Far too many government entities simply lack the resources and expertise needed to keep pace with the velocity of cybersecurity threats.
It is safe to say that public- and private-sector enterprises will see their cybersecurity risks and exposures continue to increase in the foreseeable future.
More organizations are interlinking their mission and business performance to the internet through digital services, transactions and websites. According to research from Accenture, 90% of business leaders say that internet-enabled initiatives are among their top three priorities.
Contributing to this concern is the internet of things phenomenon, in which everything from medical devices to air fresheners is becoming “smart” and internet-enabled. Accelerated by the transition to 5G cellular wireless networks, the fast-growing IoT market will dramatically increase our collective exposure to cyber threats. Industry analyst Gartner projects more than 20 billion installed IoT devices in 2020—more than three times the number of devices installed in 2016.
The growth of these initiatives, combined with the aggressiveness and improved tradecraft of hackers, is creating new and persistent cybersecurity challenges for public- and private-sector organizations alike around the globe.
Our research shows that while the layers of protection designed to keep cyber intruders out are working, they are no longer enough to dodge the increasing and multifaceted threat of cyberattacks. So, in a world where everything—including critical infrastructure—is connected, how do we think about and approach cybersecurity differently?
We can start by examining the source of the cybersecurity challenges that many agencies have today. Many agency chief information security officers have cited financial constraints, the lack of enough staff, challenges in recruiting and retaining security personnel, and inadequate expertise in the security staffs that they do have as key issues. In other words, far too many government entities—especially those that are small and budget-constrained—simply lack the resources and expertise needed to keep pace with the velocity of cybersecurity threats. Even larger, well-funded agencies struggle to stretch cybersecurity budgets across the demands of compliance, basic cyber hygiene and cyberdefense. For example, a Senate investigation concluded that eight large agencies, despite a combined security budget of over 8 billion dollars, are still “coming up short to protect their core assets.”
We can see the results of this in a 2018 report by the Office of Management and Budget and Homeland Security Department, which found that three out of four federal government agencies have cybersecurity programs considered either at risk or high risk. And a 2018 Government Accountability Office report found that federal agencies have not yet implemented roughly a thousand recommendations it has made, dating back to 2010, to improve federal cybersecurity.
For these agencies, there must be a viable path forward to obtain robust cybersecurity protection and services. From our perspective, successfully securing government systems means addressing the cyber poverty line: the gap between the cybersecurity haves and have-nots. The haves are those organizations with the financial resources and talent to invest and secure their systems. The have-nots are often small- and medium-sized agencies that support government and industry but do not have the resources necessary to fully address threats. Given that we are only as secure as our weakest link, how can we erase the cyber poverty line in government and set an example for the commercial sector to follow?
One option is managed cybersecurity services, which can help dramatically advance cybersecurity objectives in a cost-effective manner. With managed cybersecurity services, organizations can access robust cyber threat detection and response services that effectively address current and future cyber threats.
Managed cybersecurity services enable agencies to harness the latest threat intelligence, automation, orchestration and artificial intelligence technologies, along with the expertise to architect and operate those capabilities, to deliver dramatically improved security postures, incident response times and resiliency in a cost-effective manner.
As with federal adoption of commercial cloud services, government organizations will need to gain trust in the model of managed cybersecurity services by following a "crawl-walk-run" approach. This will allow them to develop at their own pace, with a clear understanding of how the model delivers value to meet their specific risk-management needs. We believe this trend is inevitable, for many of the same reasons that agencies moved to the cloud—for its modern, elastic and secure features.
Traditional methods for establishing robust cybersecurity services across all corners of government are simply not keeping pace with the increasing complexity and speed of the threat landscape. Given the resource constraints many agencies face today, it will take innovative thinking and cutting-edge capabilities to help ensure that government organizations are not left vulnerable.
Gus Hunt is a cybersecurity strategy lead for Accenture Federal Services.