This article was originally featured on the Checkmarx blog.
Within state and local governments across the US, citizens using online services can pay taxes and fees, register for libraries, register to vote, access educational services, and much more. However, this technological transformation is not without challenges. While it represents a revolution in access to citizen services for state and local governments, this has perhaps been at the cost of secure infrastructure and strategic planning.
In the last few years, attacks on SLED targets have risen in frequency and cost. These attacks hold government agencies to ransom for large sums and exfiltrate sensitive data, whether perpetrators are paid or not.
And while state and local government organizations are rapidly improving their cybersecurity posture to protect their systems, they suffer from significant differences in funding and preparedness and a lack of standardized policies. Often, they don’t take a centralized approach within the agency or work together to solve security issues – all while their systems are digitizing faster than their applications, security, and infrastructure can keep up.
Typically, state and local government agencies spend around three percent of the budget annually on cybersecurity, significantly lower than the federal government and the commercial sector. However, cyber-attacks are more frequent and creative than ever before, thanks to the distributed workforce and the expanded attack surface this creates. Unfortunately, state and local government agencies are a prime target because of the amount of citizen data they hold.
Now, more SLED agency departments need to work together to centralize security plans, share resources, budgets, and consolidate infrastructure. This collaboration and efficiency in resource planning, compliance, and cost control ultimately keep agencies one step ahead of cybercriminals.
What are State CIO Priorities?
To this point, NASCIO (National Association of State Chief Information Officers), a leading advocate for technology policy for state CIOs, recently published its top ten priorities. Cybersecurity and risk management was top of the list, advocating the need for CIOs to establish strong governance, budget, and resource requirements. Fifth on the list was budget, cost control, and fiscal management: strategies for cost savings and for dealing with inadequate funding and budget constraints. Consolidation and optimization, meaning the need for CIOs to centralize and consolidate services, operations, resources, and infrastructure, was also among the priorities.
However, this is easier said than done. States and counties vary significantly in the services they offer online, in revenue, and in legislative structure, so there is no one-size-fits-all answer. All agencies also face budgetary restrictions and shortages, compounded by the pandemic, which forced agencies to divert budgets to meet immediate security requirements and secure employee devices. The federal government has provided funding through the Coronavirus Aid, Relief, and Economic Security (CARES) Act to offset this spending, but that funding seems to be slow in coming, causing a squeeze on investment.
Therefore, the priority now is for agencies to look at the expanded attack surface and identify how they can keep data and apps more secure without spending money they don’t have. Most vulnerabilities originate in apps, but with multiple pressures, small budgets, and departments fighting for resources, application security is a task that often gets overlooked.
Taking a Centralized Approach to Application Security
So how can SLED CIOs achieve their target of improving cybersecurity while at the same time optimizing and consolidating the number of solutions in use and controlling costs? Centralized Application Security Testing (AST) is an excellent place to start.
Right now, larger state and local government organizations, which invariably have more budget, will already have AppSec tools in use, but these are often outdated and inflexible and can act as a brake on the development process. Additionally, many organizations facing budget limitations have opted to deploy open source freeware solutions deemed “good enough,” though they are not ideal. All too often, organizations use these tools to tick the compliance box rather than deploying them strategically to ensure long-term application security.
A centralized security plan and approach can help. Instead of working in silos, teams can work together to overcome budgetary constraints and reduce risk with a more robust process and system to combat attacks. Such a security plan should start by ensuring a solid resource plan that centers on preventing and remediating threats. The security plan should include investment in the latest technology that integrates with existing and future tools. By adopting a centralized approach to AST using a solution that integrates fully with the software development life cycle and delivers fast ROI, SLED agencies can improve software quality while reducing the number of different tools in play.
Since budgets are small in SLED, centralizing provides the opportunity to use economies of scale to help reduce costs. Better cost control, fiscal management, and risk reduction are additional benefits of choosing a solution that delivers best-fix locations and tips on resolving identified issues while expanding the skillsets of the agencies’ developers.