Governance Structures

The incredibly complex challenges inherent to cybersecurity require a whole-of-state approach guided by multiple agencies. The state chief information officer may lack authority to enact cybersecurity measures across the executive branch, and a major cyberattack will demand close coordination between National Guard cyber units, state police and private companies. Formalizing communication pathways between critical stakeholders and ensuring they do not break down is indispensable for a truly strategic approach to state cybersecurity.

When Creating a Governance Body, What Steps Should Governors Consider?

STEP 1: Conduct a Statewide Risk Assessment

A risk assessment will provide direction by establishing the baseline risk to state operations, organizations and individuals resulting from cyber threats. It identifies vulnerabilities to state information assets, internal and external threats to those assets, consequences if the threats exploit the vulnerabilities, and resources available to mitigate those vulnerabilities. The findings will determine the composition of the governance body based on members’ abilities to mitigate risks and vulnerabilities.

State Example: Appointing a Chief Cyber Advisor

Connecticut, Rhode Island and South Carolina are among the few states that have appointed a single cybersecurity advisor. Connecticut’s cyber security risk officer is responsible for enhancing cybersecurity prevention and protection efforts in the state. Rhode Island’s cybersecurity officer is tasked with developing and implementing a cybersecurity strategy throughout the state. Lastly, South Carolina’s cyber executive leads the state’s cybersecurity program and oversight group.

STEP 2: Choose the Mechanism for Creating the Body

Consider the legal and policy implications when establishing the body through an executive order, legislation, or a simple convening, and when naming the body (e.g., commission, task force, council). Accounting for political realities, sunset rules, freedom of information statutes, and budgetary requirements will result in more realistic timelines and make candid discussion of sensitive matters possible among task force members.

State Example: Virginia Governance Body

Virginia Governor Terry McAuliffe signed an executive order in 2014 to establish the state’s Cybersecurity Commission. The order identified the composition of the commission and its roles and responsibilities. A second order was signed in 2015 to continue the commission’s work, which concluded with a report of recommendations to improve cybersecurity in the state.

STEP 3: Scope the Purpose of the Governance Body

Will the body focus on state networks alone, or will it study the private sector? Will it simply offer recommendations, or craft and operationalize a strategy? In the latter case, an executive order or legislation should explicitly authorize the body or its individual members to mandate specific actions by government agencies. Governors should avoid duplicating roles and responsibilities that already exist within agencies. The governance body should complement existing functions and leverage them to fulfill its own unique mission. Lastly, the body should include a legislator who is familiar with relevant issues and who can champion potential legislative action.

State Example: Governance Bodies

In West Virginia, the governor’s Executive Information Security Team is responsible for “reviewing any deficient audit findings and rectifying the conditions to a satisfactory status.” Likewise, Maryland’s Cybersecurity Council is responsible for assisting infrastructure entities in complying with federal cybersecurity guidance and assisting private sector cybersecurity businesses in adopting, adapting and implementing the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

What Can Governors Do?
  • Conduct a risk assessment to identify the threats posed to the state (including non-IT threats), the vulnerability of assets, the consequences of those threats materializing, the resulting risk to those assets, and the resources available to mitigate threats;
  • Create a governance body through executive order, legislation, or ad-hoc convening based on the state’s statutory and regulatory requirements, such as sunset clauses and freedom of information acts;
  • Select members of the body based on their expertise and their authority to implement a statewide cybersecurity strategy;
  • Include at least one legislator to serve as a champion for potential legislation;
  • Consider providing specific authority or requesting a budget for the body to implement policies;
  • Examine current agencies’ roles and responsibilities to avoid duplication of efforts; and
  • Consider appointing a new advisor to manage cybersecurity for the state, tasking an existing officer with such responsibilities (e.g., the homeland security advisor or CIO), or spreading authority across agency leadership.