
Cyber Resilience Is Not the Same as Disaster Recovery. Here’s Why That Matters.

When it comes to cybersecurity, there’s a perception across government that we must prevent everything. This can be a dangerous perception and an impossible goal to achieve.  

In this cyber landscape, it’s impossible to prevent ALL future cyberattacks. For example, in 2021, nearly four in 10 public sector organizations globally said they had experienced a ransomware attack within the past year, according to a Sophos cybersecurity survey. And attacks on government agencies are often more likely to succeed. At least 69% of local governments hit by an attack reported that cybercriminals had successfully encrypted their data, a success rate that’s 15 percentage points higher than the average for all organizations. 

Not only must governments address evolving cyber threats, modernize vulnerable legacy systems, and meet growing expectations around digital services, they must do this amid budgeting and staffing shortages. Given government budget cycles, it is impossible to keep spending in step with evolving attack vectors.

Given that reality, how can state and local governments be better prepared for when a cyberattack occurs? The answer lies in building cyber resilience through a holistic approach to assessing and addressing potential single points of failure, including people, processes, and technologies. Not only is this a more outcomes-based approach, but because it focuses on business continuity and financial priorities, the benefits are much broader than acute disaster recovery or even preventative cyber strategies.

Cyber Resilience Is Not Disaster Recovery  

Cyber resilience requires a new mindset and a higher level of thinking than disaster recovery. While disaster recovery focuses on mitigating the impact of an event like a natural disaster, overall business and operational resilience ensures government can operate under all circumstances. Cyber resilience is a subset of that: it makes sure our controls operate and can recover in the event of a cyberattack.

Think of the outcomes that government leaders want to drive, regardless of the cyber threats or disruptions that take place: 

  • Ensuring uninterrupted constituent services
  • Keeping services online  
  • Little to no impact on staff or citizens 
  • Utmost security and protection of data 

However, governments are more at risk not because of security issues and lack of prevention or disaster recovery strategies in place, but because of resilience issues. Think about any time you’ve read a story about a successful ransomware attack. The problem not only boils down to a control issue, but it also represents a compromised data source that was critical in delivering services. Essentially, this data source was a single point of failure that should have been protected and resilient. Now is the time for governments to think more broadly about ensuring the resilience of their operations and business outcomes.

Can your government encounter a wide range of scenarios (e.g., the COVID-19 pandemic or a ransomware attack) and be able to continue delivering services to constituents with little to no interruption? How scalable and adaptable are your government operations considering cyber and non-cyber challenges? Or to put it more simply, can you take a hit in the mouth and keep going?

How to Shift to Proactive Cyber Resilience 

Ensuring resilience in the public sector involves shifting away from traditional myopic controls-based security measures and instead focusing on holistic, outcomes-based approaches to overall operational resilience. Ultimately, cyber resilience will serve as a critical foundational layer to that strategy.  

Here are three steps to get started: 

  1. Conduct a comprehensive resilience assessment. Identify your technical and non-technical points of failure. Start with business outcomes and work backward to identify the essential people, processes, and technology involved in each one. Then, identify potential single points of failure, such as a network vulnerability, security control issue, or a staff member with tacit knowledge of a key legacy system. This is where you may need to work closely with business counterparts to have an objective, holistic assessment to fully understand your enterprise and potential threats to operational continuity. From there, create a comprehensive organizational risk baseline and a documented policy of your organization’s risk tolerance.
  2. Create a cross-functional team. Given that cybersecurity is becoming more foundational to business and operational resilience, CISOs of today are expected to be more well-rounded, with the CISOs of tomorrow having a deep understanding of the business. They’re brought in to ensure business continuity and other outcomes that cybersecurity can affect. When assembling your cross-functional team, include the CISO, CIO, and any other financial or business stakeholders to help prioritize the impact of gaps or potential points of failure.
  3. Roll out a time-phased roadmap. Think of your government’s primary outcomes. What critical services must remain ongoing? Is it online services, critical infrastructure, public safety, etc.? Identify those critical business outcomes and work from there to identify points of failure. Then, create a time-phased roadmap that will reflect the reality of any budgetary constraints by addressing the most critical items first and progressing down the list. Which high-impact points of failure will you address first? This will help you build a more sustainable resilience strategy and strengthen your environment over time.

The benefits of focusing on comprehensive resilience are immense, including: 

  • Breaking down the silos between security, technology, and business sectors 
  • Addressing and aligning incentives across sectors to achieve outcomes
  • Optimizing technology and security investments to get the biggest bang for the buck 
  • Deeper understanding of the organizational business model to drive greater value by facilitating future optimization and re-engineering

Battle Tested: How VITA Kept Services Online During a Ransomware Attack

Significant parts of this methodology have been battle-tested. During my time at the Virginia Information Technologies Agency (VITA), here’s how we effectively leveraged cyber resilience to help the executive branch of the commonwealth of Virginia withstand many sophisticated attacks, including ransomware attempts.

First, we were willing to embrace a new and different approach. Our team brought in objective technology business and cybersecurity experts to identify single points of failure that were critical for business outcomes and to proactively mitigate them ahead of time. We also identified cybersecurity control gaps that were tied to delivering those critical business outcomes and addressed them. These included business weak spots like knowledge management gaps, outdated processes, and data sources that were single points of failure.

Secondly, at VITA, we focused on outcomes like critical constituent services, first. This helped us to keep services online even in the face of many attacks. The irony is because we focused less on prevention and more broadly on cyber and non-cyber points of failure in delivering the critical services, we were able to take a hit and keep going.

This is the first of a three-part series focused on cyber resilience. Tune in next week to learn more about courage and what it means to an enterprise risk strategy. In the meantime, you can read more about building a cyber resilience strategy here

Jonathan Xavier Ozovek was the Chief Operating Officer (COO) of the Virginia Information Technologies Agency (VITA) and Deputy CIO for Virginia. Under his leadership, the state dramatically improved time to market for new services, scaled best-in-class cyber security defenses, launched first-in-the-nation services, and achieved record customer satisfaction while simultaneously saving the Commonwealth over $200 million. In addition, Jonathan specializes in research, development, and innovation with focus in artificial intelligence, predictive analytics, and machine learning and holds patents across multiple industries. As an expert in Cyber Resilience, he invented the first Resilience as a Service (RaaS) Methodology. Additionally, he has designed systems ranging from a predictive commodity trading system to a medical device research and development Enterprise Program Management (EPM) system.
