Public and private partnerships helping bolster state's cybersecurity

The CIO and CISO for the state of Wisconsin discuss how public and private partnerships have become integral to their statewide cybersecurity strategy.

As cyber threat scenarios continue to evolve, more organizations are embracing public-private partnership initiatives to better defend themselves against the onslaught. Private and public partnerships are proving critical to protecting the country's critical infrastructure. State of Wisconsin CIO David Cagigal and CISO Bill Nash spoke with SearchCIO about the state's public-private partnership strategy at the recent Fusion 2017 CEO-CIO Symposium.

In this Q&A, they talk about the importance of nurturing these public and private partnerships, highlight the projects the state has implemented through such partnerships and also shed light on where they are concentrating their cybersecurity efforts.

What kind of efforts have you undertaken to build public and private partnerships?

David Cagigal, CIO, state of Wisconsin: In 2015, we developed a Cyber Disruption Response Strategy. First, we were able to establish the strategy based on public-private partnerships. It was well thought out and there was great participation from the members of the private sector. The strategy is highly dependent on the mutual understanding of the severity of the risks that we face today. Government can't solve the risks by themselves, neither can the private sector, but together they have a stronger probability of being able to resolve the issues.   

Secondly, we established a working group that also resulted from our public and private partnerships. We call it the Wisconsin Cyber Strategy Planning Working Group. It meets monthly and we talk over the issues that are before us in a collaborative manner. 

Last, we train and exercise together. We have established state, local, territorial and tribal teams. Our cyber response teams are made up of city, county and state employees that have been credentialed and have increased their capabilities to respond to an incident. We were called out 12 times last year. We're able to respond to citizens and counties that may have had an issue with an incident, and we quickly do a vulnerability assessment to understand what the root cause was or what the vulnerability was and how they might be able to close that gap. We also trained with the National Guard, which is instrumental in our partnership, and with the private sector, including the five utilities here in Wisconsin, and companies like AT&T and Cisco.

By training and exercising together, we have become more comfortable with our relationships. We understand exactly the interdependencies associated with an incident response and that we're going to be much more successful in the future with our public-private partnerships. This isn't a project with a beginning and an end. This is a journey that we travel together, and through our public and private partnerships we'll be able to respond collectively to any incident that may occur.

What is of foremost importance in your cybersecurity agenda right now?

Bill Nash, CISO, state of Wisconsin: We've gone through risk assessments, we had a third party come in and do an assessment for us that pointed out a whole plethora of things that we needed to work on. We have developed a roadmap and a strategy based on multiple assessments and we've been carrying it out, but if I had to boil it down I would say there are two areas that we're focused on.

One is cyber hygiene, where we'd like to improve our processes and what we're doing to make sure our environment is not vulnerable.

The second side of it is the human side, where we're really working with training employees and IT professionals so they know how to do security configurations. It's kind of building that defense around humans. Those are the two focal points in our strategy and I think you could take all of our projects and align it to those areas. 

We're also trying to improve our vulnerability management program. We're doing network access control to try to analyze what's coming out of the networks. On the human capital side, we're doing security awareness training and trying to do things like multi-factor authentications so that if they do happen to give out their credentials where they shouldn't, there's at least a little bit of protection for them. 
