Maturing Your Local Government Cybersecurity Program

I enjoy taking part in conferences and seminars that include IT and cybersecurity staff from diverse backgrounds, skills, and operating environments. By engaging and listening to different perspectives, insights on current and emerging issues critical to the delivery of an effective local government cybersecurity program can be evaluated, challenged, and addressed. This was particularly true for me during a recent semester long cybersecurity leadership course I took part in that included lively discussions on the challenges facing local government cybersecurity teams.

Let us start with one of the most frequently mentioned challenges - lack of funding. The rapid increase in attacks against local government agencies in recent years has raised the importance of cybersecurity to the board level. Increased attacks, along with rapidly escalating insurance costs and compliance requirements demand that organizations mature their cybersecurity program, and this requires ongoing funding and support. 

To gain an edge, instead of focusing on lack of funding, focus on developing a program that is in direct alignment with your agency’s risk profile. With the right program in place, spending becomes an investment decision well-supported by a framework, architecture, and strategic plan.

Complexity is another often cited challenge - after all, complexity is the enemy of security. But it does not have to be. 

The business functions and services local government IT portfolios provide are vast, often resembling that of a multinational conglomerate. Disparate systems supporting diverse business functions increases complexity. Sandwich complexity with modern issues like smart cities, hybrid cloud, Internet of Things, AI and machine learning, and the attack surfaces grow exponentially. 

Since the risk of a security breach in general accelerates at the same rate as complexity, it is not surprising to hear that complexity continues to be a major challenge. But complexity is all around us– if we can measure it, we can manage it. Leverage and apply enterprise security architecture principles and reference architectures that are in alignment with the goals and risk profile of your agency. This process does not have to be costly, difficult, or time consuming, but it does require commitment. 

Staff shortages are another problem often cited and understood among agency IT leaders. Your cybersecurity staff must have a broad range of enterprise domain, technical, analytical, and communication skills, and this often requires years of experience and training to develop. Cybersecurity staff in general work in a high-pressure environment where the stakes are high. A successful cyberattack can be severe, and this constant pressure can lead to stress and burnout. Most cybersecurity professionals love what they do, but, as a group, we are stressed, making it a strategic imperative leadership support efforts to mature the overall cybersecurity program. 

" Complexity is all around us– if we can measure it, we can manage it "

Lack of funding, complexity, staff shortages, and stress are not the only challenges cited, but as the “digitalization of everything” evolves, so too does the imperative to mature your cybersecurity program so that it can withstand current and emerging challenges. 

To start, assess your current maturity level with your agency’s goals and objectives. Focus on your weaknesses. This may seem overwhelming at first, but without this step you will not have a solid foundation for a successful program. 

Leveraging a risk-based cybersecurity framework like the well-known National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) can help. There are other frameworks like ISO 27001 and the CIS; however, the NIST CSF is quickly gaining favor in government agencies. Choosing to implement a Framework like the NIST CSF will allow your agency to:

● Assess and describe the current and targeted cybersecurity posture.
● Identify gaps in your current programs and processes.
● Identify and prioritize improvement opportunities using continuous and repeatable processes.
● Assess progress toward reaching your target cybersecurity posture.
● Demonstrate your organization’s alignment with nationally recognized best practices.
● Communicate cybersecurity posture in a common language to stakeholders.

It is important to remember that the NIST CSF is a framework, not a prescriptive standard, so leverage it to mature your program in steps that directly align with your agency’s unique goals, objectives, and compliance requirements. By standardizing at the organizational level on the NIST CSF, you will set your agency up to better address and manage challenges. Added benefits include better cybersecurity insurance rates and more opportunities for grant funding. Increasing numbers of government grants now require a NCSR survey, directly modeled from the NIST CSF. 

If you have not begun examining the NIST CSF and how it can help mature your cybersecurity program, now is the perfect time to do so. 

With your assessment in hand, you can then develop a cybersecurity strategy and roadmap that includes the people, process, and technology needed to achieve your goals. Building and supporting a highly functioning cybersecurity program is like building a three-legged stool. It requires an ongoing commitment to people, processes, and technology, and all three must be in alignment to support the weight of the program. If one leg of the stool is lacking, the other two will not be able to support the weight, often leading to less than perfect outcomes. 

With the right architecture, framework, strategy, and a strong organizational commitment to support it, you will be well on your way to addressing current and emerging challenges and ever-changing threat landscape.