What are the top three things the public sector should be doing to protect itself that it isn’t?
- Prioritize cybersecurity as a critical issue
- Make cyber part of everyone’s job and train them appropriately; gamification can help tremendously
- Understand that breaches will happen and plan accordingly by mitigating the impact of the breach
All organizations are at risk since each one typically has some component of data or national secrets important to our adversaries. Those same adversaries know that most organizations are connected and a breach in one can often be the bridge into another. The key to understanding the risk picture is to understand the adversary and their intent. If we’re the focus of a nation-state cyberattacker, their goals are typically aligned as part of a national plan. Therefore, we need to understand the risk and focus our most significant protection efforts on our critical assets. You cannot protect everything equally; it just doesn’t scale.
What is the biggest cybersecurity problem the public sector faces and why?
Probably the two largest challenges today are antiquated equipment and related operating systems and a maniacal focus on compliance. We need to get our systems updated with the latest operating systems and applications and keep them that way by creating the appropriate budget line items for regular hardware and software updates and institutionalizing the process. We shouldn’t be playing catch-up year after year since it only hurts our security posture.
The second piece is to get a focus on risk mitigation instead of compliance. Today, most organizations are way too concerned with a compliance checklist. That would be OK if that checklist was completely aligned with a risk management plan for an agency. However, it’s not; it’s a generic plan attempting to cover all agencies, which doesn’t work. FISMA, FITARA, and other compliance programs should be thoroughly reviewed and restructured all around reducing risk in every agency. That way, when a breach happens you can mitigate the impact. It is like a burglar who gets into a house but is apprehended or run off before they can steal anything.
What can leaders do to minimize that threat?
Focus on mitigating risk to agencies' assets. The newspapers are often full of compliant organizations that are breached. Train your users to be aware of the risk and practice being aware every day. Yearly cybersecurity training is meaningless if not practiced daily by understanding, looking for, and identifying anomalous activity as it relates to their daily activities. In other words, turn your users into additional sensors in your environment. We already do it for physical threats; cyber is no different with proper training.
What is next in cybersecurity?
The challenge is only going to grow. The rapid adoption of Internet of Things (IoT) devices that are generally not secure, which means they are inherently dangerous to connect into our existing enterprises and networked homes, will create new issues. Further complications will arise from inexpensive high-speed connectivity such as 5G, which can be baked into IoT devices and pretty much any IP-enabled device and will help further decimate perimeter defenses. Additional pressures on CISOs and CIOs will likely come into play from government regulators, lawsuits and insurance companies to meet specific levels of due diligence to protect consumer personally identifiable information (PII) data. Artificial intelligence and machine learning will help us start to defend our systems as those technologies improve; however, it's quite likely that cyberattackers will pervert that technology as well to build creative new attacks in the future. The only certainty in this area is that the demand for additional experts in cybersecurity will continue to grow and likely outstrip the supply for a number of years to come.