5 ways to bolster cybersecurity maturity
By Brandon Shopp
Cybersecurity is not sufficiently maturity across public-sector organizations. According to the 2020 SolarWinds Public Sector Cybersecurity Survey, only 57% of IT operations and security decision-makers from across the government identified their agency’s cybersecurity functions as mature. Respondents said budget constraints and a lack of confidence in their team’s ability to keep up with evolving threats are the biggest roadblocks to cybersecurity maturity.
These responses aren’t surprising. Just when security teams find ways to block a specific attack, bad actors pivot to new tactics and techniques. It’s a constant game of cat and mouse, and it can feel like the rules are rigged against security professionals. To make matters worse, the digital ecosystem is expanding. More endpoints, more services and greater reliance on the cloud are adding to the workload of security teams. With this in mind, here are five ways public-sector IT professionals can bolster their agency’s cybersecurity maturity.
1. Make endpoint protection a priority
A key finding from the survey is that organizational maturity — even for technologies that have been around for some time, such as endpoint protection — is lacking in government. While 57% say they’re most mature in endpoint protection, over 40% are not. The challenge for security teams is as the network perimeter expands, particularly across remote offices and employees’ personal devices, endpoint protection solutions can be costly to acquire and deploy. One way around this dilemma is to analyze the risk profiles of the various endpoints. With this insight, security teams can prioritize critical or at-risk assets, such as servers over end-user systems. If budget remains an issue, agencies can also leverage existing technology investments, such as security capabilities in Windows, to enhance protection across lower risk assets to ensure there are no blind spots within the organization.
2. Understand cutting-edge solutions don’t equal maturity
Even as foundational solutions like threat intelligence, endpoint protection and identity and access management evolve, too often organizations gravitate toward products with the loudest bells and whistles, many of which include features they don’t really need. These costly solutions can spread resources and investment dollars too thin and even undermine organizational security maturity. With costs rising and budgets shrinking, agencies must adopt a risk-based approach and prioritize security investments to address key problems, vulnerabilities and exposures. Because the market is flooded with very mature, cost-effective and capable solutions that can drive cybersecurity maturity where it’s needed most, IT pros don’t need to chase the latest shiny object.
3. Leverage automation
One way to move the needle on cybersecurity maturity is to leverage artificial intelligence and machine learning. AI and ML allow security teams to be more effective with the resources they have. Next-generation automated security technologies can complete tasks such as identifying potential threats, detecting unauthorized behaviors, applying intelligence to qualify incidents, countering and blocking attacks before execution, stopping unauthorized movement of data and more. As AI and ML become more prevalent in the security marketplace, agencies can evolve their cybersecurity architecture to respond to changing digital threats.
4. Go beyond checking a box
Security maturity is more than a check in a box. It can be easy to deploy technology or train employees once and think the risk to the agency is mitigated. But IT environments, threats and risk tolerance evolve over time. To be truly effective, a cybersecurity program must continually improve to address gaps in the cybersecurity program. There’s good news. Both the National Institute of Standards and Technology and Energy Department’s Cybersecurity, Energy Security, and Emergency Response group provide cybersecurity frameworks and maturity models as guidelines. Whichever is chosen, the more focus placed on cybersecurity — across all functions — the better the outcomes will be.
5. Establish a culture of cybersecurity awareness
Technology alone can’t drive cybersecurity maturity. The entire agency must commit to a multifaceted security program acknowledging the cybersecurity risk posed by employees and contractors. Fifty-two percent of respondents to the survey cited uninformed or careless insiders, including contractors, as their top threat. That’s why agencies must work on building their security culture. Instilling common sense in the workforce around what to look out for, best practices and what to do in certain scenarios can make a significant difference in an agency’s security posture.