Cyber criminals are becoming increasingly capable, making them more dangerous to government agencies. This constant threat of attackers weakens government’s cyber posture and exhausts resources and time. To counter this threat, agencies must be diligent about improving their cybersecurity strategies and tactics.
To learn how public sector organizations can cope with these challenges and increase their cyber defenses, GovLoop brought together Sean McSpaden, Principal Legislative IT Analyst at the State of Oregon Legislative Fiscal Office; Reggie Tompkins, Director of U.S. Public Sector, Security Solutions at IBM; and David DeJarnette, Certified CISO in the recent online training, How to Bring Your Government Security Capabilities to the Next Level.
The experts kicked off the discussion by explaining the current state of cybersecurity in the public sector. “We are facing a historic shift in the nature of cybercrime,” Tompkins said. “Cybercrime is no longer being perpetrated by individuals committing one-off attacks, but rather sophisticated enterprises.” This means that a good spot to start combatting cybercrime is raising the bar for security standards throughout organizations to ensure that they can counter the increasingly sophisticated threat.
Start by making risk assessments more robust. “Identify your most valuable assets through an assessment that aligns the strategic needs of a business to a risk management framework,” Tompkins recommended. Doing this reveals gaps in the security infrastructure and allows you to align your resources and develop strategy and take an enterprise approach to fill those gaps.
It is also important to approach the issue of cybersecurity through a unified effort. DeJarnette explained, “it is easy to get distracted by the news and the hype but it is important to look at your agency and understand its mission and strategy and set your priorities there to leverage an enterprise approach.” At the end of the day, cybersecurity measures have to be a focused priority of the entire enterprise or they risk failing and leaving the agency vulnerable.
The state of Oregon is one public-sector enterprise that recently realized they needed to improve their cyber capabilities. “We had half a dozen incidents occur across the state of Oregon and in response to these, we realized we had to take urgent action,” McSpade said. In response, the State of Oregon employed the aforementioned strategies and more to ensure that they were ready for any potential cyberattacks.
The state ran multiple audits that showed the legislature where to appropriate more money for cybersecurity. “At the end of the audit we found that the organizational structure we were operating under was too decentralized,” McSpade explained. “As a result, we again took action and passed our most recent cyber bill to unify all security personnel in the state of Oregon.”
Cybersecurity is most robust when it cyber best practices permeate the entire enterprise not just one agency or department. “You really can’t go at it alone, you have to share resources and people to stay on top of cybersecurity,” McSpade said.
Looking forward, agencies must adopt an enterprise mindset in order to most effectively counter cyber threats. DeJarnette concluded, “Don’t be afraid to speak up, we are all on the same team and everyone is playing. No one is on the bench here, cybersecurity is a team sport.”
Extremely insightful Mr. Tompkins.