Mobile devices do bring great utility in terms of convenience and allowing individuals to be “online all the time.” governments have widely deployed mobile devices for accessing resources and greater workforce productivity. However, the use of mobile devices for communicating and for sharing data create inherent security issues and add more points of access to the network. Mobile malware threats are certainly growing and a significant security concern with mobile devices is the loss of the device. Additional risks related to mobile devices are personal devices being used in the workplace and the authentication of the user. The national institute of standards and technologies (NIST) publication “guidelines for managing the security of mobile devices in the enterprise” (sp 800-124) outlines a number of items for government organizations should follow.

Traditional approaches were focused on preventive and risk-based protective measures. Risk-based meaning that the investment in security is a function of the perceived value of the information being protected. Those approaches continue to be necessary aspects of security. However, any more state government must include two additional capabilities: vigilance and resilience.

Vigilance is continuous monitoring for threats that give early detection. Resilience is the ability to respond and recover. These capabilities must be continually enhanced to anticipate the growing threat landscape.

People know about cyber security – but they don’t know enough to protect themselves. Most people may even understand the imperative for protecting data and the fact that cyber threats are getting worse. However, effective cyber security is an ongoing maturing capability for not only the government enterprise but for individuals who are employed by or served by the state government. This capability must be continually exercised, tested, and strengthened through awareness training to not only combat aggressive cyber threats, but also accidental, unintentional cyber events.

Yes. Cloud services promise to provide flexibility, scalability, measured service, and certain cost efficiencies, but also present additional security risks associated with authentication, access and storage of government data. The total economic cost and different security elements of cloud services must be fully understood when evaluating cloud computing in general and the various deployment models (public, private, hybrid, community). Consumer-based cloud services used by government workers present additional risks because they may not offer rigorous security controls.

Very significant. There has been an unprecedented growth of social media, personal cloud services, and employees utilizing personal devices and third-party applications. This parallels with high-profile stories on data breaches and even the government accessing citizens’ personal information. The issues cited by state chief information security officers include unauthorized access to personal information, compliance with state statutes on privacy, and managing information sharing with third parties.

The national initiative for cybersecurity education (nice) developed a workforce framework to provide educators, students, employers, employees, training providers, and policy makers with a systematic way for organizing the way we think and talk about cyber security work, and what is required of the cyber security workforce. The workforce framework is a national resource that categorizes, organizes, and describes cyber security work.

The best place to start maybe with the national institute of standards and technologies (NIST) cybersecurity framework. The framework is a guide that leverages current standards, guidelines, and best practices. The framework provides a common taxonomy and mechanism for organizations to:

• Describe their current cyber security posture
• Describe their target state for cyber security
• Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
• Assess progress toward the target state
• Communicate among internal and external stakeholders about cyber security risks.

The cyber- prefix generally denotes something to do with cyberspace, the virtual environment that consists of all networked computers, whose interconnections comprise the internet-of-things (IoT). For example, in the context of cybersecurity (= cyber + security) it is common to speak of cyber threats, cyber attacks, cyber defenses, and cyber countermeasures.

Cyberspace is the virtual environment that consists of computer systems and networks, where all computers communicate via networks and all networks are connected. The term originated in science fiction during the 1980s and became popular during the 1990s. More recently computer vendors are attempting to brand cyberspace as the “Internet of things” (IoT).

Cyber risk: a risk assessment that has been assigned to a cyber threat, such as a DDoS attack or a data breach. A cyber risk assessment may be either qualitative or quantitative, where the latter should estimate risk (r) as a function of the magnitude of the potential loss (l) and the probability that l will occur (I.E., r = p * l).