Perspectives from Partners: National Governors Association Center for Best Practices

By Yejin Jang posted Feb 22,2017 01:07 PM


For this month's issue, we interviewed Timothy Blute, Program Director in the Homeland Security and Public Safety Division within the NGA's Center for Best Practices. This year, Tim has focused his efforts on the NGA's Chair's initiative or Governor McAuliffe's Meet the Threat: States Confront the Cyber Challenge which aims to help states develop strategies for strengthening cybersecurity practices as they relate to state IT networks.  Additionally, NGA will be kicking off their winter meeting February 24-27 where the issue of cybersecurity will be discussed; NGA will also be hosting cybersecurity focused meetings/summits in March and June as part of the Meet the Threat initiative. 

Please describe the NGA members. 

NGA is the bipartisan organizations of the nation’s governors. Through NGA, governors share best practices, speak with a collective voice on national policy and develop innovative solutions that improve state government and support principles of federalism. The Center for Best Practices, where I work, is NGA’s ‘think-tank’ for governors and their senior staff. The Center provides policy expertise on a wide range of issues includes health, education, workforce development, homeland security, energy, critical infrastructure, and of course, cybersecurity.

How do governors view cybersecurity?

Increasingly, governors see cybersecurity as both a threat and an opportunity for states. No longer is cybersecurity an IT problem, but rather governors see cybersecurity as a risk to the core functions of state government. This realization will only grow as more and more state functions rely on the Internet to deliver results.

Additionally, many governors see cybersecurity as part of the growing wave of new technologies that they can harness to grow their economy. A number of states have initiated workforce development programs, partnering with academia and the private sector, to grow the number of cyber-qualified graduates who can work for and start new companies in this space.

The chair’s initiative will end after this year, will “Meet the Threat” efforts continue?

NGA has been actively assisting Governors and their senior staff prepare for the growing cybersecurity threat since 2012, under the leadership of Michigan Gov. Snyder and Virginia Gov. McAuliffe. Our work under Meet the Threat is a reflection of Gov. McAuliffe’s year-long chairmanship of NGA and has allowed us to broaden the scope of our cybersecurity projects and foster improved awareness. We plan to continue to focus on cybersecurity policy after Gov. McAuliffe’s term as chair concludes and we’re actively planning the next phase of our work. No matter what form our work takes, our focus will remain providing governors the resources they need to improve their overall cybersecurity resiliency.

How can CIOs better work with our governors to enhance state cyber efforts?

I think the most important think CIOs can do is to translate cybersecurity into a language that governors can relate to. Rather than discuss how many attacks or intrusions were blocked or how many phishing attempts were identified, CIOs need to show governors that with more and more state business being conducted on networked systems, poor cybersecurity poses a direct risk to the core functions of state government. When cybersecurity is seen as a risk to how the state operates, it becomes much more evident that this problem must be adequately resourced.

Additionally, given that cybersecurity impacts all areas of state government, CIOs should work with other state leaders to help solve this challenge. States where CIOs collaborate with homeland security advisors, emergency managers, higher education leaders, budget directors, etc., are able to show a more united front to governors when they make policy recommendations. In the states that we are actively engaged with we recommend an enterprise-wide, team approach to cybersecurity.

When it comes to cyber, what do governors want to know?

Governors want to know how cybersecurity impacts the government, the private sector, and the citizen’s ability to go about their daily lives and function effectively. This means translating cybersecurity into risk, much like would be done with a natural disaster or a public safety issue. Additionally, when it comes to improving state cybersecurity, governors want to be presented with policy options that have a record of success (where possible) and have the widest range of support from across relevant state leaders. Finally, governors want to know that there is a plan in place to guide state response and recovery efforts should a significant or disruptive cyber event occur.

Any tips on how to communicate with governors? 

Given the fast paced nature of cybersecurity and technology, keeping up with each new trend or development is impossible for most people, certainly for senior policymakers. Considering this, there isn’t a universally applicable answer to how frequently governors need to be briefed or on what topics must be included. That being said, I think governors need to be kept apprised of any threats that may cause harm to citizens, businesses, and state government, including those in cyberspace. Each state has to determine, based on their own risk assessment, what the appropriate level of communication is.

Any last thoughts for NASCIO members?

From our perspective CIOs are doing a great job making cybersecurity a top concern with state policymakers and have made incredible gains given limited resources and an increasingly complex threat environment. We’ve been fortunate enough to work with a number of CIOs over the past years and look forward to continued partnership.

Resources referenced in this article: 
Meet the Threat: States Confront the Cyber Challenge 
NGA Resource Center for State Cybersecurity, which includes publications, such as: 
Federal Cybersecurity Programs: A Resource Guide
Act and Adjust: A Call to Action for Governors for Cybersecurity
State Roles in Enhancing the Cybersecurity of Energy Systems and Infrastructure