Virginia has launched a project to build the first state-level organization for sharing cybersecurity threat information between the government and the private sector, the state’s governor, Terry McAuliffe, announced on Monday (April 20).
The Virginia Information Sharing and Analysis Organization (ISAO) is intended to share information on hackers, cyberthieves and other cybersecurity threats between businesses and state government, sidestepping potential antitrust concerns. President Barack Obama issued an executive order in February, encouraging ISAOs at the state level.
“Virginia’s ISAO is our logical next step in building on the outstanding work of the Virginia Cyber Security Commission, Virginia Cyber Security Partnership, Virginia Information Technologies Agency, and the cybersecurity efforts of so many other public- and private-sector partners throughout the Commonwealth,” McAuliffe said in a prepared statement.
Neither the governor nor Secretary of Technology Karen Jackson, who talked about the initiative at the RSA security conference in San Francisco on Monday, gave a timeline or other indication of when the state’s ISAO project would begin to support actually sharing threat information.
While Virginia, like some other states, has state-level cybersecurity organizations, the ISAOs are intended to have several key advantages. Arguably the biggest is that the federal Department of Homeland Security will create a streamlined process to share classified cybersecurity threat information with private-sector companies, according to a fact sheet about the February executive order.
But the state ISAOs also have the practical purpose of compensating for the difficulties state governments are having competing with private-sector demand for cybersecurity talent. States tend to have underfunded cybersecurity budgets, and 90 percent of state chief information security officers said salaries were the biggest challenge in attracting talent for state cybersecurity positions, according to a 2014 Deloitte survey.
By offering access to some classified information to private companies, the state ISAOs should be able to both promote cybersecurity in general, but also leverage private-sector expertise so that state governments can shore up security for their own networks.