For any organization, public or private, security risk assessments and penetration testing are necessary. Compliance obligations and an ever-changing threat landscape require constant threat management. However, for an agency to build a true culture of cyber security, those tactics must be part of a cohesive, long-term security and risk management program. Like any department or discipline, cyber security should have a structure, a strategy, resources to execute, and measures of success.
Having provided over a decade of cyber security services to public agencies, I've found there are five key elements agencies should consider as a baseline for making cyber security a core competency.
Establish an Information Security and Risk Management Program
Cyber security, just like any discipline, needs a long-term strategy, operations and management resources, and discernible measures of success. For example, how does cyber security provide value back to the agency? Historically, information security has been treated as an afterthought in many organizations, and in most it sits as a subcategory of Information Technology (IT). Limited resources are a reality in the public sector, and cyber security may need to continue to live as a subset of IT. To achieve stakeholder buy-in, find a partner to help you create a cross-functional "strike team" that builds a long-term strategy. There must be tangible cyber security goals for the organization, and all employees should understand that information management is everyone's responsibility.
Monitor Your Network 24/7
Many consultants don't offer this as part of their portfolio, which is why you should ask about it up front. How would you know you are being attacked if you aren't monitoring your network? As your cyber security program matures and your enterprise continues to harden its security posture, a 24/7 network monitoring service with security operations center support becomes crucial. That operations center can triage alerts and respond to potential incidents as they happen. Once again, be sure you have built this into your strategy before committing money to a long-term service.
Third-party Application and Vendor Management
Think about all the third-party applications we use as part of our everyday work lives. These include communication tools for your customers or clients, and other SaaS platforms that may collect citizens' personally identifiable information (PII), which creates a further risk that the vendor uses or distributes that data. Knowing these vendors have the appropriate security controls in place to keep that data secure should be your number one priority. Bottom line: you need a formal program that sets security standards for third-party vendors with access to PII. When departments within an agency buy applications independently without telling IT, risk increases drastically.
Compliance
Regardless of our take on the various regulations and requirements, we all know compliance is part of doing business today. We also know that keeping up with all the standards can be daunting and very expensive. To address this burden on IT and security leaders, an outside consultant can often be the best choice. For example, at MGT we've implemented a Virtual Compliance Officer program that streamlines compliance requirements as they relate to security assessment needs and security control implementations. On the assessment side, our hybrid assessment covers a variety of standards in one engagement rather than assessing each separately. This results in a more comprehensive assessment, which means our clients save money. Whichever path you choose, the bottom line is to find a way to streamline your compliance efforts.
Establish a Chief Information Security Officer Resource
Whether this role is internal or external, for example through a virtual Chief Information Security Officer program, it is critical to have a voice and clear ownership in the security space. As part of a robust information security program, you need a resource that:
- Continuously evaluates the overall security posture of the agency.
- Develops, maintains, and implements information security policies and procedures.
- Manages security hardware and software.
- Develops and implements security training and awareness programs for all staff.
- Addresses compliance requirements over the long term.
- Acts as a voice at the highest level of leadership within the agency, providing an information security lens on all agency activities.
What Can You Do Now?
These are just some of the fundamental elements of a robust information security risk management program. It bears stressing that you need a long-term cyber security plan and must make it a core competency across your organization. Furthermore, don't spend a dime on flashy hardware and software until this plan is in place and you have a way to use those tools efficiently. Your plan may reveal key procedural and "people-driven" items you need to address first, and even then you may not have adequate budget to maintain some solutions over the long term.
For those looking to implement security solutions, my team helps IT and information security leaders and agencies change the way information security is viewed as part of overall operations. Just like any other department or core agency function, your cyber security plan needs to be championed, phased, scalable, and sustainable. This is how public agencies make cyber security a core competency. To this end, our philosophy in helping agencies build robust cyber security programs is to provide solutions that one day "work" ourselves out of the job.