Organizations across the public and private sectors on any digital transformation journey need to balance innovation, risk, opportunities, and desired outcomes. In our next installment of this series on the resilience journey, we’ll discuss why whole-of-state cyber resilience tactics require service-based approaches. This can dramatically improve not only cyber posture but also overall business continuity and service delivery to constituents.
Resilience in the public sector involves focusing on a holistic, outcomes-based approach to overall operational resilience. This approach includes an organization’s people, processes, and partners. Consequently, cyber resilience will serve as a critical foundational layer to any organization’s mission and overall strategy.
In a webinar with Government Technology, cybersecurity experts from Iron Bow and GuardSight discussed how governments can build resilience through whole-of-state cyber tactics and what this method looks like in practice. Speakers included Kevin Finch, Senior Director of the Global Security Practice at Iron Bow; Nelson Moe, Sales Strategy Principal for SLED at Iron Bow and former CIO of the Commonwealth of Virginia; and John McGloughlin, Founder of GuardSight, Inc., an Iron Bow company that specializes in cybersecurity-as-a-service.
Pairing Whole-of-State Tactics with Resilience
Likening Resilience to Martial Arts
What does whole-of-state resilience look like when put into practice? Overall, it can be likened to martial arts: the ability to survive even in the face of an attack and prepare for the next. Agencies must adequately prepare for the worst from cyber adversaries and know how they’re going to keep services online regardless of an attack.
“When I think about resilience, I think about adequate posture,” said McGloughlin. “It’s the ability to terminate threat actors when they hit your environment, and the speed at which you can do that. It’s also identifying your critical assets and how you monitor and protect those effectively. Likening it to martial arts, you need to be able to survive. Determine what it takes for survival and then you go on the attack.”
The Pillars of Resilience
According to Finch, agencies should understand the following resilience pillars and their operational impact, and have each of them in place:
- Disaster Recovery Plan
- Business Continuity Plan
- Crisis Management Plan
- Cyber Resilience Plan
- Supply Chain Security
- Physical Security Plan
“The first thing is to think about a broad cybersecurity plan,” said Finch. “From the engineering perspective, there are multiple aspects to resilience including disaster recovery, business continuity, crisis management, and so on. Cyber is pervasive across all those fields. Whole of state comes in by offering a common security baseline among these different entities. With this baseline, you have to evolve it into a life cycle approach where it’s happening continuously, like patching and penetration testing.”
You Can’t Go It Alone
Resilience and whole-of-state pair well together also because of their emphasis on partnership and comprehensive approaches. “Whole-of-state resilience enables state agencies to scale visibility and protect their assets,” Moe said. “Whole-of-state also emphasizes partnerships at different levels along with private and public sector partnerships to mitigate security threats.”
Ultimately, the end goal of the resilience journey is an organization being able to recover its services rapidly and seamlessly after an event. “That’s why whole-of-state is so popular,” said Moe. “It addresses multiple needs across the spectrum. These needs include increasing demand for digital government services, limited funding in cyber, workforce retention challenges, etc.
“A successful resilience journey means you have reporting and compliance in place and a deep understanding of the processes and people it takes to recover. It also takes a deep commitment from suppliers and third-party vendors who are ready to help in your time of need. You can’t go it alone.”
Moving Towards a Services-Based Approach
By starting with the services they deliver, agencies can better ensure those services are secure and reliable, using an outcome-based cyber resilience mindset. This approach includes the following benefits, according to Moe:
- Breaking down the silos between security, technology, and business sectors
- Addressing and aligning various sector incentives to achieve mission and business outcomes
- Optimizing technology and security investments for the biggest bang for the buck
The current public demand for new services means agencies must move away from a traditional gap analysis by starting with the outcomes. “From an outcome perspective, leadership at the top is usually focused on education outcomes, hiring outcomes, tax outcomes,” said Moe. “Start with the end in mind. Don’t just worry about individual technology investments but worry also about your people and supply chain too.” Drive to eliminate any single points of failure.
How can agencies start making the move towards a more services-based approach?
- Start with the desired organizational outcomes.
- Identify where partnering with a service provider can help you realize immediate benefits, i.e., cost-effectively augmenting internal staff skills and filling technology gaps, or accelerating digital transformation.
- Determine if it’s a comfortable investment (8-10% return) compared to what you stand to lose. This makes it easier to gain approval of funding.
- Think about “Plan B” contingencies and have an exit strategy.
Stay tuned for our last part of this blog series where we’ll tie it up with best practices to get started on implementing whole-of-state cyber resilience.
Ready to take the next step on your cyber resilience journey? Reach out to our team of cyber experts at guardsightcyber@ironbow.com.