author photo
By Cam Sivesind
Tue | May 16, 2023 | 10:46 AM PDT

Seven small coastal towns in Massachusetts have formed a partnership to better tackle their IT and cybersecurity needs in the region.

The cities of Middleton, Danvers, Wenham, Manchester-by-the-Sea, Essex, Hamilton, and Topsfield formed the North Shore IT Collaborative in 2021 with the goal of their collective power being stronger than what they can manage alone.

Some members of the collective only have a few thousand residents, while the most populous town is Danvers, home to 27,000. The city has a more established IT setup, including a full-time IT director, which many of the smaller towns lack, according to this Government Technology article.

"This is a great approach. By banding together, these entities can accomplish much more than going it alone. We use this type of model for our 'Whole of State' approach to security in North Dakota," says Michael Gregg, CISO for the State of North Dakota. "Small entities struggle with the cost of security services. This helps shift some of the internal CAPEX cost to an external OPEX funding model. One key item to be clear on is data comingling. The legal agreement with the other entities must be worked through and agreed to before signing any agreement." 

Gregg is part of an opening keynote CISO panel on "Lessons Learned and Advice for the Next Generation of Cybersecurity Professionals" at SecureWorld Houston on Thursday, May 18, at the Norris Conference Center at Houston CityCentre.

Tom Brennan is the Executive Director, Americas Region, at CREST, a global community of cybersecurity businesses and professionals working to keep information safe in a digital world. He says:

"I think this move by these Massachusetts municipalities is absolutely wonderful. Municipalities have to hold massive amounts of PII [personally identifiable information] along with banking and payment card details. Those communities also have a legal obligation to protect that data. Residents don't have a choice of whether or not to share payment/banking information to pay property taxes or traffic tickets. It's not as though they can choose to pay for those services elsewhere. The problem is that despite having to protect this boatload of ultra-sensitive information, cyber thieves often see small towns as easy targets with weak defenses. Sadly, that perception is right more often than not.

Adding to this problem is that municipal boards and commissioners often spend far too little on security because voters don't see it as a priority. That is why this move is so perfect. By combining their resources, these seven municipalities can collectively obtain much higher-end security. It's a win-win.

That all said, it's crucial for these towns—and any other entities that do something similar—to make sure they are leveraging security that is consistent with standards. Municipal governments must share data with counties, state agencies, and even some federal systems. Without adhering to the kind of consistent cybersecurity standards that CREST supports, it has the potential to weaken their defenses by creating holes and cracks where attackers can hide malware."

Brennan is speaking at SecureWorld Chicago on June 8, tackling the topic of "I Can See Clearly Now, the Threats Are Gone: The State of InfoSec and Threat Intelligence Today."

Eric C. Botts is Director of the Global Cyber Security Program at University of St. Thomas. He, too, is speaking on a panel at SecureWorld Houston on May 18. He and other representatives from Houston-area universities are speaking on "What Academia Is Doing to Prepare Next-Gen Cybersecurity Professionals."

Botts has a different, and cautious, view on the North Shore IT Collaborative, saying:

"I hate to throw cold water, but unless these towns build in a security architecture to go with the connectivity, all they will do is give a potential attacker access to more attack surfaces and an ability to propagate malware through a larger network. Not knowing the configuration in detail and what monitoring software (intrusion prevention/detection) SIEM tools, etc. will be used, it is hard to evaluate the effectiveness of the project. A decentralized, connected IT network ought to have a SOC while they are at it. On the plus side, they did mention multi-factor authentication and EDR.

The big plus, and hats off to them, is bringing in cybersecurity interns from local universities. All of the efforts described will go a long way to building a more resilient IT infrastructure. But wait... they have to include an incident response framework and stand up a CIRT team. The question isn't if they'll get hit but when."

Mike Parkin, Senior Technical Engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, is a fan of the collaborative. He says:

"I love this idea! Having seen the damage cyberattacks can do to small government organizations, and the challenges they can face both in maintaining and securing their environments, the idea of small communities working together to improve their security posture is brilliant. It lets them pool their understandable limited resources to gain the benefits of a much larger and mature organization without breaking their budgets. Given that they share many of the same challenges, face the same risks, and have to deal with the same issues, it makes perfect sense. In fact, this idea should appeal to security vendors, as well, letting industry specialists provide their expertise in a way that benefits more people without having to duplicate effort multiple times. While it may not work everywhere, it's a concept that could well spread widely, and a lot of good could come from it."

Sean Scranton is a consultant on the Cyber Risk Solutions Team at WTW and often speaks on cyber insurance issues. He will join a panel at SecureWorld Dallas on October 26 on the topic, "Cover Your Cyber Assets." Scranton says:

"This is a how-to case study. It shows that providing shared services can lift the cybersecurity posture of all participants. It also reminds of bringing together siloed departments or business functions under one federated security structure in an organization. The benefits of cost savings, security awareness training, and use of similar tooling, to name a few, provide a sizeable maturity increase through these economies of scale. Similarly, on the insurance side, we have seen similar organizations band together to form captives and/or shared insurance pools, such that the organizations are under the same insurance structure. This may result in cost savings and better terms of insurance for all participants."