Governors need a foundational statewide strategy to guide their cyber efforts. If state agencies each decide their own cyber goals and objectives, a lack of statewide coordination is likely to be a significant vulnerability. A single plan will ensure unity of effort and a stronger cybersecurity posture.
Convene agency heads, private sector partners, critical infrastructure owners, the higher education community, and other relevant stakeholders to discuss cybersecurity needs and priorities. Either before or after the initial meeting, stakeholders should conduct a broad risk assessment that identifies their technology, budget, workforce and incident response gaps. This will ensure that the strategy is risk-based and not created simply to check off a series of boxes to comply with standards. Lastly, agency heads and policymakers should attend all convenings themselves rather than deputizing subordinates, which facilitates quicker decision making. (See Governor’s Guide – Governance Structures.)
Objectives in the strategy must be specific, measurable, attainable, realistic and timely. Each objective should also have a designated stakeholder that is responsible for completing it.
Announce the strategy through a public event or press release to inform the public of what the state intends to accomplish to make citizens and organizations more secure. Then brief the legislature on the strategy and solicit its feedback. The legislature’s support will be critical to ensuring that objectives are met.
Once a strategy has been established, it is necessary to track the progress of implementation to ensure accountability. Issues that should be tracked include cyber incidents, progress on major initiatives, and budget requests. Michigan has developed a dashboard that effectively tracks these issues, which it publishes to give citizens a better understanding of how the state is managing cyber threats. Another example is Illinois’ approach. Its strategy contains a grid showing how each objective aligns with the NIST Cybersecurity Framework below.