Unlike private sector companies, in local government we do not have a single line of business to support. Instead, we are supporting multiple lines of business, many of which have a direct impact on public safety: law enforcement and 911 centers, health and human services, transportation, building safety, coroner, elections, district attorneys, and utilities to name a few.
Locals don’t tend to be large enough entities to garner the sizable discounts our state, federal, educational and non-profit peers receive from vendors. Under the best circumstances, this makes acquiring security tools a significantly more expensive endeavor for local governments -- making our cyber security programs more expensive to develop and maintain. For many, it is a barrier to acquiring the technologies needed for a cyber security program.
Local governments typically rely on existing staff to lead cyber security activities. This is often because the budget is constrained and/or cyber has not been identified as something that requires a full-time effort within the organization. This often means there is a lone-cybersecurity-aware employee who works under another job title trying to move the dial on cyber security or there is no focus on cyber security at all.
Local governments are numerous and of incredibly varied sizes. There are thousands of local governments in the United States ranging in size from the very large like the City of Los Angeles with 100,000+ employees to the small like Washington County in Colorado with under 200 employeesor the Town of Dinosaur with only 6 employees.
And, while there is interest from the federal level and some states to provide support and guidance to local governments, organizations of their size struggle to understand both what it means to work in the local government space as well as how to help such a diverse set of entities. Because large-well-staffed organizations have trouble understanding our issues, they struggle to understand how they can help. This lack of understanding often results in well-meaning deliverables that are not useful.
With all of these seemingly insurmountable hurdles facing local’s ability to improve individual cyber security programs, there is one essential thing we have in our favor–our willingness to collaborate.
Collaboration is a means to at least two important ends. First, collaboration provides the lone (and often lonely) staff doing cyber security an opportunity to work with peers and create virtual teams. This ensures we are not wasting time reinventing processes or doing research a trusted peer has already done. Second, collaboration provides a way for our organizations to unite so that collectively we rival the size and influence of any major corporation garnering respect and negotiating power.
Collaboration doesn’t require that you have skills or knowledge to share, but it is not free. Collaboration requires effort and an ongoing commitment to work with others and become more knowledgeable. It is not something that happens for you or to you. It is adecision made; it is a set of actions taken to partner with othersto develop a set of goals and value propositions that benefits the whole.
Collaboration is a force multiplier.
And, let’s be honest-collaboration is not optional. Collaboration is the only method that will support all local governments maneuvering to a place of sufficient cyber security in an economical manner. Partnering means we each don’t have to build out our own extensive and expensive cyber security team, instead we can build teams that span jurisdictions and include all the expertise we collectively require.
I have the sincere pleasure to be partnering with a wonderful team of locals from jurisdictions all over the state of Colorado who are each working to improve their respective organizations cyber security program. I am a part of an rewarding virtual team that emails me advice when I ask for it, jumps for joy with me when things have gone well, commiserates with me when I’ve had a failure, and whom I trust unreservedly to be there if and when I need their help. I am endlessly grateful for each of them every day and my organization is more secure because of these relationships.
If you are in local government and you are not actively collaborating today, start-now. If you don’t know where to start, here are 2 ideas to get you going:
• Join MS-ISAC. (https://learn.cisecurity.org/ms-isac-registration) It is FREE and the most valuable organization facilitating state, local, tribal and territorial collaboration with the purpose of improving the overall cyber security posture of government across the nation.
• Make your own group. As you meet people at conferences, keep in touch and work together. If you don’t have contacts, MS-ISAC can help you identify contacts within your own state to get you started–email them at SOC@cisecurity.org
I stand by my statement that there is no harder place to “do cyber security” than in local government, but there is also no more rewarding space to be in for cyber.