On July 10, Connecticut Governor Dannel Mallow officially announced the release of the Connecticut Cybersecurity Strategy. The most far-reaching of its kind put forth at the state level, this strategy document outlines how the state expects both public and private sectors to handle cybersecurity issues. This is just the first step, and will be followed by a concrete cybersecurity action plan.
We have seen some state mandated cybersecurity regulations, such as the New York State Department of Financial Services (NYDFS) cybersecurity regulations—but nothing so sweeping across an entire US state. If this works for Connecticut, other states are sure to follow.
The document outlines seven key “principles” (leadership, literacy, preparation, response, recovery, communication and verification) meant to set the tone for strengthening the state’s cybersecurity posture. These principles are to be applied to every organization, agency, and individual in the state.
Overall, the intent is to focus efforts on cybersecurity education, preparation and information sharing, to improve workforce cybersecurity skills and enhance both public and private sector resources. What makes this initiative different is its holistic, cross-sector approach and the drive to create a statewide cybersecurity ecosystem.
Connecticut’s chief cybersecurity risk officer, Arthur House, hopes this initial document will focus attention on statewide cybersecurity as a priority and underscore the need to take concerted, collective action now. House also underscores the need for a stronger law enforcement and intelligence component to the state’s cybersecurity posture, in alignment with the FBI and other federal agencies.
It is not the state’s intention to regulate how organizations respond to cyber threats, but rather to give Connecticut businesses a “competitive edge” by “maximizing the financial well-being of companies, the safety of their employees and the integrity of their products.” Industry-specific recommendations currently on the table include adopting a communications plan for cyber incident response across the financial services industry and organizing statewide forums for insurance firms. “Everyone should join in a common effort to create a culture of cybersecurity awareness,” said House.
The end result of the effort is likely to be not just guidelines, but technical steps and processes that will impact nearly every company in the state on some level.
As with all aspects of cybersecurity, the best way for businesses, government agencies and other organizations to proactively prepare for an uncertain and increasingly risky future is to move towards the design, implementation and continuous improvement of a comprehensive information security management system (ISMS). To find out more, contact Pivot Point Security.
For more information on statewide cybersecurity:
- “Meet the Threat”—how states are collectively confronting cybersecurity challenges
- A recent memo on state cybersecurity response plans
- The improvements shown through Colorado’s statewide cybersecurity program
- The State of Washington’s recent cybersecurity preparedness and emergency management program