The Four Pillars of Cybersecurity: How Does the Government Measure Up?

Learn the four key pillars of a good cyber strategy: governance, training, budgets, and innovation in this post.

From personal data on millions of individuals to national security secrets, state and federal government agencies have suffered significant data breaches over the past few years. A recent Dark Reading article reported on these breaches, noting that while these agencies had fewer breaches and exposed fewer records than the private sector, the type of information lost posed greater risks for victims.

With so much at stake, how well is the government protecting vital data? Eighty-five percent of respondents in a MeriTalk survey of 150 federal IT executives said that in the past two years the urgency to prevent cyber threats has grown. Approximately 80 percent said that the sophistication and frequency of these threats have also increased. Despite the sense of urgency, only one in three IT managers gave themselves an “A” regarding their agency’s cybersecurity posture.

ID Experts Proven Response: Federal Government Capabilities Statement

The Four Pillars of Cybersecurity

MeriTalk identified four key areas—so-called “pillars”—of a good cyber strategy: governance, training, budgets, and innovation. Only 24 percent of respondents said their agency includes all of these in their cyber strategy.

  1. Governance – Do Your IT Objectives Support Your Cybersecurity Goals?

An IBM SecurityIntelligence article on creating a cybersecurity governance framework noted that governance is critical for addressing both the current and future security needs of an organization. Among other things, a governance framework should include improving security policies and implementing technical controls, as well as continually focusing on emerging threat factors and the rapidly evolving “technology landscape.”

Respondents in the MeriTalk survey said that internal governance efforts were more successful than government-wide mandates. For example, only 37 percent believe that the Cybersecurity National Action Plan (CNAP) was very effective. However, 78 percent of the agencies that rated their cybersecurity posture as an “A” said their governance efforts are very effective.

  2. Training – Employees: Your Weakest Link or Strongest Defense?

Federal IT managers said that training is the number-one cybersecurity component that agency leadership should prioritize. In fact, they estimate that 43 percent of cyber breaches could be prevented with better employee training. This problem is mirrored in the private sector; half of all healthcare data breaches were caused by internal problems, such as unintentional employee actions, according to the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data.

A recent ITProPortal article outlines three factors of successful awareness campaigns [1]:

  • Establish a benchmark for measuring the current level of awareness, the desired outcome, and the best delivery mechanism based on a company’s culture.
  • Continuously engage users and focus on interactions.
  • Present the material in an engaging way, perhaps using content created by marketing and design experts.

“Regardless of the approach taken, the only certainty is that the attacks will keep coming, and users, far from being a lost cause, will continue to find themselves on the security front lines and must remain ever-vigilant against adversaries who are looking to exploit their mistakes,” the article concluded.

  3. Operationalizing Budgets – Where Does Your Money Go?

Despite an increased budget in 2017, only 53 percent of agencies surveyed have a cyber scorecard to help them “prioritize and evaluate areas for additional investments.” Michael Johnson, CIO of the Department of Energy, said his agency uses its DOE Cyber Strategy to decide where investments are needed. “If we get one more dollar, we already know where we need to invest that,” he said at MeriTalk’s Cyber Security Brainstorm in Washington, D.C. in September.

  4. Innovation – Are You Thinking Outside the Box?

Only 29 percent of feds rated their “agency’s push to incorporate more innovation within their cybersecurity strategy in the past two years as ‘very effective.’” Agencies that graded their cybersecurity posture as an “A” were three times more likely to rate their innovation efforts as very effective, noting improvements in cybersecurity analytics, risk assessments, governance, training, operationalizing budgets, and more. Survey respondents said that increased employee feedback, budget, and collaboration would drive cybersecurity innovation.

Training: The Most Important of the Four Pillars

Survey respondents noted that employee training was the weakest link in their cybersecurity programs. It’s no surprise, then, that 57 percent of federal IT managers cited training as the most critical step for improving their agency’s cybersecurity in the next two years—more than 20 percent ahead of other important steps.

Threats from without and vulnerabilities from within make cybersecurity a critical priority for both government agencies and the private sector. As the MeriTalk report points out, training is key; at the same time, security experts should implement cyber scorecards to help with budgets and provide a collaborative environment in which innovation can flourish.

[1] This article differentiates training from awareness. Training gives users basic skills for responding to potential security threats, whereas user awareness training is more generic and helps users better identify potential threats.