North Dakota: An Innovative and Leading Cybersecurity State

When you think of US States exhibiting cybersecurity leadership, which ones come to mind? For me, I’d place Maryland at the top of the list, followed by CA, MA, VA, GA, and a few others. In my view, these states exhibit good efforts around cybersecurity innovation and public/private partnerships.

Now if you pinned me down and asked me to continue my list, I’m not sure where I’d place North Dakota, a state with a population of 755k. Until recently, I had no knowledge or opinion on the state’s cybersecurity position whatsoever. That changed for me when someone from the office of the CIO in North Dakota read one of my blogs on the cybersecurity skills shortage and reached out to fill me in on the state’s cybersecurity efforts. As it turns out, North Dakota is doing quite a bit.

As my research has often indicated, a strong cybersecurity culture starts at the top with an active executive. In North Dakota, this responsibility falls to its governor, Doug Burgum. Governor Burgum gets technology, as he is the former CEO of Great Plains Software, a mid-market ERP provider that was sold to Microsoft in 2001. Since his election in 2016, Governor Burgum has made STEM, IT, and cybersecurity a major part of his agenda. 

So, North Dakota has IT chops at the top and this is important for the future of the state. Good thing, since the state is a hub for unmanned aerial vehicle (UAV) R&D, energy, and agriculture – industries with heavy IT dependencies. Additionally, there is a fairly big military presence in the state.

Over the past few months, I’ve learned a bit about North Dakota’s four-pronged strategy – 1) Defend against threats, 2) Automate services, 3) Adopt a singular posture, and 4) Focus on computer science and cybersecurity education. 

In April of this year, North Dakota did something no other state has – it signed legislation to unify cybersecurity across all departments. This was seen as a way to protect 252,000 users who were already communicating across the state’s unified network (StageNet) and defend against around 5 million cyber-attacks per month. Centralizing cybersecurity defenses and operations will allow the state to unify policies, invest in leading security technologies, and spread cybersecurity expertise across agencies and localities that may not have the skills or staff to manage cyber risk on their own. 

This program makes a lot of sense to me. According to ESG research, 53% of organizations claim to have a “problematic shortage” of cybersecurity skills. Furthermore, the cybersecurity skills shortage is at its most acute for public sector and rural organizations. Since North Dakota meets both criteria, centralizing cybersecurity services may help the state improve cyber risk management, streamline operations, and scale to align cybersecurity defenses and processes with a growing attack surface.

Aside from governmental efforts, North Dakota is taking cybersecurity education much more seriously than other states. The state has adopted a program called K-20W, with a goal of “every student, every school, cyber educated.” To develop its programs, North Dakota enlisted the help of the National Integrated Cyber Education Center (NICERC) and private companies like Microsoft. Teachers across the state are being trained on cybersecurity and developing a curriculum which will be used for all school districts from Kindergarten through 12th grade. At the college level, North Dakota State has a new PhD-level cybersecurity program while Bismarck State College (supported by Palo Alto Networks) was recently designated as a Center of Academic Excellence in Cyber Defense by NSA and DHS. Finally, the “W” in K-20W extends cybersecurity education to the North Dakota workforce with 40 statewide organizations participating.

I’ve been researching and writing about the cybersecurity skills shortage for more than 7 years. Early on, I was a lone voice and sort of the Chicken Little on this topic. More recently, many other analysts, pundits, and researchers have added their voices. I appreciate the company but in my humble opinion, things continue to get worse (note: Look for a new version of ESG’s research with ISSA for more data on this topic). This is bad news for all of us.

It certainly appears that Governor Burgum not only recognizes this problem but is also willing to rally his state to do something about it. Kudos to North Dakota; I’ll continue to track its programs and progress. I hope other so-called “progressive” states do so as well.
