2022-2026 State Strategic Plan

Accelerating the Next Generation of Technology in Texas


Goal 1: Secure IT Service Delivery

Texans entrust government with some of their most sensitive and confidential information, and government agencies bear the responsibility for ensuring that information is not compromised.
As increasingly complex cyber threats continue to target the public sector, agencies must minimize risks to technology and evolve cybersecurity practices focusing on the human element.
In addition, Texas government must continue to invest in advanced tools for identifying, preventing, detecting, and responding to information security and cyber threats.

Challenges

Cybersecurity threats range widely in sophistication and scope. Increased reliance on third parties creates supply chain risks and the possibility that tools could be used to gain unauthorized access to networks or information.
Advances in technology give rise to new classes of threats almost every day.
Challenges around the human element of cybersecurity are prevalent and drive the need for identity-based, location-independent solutions.
A nationwide shortage of skilled cybersecurity professionals continues to hinder the public sector’s ability to recruit and retain people with specialized skills.
Cybersecurity risks are complex and may occur during other disruptions. As a result, there is an increasing need for regional responses and integrated continuity planning.

Desired Outcomes

• Mature, risk-based security programs that safeguard information, reduce harm, decrease third-party risk, provide continuous protection, and increase resilience.
• A cybersecurity-aware culture that can better identify and prevent incidents by sharing threat information throughout cyber communities.
• Sustainable resources to meet security needs, including long-term investment in cybersecurity tools, talent, and training.
• High levels of protection for private and confidential information, reduced exposure to cyberattacks, and regional approaches to preparedness that build resilience.

Objectives

1. Reinforce risk-based security practices, including continuous prediction, prevention, detection, and response to cybersecurity threats.
The global pandemic changed the nature of work and created the unique risks of a hybrid workforce. Agencies must consider the vulnerabilities for remote workers, increased opportunities for human error, and limitations for monitoring virtual workspaces. Agencies should explore a zero-trust model as a long-term approach to reducing vulnerabilities. As cloud adoption accelerates, so do the challenges of evaluating and monitoring cloud products and services. State law now requires agencies to contract with cloud providers that demonstrate compliance with the state’s risk authorization and management program, TX-RAMP. The program will provide standardization for security assessment, authorization, and monitoring of cloud computing services that process Texas government data. As security risks shift, the public sector must focus on user identity and access management in addition to network-based security measures. Agencies may want to take advantage of centralized identity and access management solutions to reduce duplication and implement risk-based protections.
2. Form a resilience mindset and a vigilant organizational culture through cybersecurity education and training.
As the range of cybersecurity threats evolve, it is critical that agencies provide ongoing education and training to all employees and contractors. Agencies must reduce exposure and strengthen the first line of defense against phishing, social engineering, and other human-focused tactics used in cyberattacks.
Texas government must implement cybersecurity practices well-suited for the workforce of the future by building internal skills, cross-training staff, and adopting policies that support good cyber hygiene. Agencies should identify and develop the security skills employees need to support the agency’s mission, the types of technology it uses, and the data it creates and maintains.
3. Develop regional approaches to cybersecurity engagement and response.
When cybersecurity incidents, natural disasters, pandemics, or other events disrupt IT systems, a quick response is critical to the restoration of government operations and services. Agencies should participate in and support regional cybersecurity planning, training exercises, and responses to actual events.
A new state law authorized the establishment of regional cybersecurity working groups, volunteer incident response teams, and regional network security centers that will become cornerstones for these activities. Agency continuity plans should contemplate scenarios where cybersecurity incidents occur during emergencies or other disruptive events, and cybersecurity response exercises should include regional partners to prepare for complex disruptions.
4. Create scalable, integrated tactics for cybersecurity based on cost-effective  cybersecurity tools.
Integrated approaches for cybersecurity and risk management are effective at helping agencies evaluate their current IT infrastructure and make informed decisions about which applications are too costly or high-risk to maintain. Agencies should apply multiple layers of security tools and strategies to heighten vigilance in protecting confidential and sensitive data.
Leveraging shared security services can help agencies make cost-effective investments in tools that help identify, prevent, detect, and respond to malicious activity. Examples of such tools include multi-factor authentication, endpoint detection and response, monitoring and reporting tools, breach and attack simulation tools, host intrusion protection systems, and disaster recovery tools.