In our final installment of this series, we conclude the government resilience journey with best practices to get started.
This blog series is based on a webinar with Government Technology, where cybersecurity experts from Iron Bow and GuardSight discussed how governments can build resilience through whole-of-state cyber tactics and what this method looks like in practice. Speakers included Kevin Finch, Senior Director of the Global Security Practice at Iron Bow; Nelson Moe, Sales Strategy Principal for SLED at Iron Bow and former CIO of the Commonwealth of Virginia; and John McGloughlin, Founder of GuardSight, Inc., an Iron Bow company that specializes in cybersecurity-as-a-service.
Overall, there are four critical best practices to get started on a whole-of-state cyber resilience journey:
1. Find a guide to help you on the journey
2. Conduct a comprehensive cyber resilience assessment
3. Create a cross-functional team across the right domains and government levels
4. Roll out a time-phased roadmap and think of your government’s primary outcomes
Find a Guide
The first step is to find a trusted guide, whether it’s the right cybersecurity framework, a state counterpart, or a third-party vendor, to help you get started.
NIST Cybersecurity Framework
When starting with a risk-based approach, you need to understand what your agency’s risks are and how grave the impact of each would be. These activities fall under the “Identify” function of the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
“This goes back to understanding your unique risk at your unique government level,” said Finch. “You must be able to imagine if you’re vulnerable how will somebody exploit you? Take what is already working and expand that. Then make sure you’re accounting for and addressing the vulnerabilities that exposed you in the first place.”
Conduct a Comprehensive Cyber Resilience Assessment
Identify your technical and non-technical (i.e., workforce) points of failure. Again, start with the business outcomes of your agency and work backwards to identify the essential people, processes, and technologies involved in each outcome.
One of the most effective tools here can be a vulnerability assessment to identify, evaluate, and gain a report on flaws and weaknesses. This is where leveraging a guide or team of experts, like GuardSight, can help in conducting the threat assessment and reporting on key risk indicators and vulnerabilities.
Coming to terms with your agency’s flaws and vulnerabilities requires not only getting real and honest but also a strong desire to take cyber adversaries head on. “You’ve got to want to engage and attack the enemy,” McGloughlin said. “The SecOps business is an always-on business. You need to rise to the level of aggression to combat those threat actors. Speed and attitude will be your friends.”
Create a Cross-Functional Team
Given that cybersecurity is becoming more foundational to business and operational resilience, CISOs and cyber leaders of today are expected to be more well-rounded, with CISOs of the future having a deep understanding of the business outcomes of their respective agencies. Likewise, security itself is a shared responsibility between users, administrators and technical professionals. Getting a cross-functional team of stakeholders across the organization will help to ensure every vital business outcome and perspective is considered.
From there, conduct a Tabletop Exercise (TTX) with realistic scenarios. TTXs give stakeholders the opportunity to work through various scenarios to demonstrate and assess their cybersecurity risk management capabilities. They are designed to help cross-departmental teams examine their capacity and capability to plan for, respond to, and recover from a cybersecurity incident, and to clarify organizational roles and responsibilities.
“With tabletops, it’s not just the tactical teams you need to consider in terms of taking the enemy out,” McGloughlin said. “It’s all the other entities too, like legal. A TTX will help you flesh out every scenario and how you can work through an attack.”
Agencies should also consider the technical component. “From an engineering perspective, true resilience can start with a TTX to get stakeholders aligned, but it will also require end-to-end technical testing to ensure organizations can recover,” said Finch. “This includes patching, penetration testing, etc.”
Roll Out a Time-Phased Roadmap
Once you have found guidance, identified your agency’s vulnerabilities, and assembled a cross-functional team that has worked through TTXs, it’s time to roll out your roadmap to resilience. Begin with your government or agency’s primary outcomes. What are the most critical services that must remain running (e.g., critical infrastructure, public safety, online citizen portals)? Identify those business outcomes and work backwards from them to identify the points of failure. Then create a time-phased roadmap that reflects budgetary constraints, so you know which high-impact failures to address first.
“Maintaining confidentiality, integrity, and resilience is integral from every point of view including the reputation of government itself,” Moe said. “You need to ensure your services are available at the speed and access of modern retail because time and tide of technology wait for no one.”
The Journey Completion
Ultimately, resilience is comprehensive, and it is achievable when governments work together through whole-of-state cyber approaches. Despite the resource constraints and many hurdles facing governments, it can be done.
Find your trusted guide to help you with the path and process; from there, you can achieve government resilience through whole-of-state cyber tactics.
Ready to take the next step on your cyber resilience journey? Reach out to our team of cyber experts at firstname.lastname@example.org.