Written by Todd Weller
A few weeks ago, I participated in a cybersecurity panel at the National Association of State Technology Directors Annual Conference. The theme of the event, “The Crossroads of Technology,” was very fitting from my perspective because it was clear that state and local government organizations are, in fact, at a major crossroads when it comes to cybersecurity. These enterprises are clearly feeling the wear-and-tear of phishing, malware, and ransomware attacks that must feel like a daily occurrence. In fact, during the conference, news broke about the state of Texas being hit with a coordinated ransomware attack that disrupted systems of 22 local governments.
Our panel – filled with cybersecurity leadership from South Carolina and Florida — Here is what I learned:
Give Up or Fight Harder?
When standing at a cybersecurity crossroads, which path do you take? Often, the unrelenting nature of cyberattacks makes people feel like throwing in the towel. While the consensus from our panel was that option wasn’t viable, it wasn’t immediately clear how smaller and mid-sized organizations could combat adversaries and embrace the fight.
Government organizations, like all enterprises, need to operate with a “not if, but when” mentality. Organizations need to do their best to cover basics like vulnerability management, patch management, and data backup as well as ensure that people, process, and technologies are in place to prevent, detect, and respond to threats.
Here are three steps discussed during our panel that organizations can take to up their cybersecurity game:
Secure More Budget: In 2014, breach disclosure requirements resulted in a significant increase in the transparency of cyberattacks. One result was a significant increase in cybersecurity budgets. Right now, the awareness around the increased need for cybersecurity in state and local governments has never been higher and organizations should take advantage of this opportunity to argue for more budget. You need it!
Cybersecurity is a Business Risk: In the commercial world, the shift from viewing cybersecurity as a business risk vs. an IT risk is several years underway. However, it seems that in state and local government, this shift is at its early stages. This should be a key theme for state and local government cybersecurity organizations, not only because it strengthens your argument for more budget but also because it’s true. Recent attacks on state and local governments have not been focused on stealing sensitive data but rather creating business disruption via ransomware. This is impacting service availability, revenue, and over time will become a more sensitive topic with constituents.
Outsource, Automate & Use Threat Intelligence: Scaling people and processes are critical in today’s environment. State and local government organizations face more severe pressures relative to the commercial sector when it comes to finding and retaining skilled security staff. One approach here was a recommendation from Florida’s CISO for a governmental culture shift: accepting the reality that cybersecurity talent may only stay for one or two years. In the commercial sector, to address the staff shortage, there is a huge shift towards managed security services.
Embracing security automation is also critical to scaling security efforts. Leveraging security automation has never been easier as the requirement for cybersecurity technologies to be integrate-able and automated has never been higher. No organization alone can keep up with and defend itself against today’s dynamic threat environment and so incorporating threat intelligence into your security efforts is critical.
Ultimately, there needs to be a mindset shift by organizations to not operate with fear of cyberattacks but to embrace the challenge. Operate with the attitude that cyberattacks happen. Be transparent around what you are doing to address cyber risk. Ensure you are maintaining proper cyber hygiene – it’s extremely difficult to rebuild trust post-breach if your organization or agency has not been patching two-year old vulnerabilities. It’s critical to have and practice an incident response plan, so you are prepared and seasoned when the unfortunate—but inevitable—occurs.
Todd Weller is the chief strategy officer for Bandura Cyber.