progress of implementation to ensure accountability. Issues that should be tracked include cyber incidents, progress on major initiatives, and budget requests. Michigan has developed a dashboard that effectively tracks these issues, which it publishes to give citizens a better understanding of how the state is managing cyber threats. Another example is Illinois’ approach. Its strategy contains a grid showing how each objective aligns with the NIST Cybersecurity Framework, shown below.