Cybersecurity initiatives for government agencies -- in fact, other organizations, too -- have to be proactive and iterative.
According to the US Office of Management and Budget, federal agencies reported 30,899 cybersecurity incidents to the Department of Homeland Security last year. Threats are evolving across multiple vectors as the number of potential entry points expands exponentially with the proliferation of connected devices and the Internet of Things (IoT). IHS Markit predicts that the number of connected devices will increase from 15.4 billion in 2015 to 30.7 billion by 2020, and 75.4 billion by 2025.
Given this new world of connected devices and sensors, cyber hygiene can no longer be limited to basic endpoint security, firewalls, and dual-factor authentication. Public sector agencies need strong security strategies that fit into their organization’s broader digital plan.
Need to develop a cyber plan, but strategically
Cisco’s 2017 Annual Security Report found the majority (54%) of public sector organizations still take a project-based approach to purchasing security solutions. On the other side, public sector lags behind private sector in taking an enterprise architecture approach to cybersecurity purchasing – just 28% of agencies compared to 38% of private sector organizations.
This delta indicates that most public sector cybersecurity decisions are being driven by reactions to security incidents rather than by a proactive, strategic approach that’s part of a larger security plan.
Agencies that aren’t incorporating security into their IT strategy at the ground level are essentially playing checkers (reactive) when today’s environment requires you to be playing chess (preemptive). Truly effective cybersecurity requires an integrated, flexible architecture with an approach that balances all the elements – technology, processes, and people.
The key phrase here is “ongoing process” – a continual journey of measuring, evaluating, and refining systems and protocols to ensure proper protection before an attack takes place. This gets to the core of the issue, that proactive cybersecurity is an iterative process of improvement rather than the mere execution of a checklist.
The approach agencies take dictates how security technologies and critical processes are implemented and adapted over time. Being proactive is imperative to limiting risk and responding to threats.
Put another way, effective cyber risk management requires an architecture that enables planning two-three moves ahead (chess) and provides flexibility to adapt, rather than a culture of simply responding to threats as they occur (checkers).
Don’t forget about the people
Among public sector respondents, Cisco’s 2017 Annual Security Report found that two of the top five hurdles to adopting advanced cybersecurity technologies related to people – organizational culture/attitudes about security; and lack of training personnel.
Agencies must focus not only on physical IT modernization through the procurement process, but also weave cybersecurity into the fabric of the organizational culture. No matter how extensive an agency’s security protocols, they are useless in the absence of proper training, buy-in, and active use by the employees themselves.
Cybersecurity is thought of as a technology issue, but at its core people still execute the attacks and develop defenses. New technology is great, but new thinking and strategy is equally as important.
The game of security should be one of chess, not checkers. With possible internal and external weak points abundant, public sector agencies need to be strategic instead of reactive with their security, creating an ongoing process that fits into their organization’s broader digital plan. There’s a lot to think about with finding the right security technology, the right security procedure and onboarding the entire agency to understand how security should be viewed. However, if an agency has a security-first mindset that sees security as an enabler, then it will be able to embrace the best security strategy for its digital future.
Will Ash, Cisco
Will Ash is Senior Director of Security, U.S. Public Sector, for Cisco.
The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.