Public sector agencies need smarter ways to improve their cybersecurity posture and meet the increase in cyber risk from mass telework.
But building a stronger cybersecurity framework — and aligning resources more effectively — requires greater security awareness and engagement between both IT security teams and leaders across major lines of business, says Sajed Naseem, chief information security officer for New Jersey Courts, in a new report.
The report discusses the shift of the CISO’s role to focus more on business risks and the need to find the right balance between mitigating risk against completely securing systems. Finding that balance depends on the business case and will require better data-driven insights.
In Naseem’s experience, security leaders who are able to define a metric for cyber risk are often more effective at demonstrating the ongoing value of security to agency executives. For example, by establishing a baseline to define risk or focusing on the speed of incident closure, not just the incident count, he says.
Why agencies need a cybersecurity framework
Agencies that struggle to build a holistic cybersecurity framework can probably trace problems back to not being able to clearly communicate the business risk of security to decision-makers within the organization, Naseem says.
Among the many priorities of an agency, organization leaders need to be able to address areas of risk that are most important. Those risk areas are the ones that support the continuity of the mission, support the security of critical assets, support positive growth and reduce liabilities.
By building a framework with stakeholders outside the security team, CISOs are able to both ensure buy-in from agency executives and also clearly understand the organization’s most vulnerable systems as it relates to those leaders, Naseem says.
Agencies should lean on guidance from resources like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). NIST CSF creates a common, quantified risk measurement for all government agencies. This removes subjectivity to help an organization manage cybersecurity risk more systemically.
Taking actionable steps
The effort to establish better risk management practices requires a framework that clearly defines language across the organization and involves key stakeholders. The report explores five areas that that leaders can focus on through this process:
- Step 1: Evaluate risks across the lines of business.
- Step 2: Ask the fundamental questions of key stakeholders.
- Step 3: Be ready to pivot to address new risks as needed.
- Step 4: Tap into leadership.
- Step 5: Move cybersecurity forward.
The COVID-19 pandemic tested the limits of many agencies’ cybersecurity posture. For Naseem and his team, the the challenges they faced during this time have reinforced why executive buy-in is critical for the success of their security program. When the crisis hit, New Jersey Courts quickly shifted priorities to address the surge in employees working from home because his team had laid a meaningful foundation with executives prior to the crisis.
In addition to a solid framework and leadership buy-in, agencies should look for modern governance, risk and compliance platforms to help drive decisions. Tools that provide a single, unified dashboard and update key metrics in real time are the best data-linked approach to help articulate the organization’s current cybersecurity posture, says the report.
Read more about stepping into a stronger cybersecurity posture and improving data analytics.
This article was produced by StateScoop and sponsored by Galvanize.