Public Sector Security: Making the Case for Going Risk-Based

Even in the wake of catastrophic security breaches, mounting risks, and increasing unpredictability, public sector entities remain slow to evolve. Keeping pace with this elevated threat landscape means moving quickly and modernizing traditional IT environments, something the public sector isn’t too well known for. But as the risks rise in severity and sophistication, streamlining and strengthening security operations is becoming less of an option and more of an inevitable. 

ESG survey reveals a risk-based movement 

Late last year, the Enterprise Strategy Group (ESG) released some illuminating survey findings which shed light on how the current cybersecurity climate is impacting real security and IT professionals in the wild. Senior Principal Analyst & ESG Fellow Jon Oltsik shared these findings in Security Posture and Hygiene Management.  

According to the report, nearly 70% of respondents said maintaining a healthy security posture has become more difficult in the last two years thanks to expanding attack surfaces and environmental complexity. And with an overwhelming set of challenges plaguing vulnerability management programs (keeping up with the volume of open vulns, automating key processes, and syncing disparate data from different tools topped the survey charts), security leaders are eager to find ways to stem the tide.  

But there’s an emerging faction of professionals (29%) who depend on risk-based vulnerability management tools for data-driven vulnerability prioritization, workflow automation, and increased efficiency between Security and IT teams. This data supports a larger shift in the cybersecurity space towards a risk-based approach. CISA’s Binding Directive 22-01 is the latest indicator of a broad push for smarter, more efficient vulnerability prioritization and remediation. 

But even with a risk-based evolution on the rise, public sector security leaders are often faced with possibly their biggest challenge: getting organizational buy-in. 

Making the business case for risk-based vulnerability management 

As security leaders work to champion their initiatives, those at the helm of public organizations are forced to craft an airtight argument for risk-based vulnerability management that beats back any cumbersome red tape or nay-sayers competing for resources. To help with this effort, we’ve put together our top recommendations for pitching a risk-based approach to public sector stakeholders. 

Know what you’re working with. Having an honest and in-depth understanding of your security posture is the first step to meaningful improvement. Speak with department leaders, boots-on-the-ground team members, and cross-departmental employees involved in key security operation workflows to unearth vulnerability management inefficiencies and opportunities for improvement. But it doesn’t all have to be negative; identifying strengths paints a balanced picture of your security posture.  

Once you’ve exhausted an internal review, attempt to get a lay of the competitive landscape. Find out how your peers are performing within their vulnerability management efforts. Take the first step by completing the Benchmark Survey, a four-minute questionnaire designed to shed light on how your cybersecurity practices stack up against your competitors focusing on maturity, structure, process, and budget.  

Build risk-aligned allies. Finding influential people that are interested in building organizational resilience will help drive your risk-based agenda. Future-focused individuals will understand the mission-critical capability needed to navigate future threats and will advocate for the steps and funding to achieve it.  

Recent data may help boost your search efforts. Gartner recently released a handful of cybersecurity predictions, and one of the more stark statements forecasted that by 2025, 70% of all CEOs will develop a culture of organizational resilience to weather future threats including climate change, global and political unrest, and increased cybercrime.   

Outline a winning approach. While each public sector entity is unique with differing budgets, priorities, and employee talent, the core principles of a successful pitch for risk-based vulnerability management remain the same.  

• Keep it simple and research-backed. Draw clear connections to overarching goals and department objectives. Include qualitative and quantifiable data to back up your proposal (the recent ESG survey is a good start). And use clear, universal language free of jargon so that anyone can understand it, regardless of their background. This is not the time to flex your expert vocabulary. 
• Consider business, economic, and stakeholder risks. Going risk-based means understanding even the risks of embracing a new approach to vulnerability and risk management. Call out risks, dependencies, and mitigating controls for the business, the economic impact, and the stakeholders involved. Ensure these align with the organization’s appetite for risk. 
• Include alternative approaches. Winning arguments acknowledge other strategies so the imperative for action can be easily emphasized and any concerns assuaged. Craft alternative options according to tiered budget constraints or limitations (including a “do nothing” option).  

Ready your organization for whatever comes next 

If it feels like public sector security is under more scrutiny than ever before, it’s because it is. ESG reported that the public sector is one of the top targets for ransomware attacks, along with education, financial services, and healthcare. And this bullseye doesn’t come cheap. Just last year, the cost of a public sector data breach rose 79%, averaging $1.93 million.  

One of Gartner’s more disturbing predictions indicates that the cost of future attacks may not be limited to dollars or data. Within the next three years we can expect to see human casualties as well, underscoring the rising ruthlessness threat actors are exhibiting. Use this not as a fear tactic, but a reality check. Threats are in fact becoming more threatening. 

The future success of your organization depends on your ability to make data-driven decisions swiftly and confidently, especially when the stakes are high. Ensure your organization is aligned around risk and able to prioritize the vulnerabilities that pose the greatest danger.  

For more data to help make your risk-based case, watch check out the Security Posture and Hygiene Management report.

This blog was originally written for Kenna Security, which has been acquired by Cisco Systems. Learn more about Cisco Vulnerability Management.