Share with Your Network
Threat actors are gaining momentum in the public sector worldwide. Ukraine’s government-military sector saw a debilitating 196% increase in cyber-attacks within just a few days of Russia’s invasion in February. A malware attack in August forced Italy’s energy agency, Gestore dei Servizi Energetici, to shut down its IT systems to protect its data. And an Iranian hacker gang has been attacking the Albanian government for months in a sobering saga. In July, the threat actors launched ransomware and disk-wiping malware on key government servers and destroyed data, 14 months after they accessed the systems. By September, they leaked sensitive police data and targeted immigration systems, forcing cumbersome manual border operations. The incident has had far-reaching implications, affecting even Albania’s diplomatic ties with Iran.
U.S. public sector hit hard
In the United States, government agencies and other public sector institutions aren’t safe from cybercrime either. At least 2,323 local governments, schools and healthcare providers were impacted by ransomware in 2021. Adding to the challenge is the number and diversity of local governments: More than 90,000 different local governments operate in the U.S. alone, making it harder to establish a unified, nationwide security strategy.
Because citizens rely so heavily on government, education and healthcare, the cyberthreats aimed at them have prompted public agencies’ security leaders to look for more effective ways to combat them. A year ago, for instance, the Cybersecurity Infrastructure and Security Agency (CISA) issued Binding Directive 22-01, requiring public organizations to focus remediation efforts on active exploits listed in the agency’s catalog. Though this prescriptive strategy doesn’t quite accommodate every organization’s unique environmental makeup, the directive reflects a much-needed shift among security organizations toward risk-based vulnerability management. Public and private security leaders are now facing the challenge of implementing big changes to future-proof operations against the most alarming threats on the horizon.
A CIO with a big fix list
Collin Boyce is one such leader. Security Science podcast host Dan Mellinger sat down with Boyce, former Chief Information Officer (CIO) for the City of Tucson in Arizona to discuss what it takes to turn impossible ideas into meaningful results. In the episode How CIOs Get Things Done, Boyce brings a unique perspective after having successfully launched extensive projects with Kenna Security’s risk-based technology and shares practical tips that make a daunting future seem much more manageable.
Boyce turned up in Tucson with his own kind of fix list–one that called for new initiatives and the determination to get them done. It was a winning combination. During the COVID pandemic, his team planned to connect citizens to wireless internet and jumpstart a smart city initiative. Within three and a half months, they provided reliable internet connectivity that could support up to 32,000 households— a daunting process that could have taken two years. Among other feats, Boyce’s team leveraged the $5 million dollar budget to cover 150% of the plotted square miles. With smart city funding, this network could connect traffic signals, buses, air quality sensors, cell phone services, and even live-streaming body cams.
How security leaders can marshal big changes
With risks and stakes rising on the cybersecurity battlefront, maintaining resilience while adapting to new industry demands like the CISA directive can feel overwhelming. In this episode, Boyce breaks down his top tips for approaching big projects that can help industry leaders prioritize and align their teams around securing the future. Here’s a quick breakdown:
Point to the big picture. Boyce’s efforts in Tucson built a foundation for future innovations. He chose to work with contractors, vendors, and a team who believed in the impossible project and shared a vision for a connected future. Building security resilience in today’s age of unpredictability means corralling efforts around changes that future-proof our most vital sectors.
Break it down. Rather than going straight for a smart city takeover, Boyce started with the smaller goal of city-wide wireless connectivity that could later be built upon. Leaders can break down major projects into specific and measurable goals that their teams can achieve.
Start with success. Like a warm-up before a workout, ease your team into big changes by creating momentum with small, easy wins right out the gate. Wins that are attainable often build on familiar systems that enable progress. And one way to achieve success early on is to…
Work with what you have before jumping to reinvent the wheel. For the Tucson team to get 70 to 80 percent of the network up and running, they took advantage of existing infrastructure and utilized its full capacity. In the future, smart city features can be integrated into the city’s wireless connectivity, giving taxpayers more bang for their buck.
Unite stakeholders and teams with a shared vision
We’ve got heart eyes from how poignantly Dan Mellinger reflects this advice on Kenna Security’s (and now Cisco’s) risk-based vulnerability management solution. CIOs get things done by looking at the big picture with a top-down view, breaking projects into measurable and achievable chunks, and building momentum with what works. A risk-based approach also starts with a top-down view. An optimized, unified platform views assets and risks with granular visibility and breaks risk down into clear metrics that teams can use to prioritize efforts and achieve meaningful wins in security resilience. An open, integrated platform eases the transition and works with what you have by utilizing existing investments and fitting right into any environment. And with better measurement and communication of progress, stakeholders outside security can mobilize around a shared understanding of risk and make the kind of informed decisions the public needs.
To discover more about how Collin Boyce worked his way up through the ranks from engineer to CIO and launched Tucson’s wireless project, check out Security Science’s episode, How CIOs Get Things Done.
Explore more public agency security resources
With government agency threats on the rise, public sector security leaders are searching for more effective and efficient ways to manage (and lower) risk. We’ve gathered together some expert insight and key resources to help lay the groundwork for a more resilient and secure future. Explore these resources, designed specifically for public agencies.
And be sure to check out the most recent webinar featuring Jerry Gamblin, Director of Security Research at Cisco, as he unpacks Why Risk-Based Vulnerability Management Brings Clarity to Public Sector Security Chaos.
