After a year on the frontlines of pandemic-driven digital transformations, such as remote work, federal tech pros are hoping for a return to normal operations. But a new study — the SolarWinds IT Trends Report 2021 — suggests, although tech pros are confident with their WFH/remote work policies, agencies are at a critical inflection point as this confidence could create complacency or lead to security failures.
Rather than potentially fall behind, here are five steps government agencies can take to combat security apathy and proactively manage cyber risk when we emerge from the pandemic.
- Acknowledge Security 101 is everyone’s responsibility
It’s easy to think about security as an add-on or expect ownership to sit with a discrete security team. Unfortunately, those perceptions no longer reflect our world.
Security 101 demands security to be every employee’s responsibility. Most of the risk is produced by human behavior, and tech and non-tech employees must think of themselves as part of the extended security team.
As such, IT teams must examine current processes and deploy solutions providing complete visibility into all systems, so hidden risks can be identified and mitigated. Even small changes like faster upgrades and patches and multi-factor authentication can improve security postures.
For non-tech teams, not being “blind” to risk means practicing basic cyber hygiene (password etiquette, cautious file sharing, avoiding public Wi-Fi, etc.). They must also understand the security implications of investments flying under the radar of IT, such as Software-as-a-Service and other shadow IT procurements.
- Foster greater alignment between IT and organizational leadership
As cyberattacks become more frequent and consequential, senior IT leaders are taking notice. For example, the SolarWinds report (which surveyed public and private sector technology practitioners and business leaders), found 63% believe it’s not a case of “if” but “when” a risk factor will impact them. However, a third of these leaders have difficulty convincing other leaders of this reality, limiting resources to address risk.
This is problematic because investment in risk management and mitigation technologies takes time and needs guidance. To help agency leaders make informed decisions about policies and technologies, government tech pros must speak the “language of the business” and present proof points, such as facts and figures, to gain senior buy-in. They must also pinpoint the impacts should the game of risk not go in the organization’s favor. Bringing consequences and mission impacts to life for those not in the IT trenches can drive strategic conversations between IT and organizational leaders.
- Normalize risk aversion
Risk exposure is never OK. Yet, the SolarWinds survey found 47% of respondents said their organization had medium exposure to enterprise IT risk over the past 12 months. Security breaches were the top macro trend impacting risk (71%), followed by the accelerated shift to remote working (69%).
Although respondents feel their existing risk mitigation and management policies/procedures are sufficient, agencies must adopt a mentality in which even small levels of risk are unacceptable.
Tech pros and the IT community at large must normalize a sense of risk aversion.
This starts with understanding that security compromises will happen. Agencies should also implement the right technology and engage in tabletop exercises to measure effectiveness. These principles will help them more fully prepare to defend against risk as the threat landscape expands.
Ultimately, to minimize risk exposure, technology and business leaders must collaborate to ensure policies and risk procedures are continually updated and enhanced in lockstep with the evolving threat landscape.
- Prioritize skills development
IT professionals are no strangers to certifications — but only if these qualifications support larger strategies and initiatives, such as cloud computing and cybersecurity. Tech pros should feel empowered to push back, when appropriate, and ask how specific certifications or training map back to the organization’s priorities. This also underscores the importance of IT teams learning the “language of the business.” Tech teams need to communicate what form of training can bring value to the organization, so senior leaders can prioritize skills development more strategically.
- Improve employee engagement
To combat security apathy among non-technical employees, agencies must go beyond tactical methods like regularly training them to change their passwords. Organization leaders should point out the business impact of a cyberattack, particularly the disruption employees will experience at work as the agency works to manage the crisis. Cyberattacks can also impact them personally. If personal data such as Social Security numbers or bank information is breached, the consequences can be severe. Agencies must engage their employees and highlight these risks —then follow through with security guidelines and recommendations.
Brandon Shopp, Group Vice President of Product, SolarWinds.
Leave a Reply
You must be logged in to post a comment.