Strategies to drive better outcomes from existing security programs
Last year, modernization initiatives for state and local agencies could be largely categorized as fast, reactive decisions to keep operations running during the pandemic. However, today CIOs and CISOs need to take a step back to consider larger questions around the security implications of those decisions.
But some security practices deliver more measurable security outcomes than others, says Wendy Nather, head of advisory CISOs for Cisco’s Duo Security, citing new research findings.
“A lot of agencies are having to go back to basics… Sometimes the basics mean just having an inventory, knowing what your processes are, knowing who your custodians are or redoing your incident response plans in light of what you’ve learned in the last year,” says Nather, in a new podcast. “It’s not simple, and it’s not easy, but it’s very much worthwhile doing.”
Nather says findings from a recent security survey can help organizations, regardless of their budget situations, identify which practices are likely to deliver the greatest security improvements. The Security Outcomes Study surveyed nearly 5,000 IT, security and privacy leaders from 25 countries, to gain a clearer picture about which practices correlate to statistically better outcomes for organization.
“By that I mean, not just avoiding getting hacked, but other good outcomes like minimizing unplanned work, recruiting and retaining talent, working well with your peers and meeting compliance regulations,” explains Nather, in this podcast, produced by StateScoop and underwritten by Duo Security.
Among other findings, the survey found that IT leaders which proactively refreshed their technology as a practice, and worked to integrate their technology, showed the highest corresponding levels of security outcomes.
When agencies can’t afford to refresh their technology stack?
Nather acknowledges that budget constraints can still leave leaders struggling to determine the best security strategy for their organization. That’s particularly true for those in the public sector, where “being a good steward of taxpayer dollars means using something for as long as you can until it stops working until it falls over. And then you go to the legislature, and you ask for more money because it is broken.”
There are still many practices agencies can put in place that will lead to statistically significant outcomes, she says. She suggested, for example, establishing deadlines for vulnerability remediation and setting policy controls around the health of devices in order to access government resources.
“Now that people are working from home, you can’t necessarily scan endpoints in the way that you used to,” explains Nather. But there are security solutions that set dynamic policies around parameters to establish device trust.
“You can set a policy that says, ‘Hey, look, you’re behind on your software patching, please update your software; or please use a lock screen; or please encrypt your disk. If you want to access our resources, we have certain requirements that you have to meet,’” quips Nather.
Creative security strategies from other public sector organizations
Nather also points to creative security strategies she has seen enacted at the state and local level. For instance, she cited how one agency that outsourced its security operations center opted to also retain a dedicated contractor, who reported to the agency, “to deal with the fact that there are so many security requirements that are very hard to specify.”
“If you can re-architect things to make them more flexible, easier to continually refresh and less dependent on stacks…that can be a great help,” she says.
But if you really can’t do anything else, Nather says sometimes taking certain projects, such as a multi-factor authentication implementation, and rolling it across the enterprise can deliver big outcomes for not a lot of investment.
Listen to the podcast for the full conversation on how state and local agencies can get more out of their existing security practices. You can hear more coverage of “IT Security in Government” on our StateScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.
This podcast was produced by StateScoop and underwritten by Duo Security.
Wendy has over 30 years’ experience in IT operations and security. Before joining Duo Security, she served in a number leadership positions in both the public and private sectors, including IT security roles at UBS and the Texas Education Agency and as a research director at 451 Research.