September 2020
Dear Washingtonians!
Each day seems to bring news of cyberattacks across the country, from ransomware to identity theft, that cause disruptions in service and enormous financial losses. Yet we still underestimate the true threat.
The most recent Verizon Data Breach Investigations Report had an interesting statistic that demonstrates this point. The study found that only four percent of data breaches were due to sophisticated cyberattacks.
In other words, 96% of data breaches were the result of simple attacks used by bad actors, such as phishing emails that trick people into providing account credentials. This shows many organizations are still failing to do the basic "blocking and tackling" that could prevent many of these attacks.
What this means is we all need to take cybersecurity a lot more seriously. Government in particular needs to upgrade cybersecurity as a business function, along with other top priorities including financial, operational and legal risks. We must weave cybersecurity into the fabric of our business.
With that in mind, I am advocating for a fundamental shift in this state. Washington, historically, has taken a federated approach to cybersecurity. This has led to the creation of multiple small armies to fight attackers - with each state agency largely responsible for its own security. While this may have worked in the past, I believe it will not be enough to protect the state in the future. Instead, we need to build one strong army to fight the threats.
So, what does that mean?
We need a threat-centric approach where everyone in government is working together to combat common threats because an attack on any single organization represents a potential threat to the entire enterprise. Instead of taking an action 50 times across agencies, we should only have to act once.
While I have heard concerns that a more centralized approach to cybersecurity could lead to delays in decision-making, I would argue that the opposite is true. I'm advocating for the state to improve its ability to make quick, enterprise- wide decisions based on risk.
I am working with chief information security officers at state agencies, as well as state lawmakers to garner the support to build this unified army in the State of Washington.
As with the state cybersecurity operational plan I outlined last month, I view this as foundational work required for continued improvement in the state's security posture.
Many challenges lie ahead including a large state budget shortfall, a severe shortage of cybersecurity professionals and finding new ways to protect sensitive information with state employees working remotely.
I believe we can meet these challenges by working together and emerge stronger as a result.
The state Office of Cybersecurity will be a strong advocate for agencies to have the resources they need to quickly address risks.
Here is my question for you: How has your approach to cybersecurity challenges changed compared to two years ago?
I welcome your thoughts and ideas and look forward to our continuing partnership to serve this great state. Thank you for all that you are doing.
Vinod Brahmapuram
State Chief Information Security Officer