State government organizations (and the departments within) have a lot to focus on. From public health and safety to transportation to education and the environment, state government departments own and process a lot of data, making each division particularly vulnerable to cyber-attacks. This poses a significant risk since the primary role of state government is to support its citizens through these varying departmental services. With so much sensitive data housed in each department within each state government organization, threats like ransomware and phishing are on the rise since hackers know how to manipulate and exploit state government networks, some of which can be running on legacy systems or managed without all the resources desired to do so effectively. Ensuring state government departments and the cyber professionals employed there have the skills they need to protect all this data requires these organizations to assess their cyber readiness, and it can start with better cyber training.
Training can help cyber professionals in state government grow in knowledge and skill to identify their own gaps and areas to improve in cybersecurity practices. In the grand scheme of things, the better they are at their individual jobs, the better they’re able to protect networks from threats, and the stronger the cyber posture for the department/organization.
Cyber Training Funding Challenges for State Governments
Unfortunately, cyber training is often the red-headed stepchild of state government investments: a small, if not non-existent, line item. For states with smaller populations that may have less budget than more populous states, one can understand how some state governments remain at great cyber risk when they don’t have the funding or federal/executive level support needed to harden departmental data. But it’s not just a matter of population when it comes to funding for cyber training for state governments. Recent challenges of pandemic precautions, social unrest, budget cuts, and the upcoming election all contribute to uncertainty for state governments’ ability to stay safe and secure, according to an article from Dark Reading. It notes “The combination of reduced tax revenues and the additional costs caused by the pandemic could strain budgets for typical cost centers such as cybersecurity,” so it’s an unfortunate reality that ransomware cybercrime is on the rise since attackers know state governments are not always well-funded.
Other Cyber-Related Challenges for State Government Organizations
- Sustaining employees’ knowledge of technology applications increases breach propensity if solutions are not proactively maintained
- Variability in procurement processes inhibits standardization of cyber training solutions
- Individual systems that house data create inconsistencies in security management
- Weighing shifts to either public or private cloud operations against data security requirements
What to Consider in a Cyber Training Solution for State Governments
So what can CIOs, CISOs, and department leaders do to ensure their data is protected optimally with strong and skilled frontline cyber defenders?
While cyber training may not be a high priority budget item in the grand scheme of investments to make, it’s certainly more cost-effective than experiencing the monetary damages of a breach or ransomware attack.
We encourage state government cyber leaders to explore alternative training options that are:
- More than one-time use (preferably browser-based/online so training is continuous)
- Engaging for trainees (so skills retention is high)
- Authentic and realistic (real virtual machines help training ‘feel’ real)
- Metrics-driven (leaders should be able to assess gaps in training performance)
- Scalable (so individuals and teams can train together or separately at any time)
Project Ares cyber range training for state government cyber professionals
The Project Ares cyber training platform checks these boxes and much more.
Two examples of relevant, engaging cyber training activities pertinent to state government threat scenarios include:
- Operation Water Flash teaches cyber professionals how to mitigate an attack on an ICS/SCADA system that’s impacting a water treatment plant. For departments like Public Works or Water Utilities in state government organizations, training to combat a threat doesn’t get more ‘real’ than this. And for professionals who don’t secure water treatment facilities, the training still resonates because they get a sense of how to defend against an attack on a control system, likely not unlike whatever they may be dealing with in their real positions. And they can use real cyber tools, just like what they use in real defense.
- Operation Crimson Wolf teaches cyber professionals how to use network monitoring tools to stop and remove malicious actor artifacts (in this case, from a hospital’s patient records). For departments in Public Health and Safety or any professional securing citizen records, this scenario training can be particularly valuable.
The platform is structured into three main learning tiers:
- Build fundamental knowledge of cybersecurity concepts and theory with learning games
- Use tools, deploy tactics, and hone procedures in foundational exercises called Battle Rooms
- Culminate knowledge and skills in specialized scenarios called Missions
The platform is offered as a subscription-based model for cyber teams in departments.
There’s never been a more critical time than now to revisit the positive effects that good cyber training can have on state government entities and the departments within. The threats and risks are not going away, nor are the attacks slowing. It’s time to invest in immersive, hands-on cyber training so state government cyber professionals can protect citizen data – and state governments can get back to serving their citizens in the best ways they can.