Cybersecurity Keys: Visibility, Automation, Awareness

Techwire has been publishing cybersecurity-related perspectives from several vendors this month, which is Cybersecurity Awareness Month. Following are responses by Katherine Gronberg, vice president of government affairs for ForeScout Technologies.


  • What are the top three things the public sector should be doing to protect itself that it isn’t?
    • Without a doubt, the two things that have been absent from public-sector cybersecurity planning are visibility and automation. Visibility is foundational to a strong security strategy and organizations need the ability to detect all of the devices on their network, whether that is traditional computers or Internet of Things (IoT) devices. Automation is also critical in being able to remediate found threats without human intervention.
    • Public-sector organizations typically do not have the tools in place that allow them to instantaneously and automatically take action. If an unpatched device or endpoint is detected, your detection tool tells your patching tool to go do its job. This is enforced by a set policy, which is essentially the instruction manual for how you want to deal with found problems.
    • The third thing that is absent from the public sector is awareness of their most critical assets and how best to secure them. The primary focus is usually on incident response and recovery, not on hygiene and prevention, unfortunately. Consequently, the focus on asset inventory is to serve the purposes of incident response (IR), when in fact the greater benefit in asset inventory is in prevention (i.e. patching and updating).
    • Continuous Diagnostics and Mitigation (CDM), which is also available to states, and Comply to Connect at the Department of Defense are two large programs helping the federal agencies obtain visibility and automation.
  • Who is most at risk?
    • Public-sector agencies that are subsumed by the compliance mentality are most at risk. Agencies need to adopt a risk management mentality. From a federal perspective, this was underscored in the May Executive Order directing agencies to follow the NIST Cybersecurity Framework.
    • Public-sector entities that are overwhelmed with the breadth of cybersecurity information, threats and solutions that are not putting a plan of action in place are most at risk.
    • Those who are unable to control and manage everything on their network are at great risk.
  • What is the biggest cybersecurity problem the public sector faces and why?
    • The biggest problem public-sector agencies face is the deluge of IoT devices they now use to execute their missions. Connected devices are already pervasive throughout the public sector — handheld readers, smart engines, scanners, monitors and sensors. Our public-sector agencies can’t afford to not take advantage of the safety and efficiency benefits offered by connected equipment. But they must be secured and they can’t always be secured the same way you secure Windows devices. 
    • Another big issue facing public-sector agencies is training, recruiting and retaining a qualified workforce. This problem is exacerbated when they fail to automate breach prevention and response, as noted above.
    • Finally, at the state and local level, identifying and securing funding for cybersecurity is also a huge problem.
  • What can leaders do to minimize that threat?
    • Security starts with visibility. You cannot secure what you cannot see. You have to first detect and assess these devices on your network and then automate action, including quarantining devices.
    • In the case of workforce, states and the federal government should offer student loan forgiveness for computer science graduates willing to work in the public sector for five years after graduation, and they should offer incentive pay.
  • What is next in cybersecurity?
    • We believe visibility is the next big thing in cybersecurity. However, strong cybersecurity hygiene is also important. The cybersecurity controls (NIST SP 800-53) that agencies are required to follow per the Federal Information Security Management Act (FISMA) have been in existence for well over a decade, but how rigidly are they practiced by state and local government? Why do public-sector leaders continue to tolerate low and/or failing FISMA scores? Cyberbasics like patching and updating can be key to preventing breaches.
 

Kayla Nick-Kearney was a staff writer for Techwire from March 2017 through January 2019.