For any organization, public or private, security risk assessments and penetration testing are necessary, and always will be, due to compliance and an ever-changing threat landscape. However, for an agency to create a true culture of cyber security within their organization, success lies on ensuring key information security activities are part of a cohesive, long-term security and risk management program. Like any department or discipline, cyber security should have a structure, a strategy, resources to execute, and measures of success.

Providing over a decade of Cyber Security services to public agencies, I’ve found there are five key elements agencies should consider as a baseline for making cyber security a core competency:

  1. Establish an information security and risk management program. Cyber security, just like any discipline, needs a long-term strategy, operations and management resources, and discernable measures of success (i.e. how does cyber provide value back to the agency?). Historically, Infosec has been considered an afterthought in many organizations – and in most cases, a subcategory of Information Technology (IT). Limited resources is a reality in the public sector, and cyber may need to continue to live as a subset of IT. However, finding a partner to help you create a cross-functional “strike team” focused on creating a long-term program and strategy is essential to achieving stakeholder buy-in. Ensuring that cyber security has tangible goals for the agency, and that all employees within an agency understand that safe management of information is everyone’s responsibility, are critical pillars of an effective information security risk management program.
  2. Monitor your network 24/7. Many consultants don’t offer this as part of their portfolio, which is why you ask this question up-front. How would you know if you’re getting attacked if you aren’t monitoring your network? As your cyber security program matures and your enterprise continues to harden its security posture, a 24/7 network monitoring service along with security operations center support to address potential incidents and alerts in a live environment is a key piece of a multi-layered security program. Once again, be sure you are building this into your strategy before investing money in a long-term service.
  3. Third party application & vendor management. Think about all the third-party applications we use as part of our everyday work lives; these could include communication tools for your customer or clients, or other SaaS platforms that could gather (posing another threat of either using or distributing) citizen’s private identifiable information (PII). Knowing these vendors have the appropriate security controls in place to keep that data secure should be your number one priority. Bottom line – you need a formal program around security standards for third-party vendors with access to PII. When departments within an agency buy applications independently and IT has no knowledge of these purchases, it drastically increases overall risk.
  4. Compliance. Regardless of our take on the various regulations and requirements, we all know compliance is part of doing business today. We also know that keeping up with all the standards can be daunting, and very expensive. To address this burden on IT and security leaders, an outside consultant can often be the best choice. For an example, at MGT we’ve implemented a Virtual Compliance Officer program that streamlines compliance requirements as they relate to security assessment needs and security control implementations. Then, on the assessments side, our hybrid assessment includes a variety of standards rather than doing them separately resulting in a more comprehensive assessment thereby saving money in the process. For whichever path you choose – bottom line – find a way to streamline your compliance efforts.
  5. Establish a Chief Information Security Officer resource. Whether this is internal or external like leveraging a program such as a virtual Chief Information Security Officer, it is critical to have a voice and ownership in the security space. As part of a robust information security program, you need a resource that:
    1. Continuously evaluates the overall security posture of the agency.
    2. Develops, maintains, and implements information security policies and procedures.
    3. Manages security hardware and software.
    4. Develops and implements security training and awareness programs for all staff
    5. Address compliance requirements long-term.
    6. Acts as a voice at the highest level of leadership within the agency to provide an information security lens to all agency activities.

These are just some fundamental elements of a robust information security risk management program. As a follow up to these points, I believe it is necessary to stress for any organization/public sector agency the importance of having a long-term cyber security plan and making this a core competency across their organization. Furthermore, don’t spend a dime on flashy hardware and software solutions until this plan is in place and you have a way to leverage them efficiently. Your plan may reveal key procedural and “people-driven” items you need to address first, and even then, you may not have the adequate budget to maintain some solutions long-term.

For those looking to implement security solutions, my team helps Information Technology (IT) and Information Security (Infosec) leaders and agencies redirect the way information security is looked at as part of overall operations. Just like any other department or core agency function, your cyber security plan needs to be championed, phased, scalable, and sustainable. This is how public agencies make cyber security a core competency. To this end, our philosophy in helping agencies build robust cyber security programs is providing solutions to one day “work” ourselves out of the job.