Government agencies, like all organizations, face significant challenges when it comes to cybersecurity. Yet they are at a greater disadvantage than the private sector. Generally, government budgets are tighter, departments are smaller, and security is more likely to be an afterthought than in business. In addition, the severe shortage of security skills throughout the industry hits government particularly hard; people with such a hot skillset are hard to attract and even harder to retain with government’s lower wages.
Despite these challenges, expectations are high; people expect government to run. Most agencies and municipalities have their hands full just keeping the lights on and the phones running so they can provide health and safety services, manage the 911 system, provide permits and meet other basic needs of their communities.
Unfortunately, the bad guys are getting more effective at causing harm, by leveraging machine learning to automate their attacks so they can easily do more damage with fewer people—and they know the government sector is an easy target. The recent infiltration of more than 20 government agencies in the state of Texas, leveraging a vendor that was breached, is just one chilling example of the dangers we are currently facing.
The fact is, government has not been able to effectively keep up with the attackers. The G2G Marketplace is an online procurement center that helps government agencies, including states, counties, cities, townships, courts, schools, libraries, police departments and fire departments, utilize technology solutions and services more quickly to serve their citizens better. This unique online store experience, created by Oakland County, Michigan, is helping governments take a huge leap forward in their cybersecurity efforts.
G2G Helps Government Agencies Save, Scale and Serve
On G2G Marketplace, government agencies can research and purchase tried and tested technology solutions selected through a standard procurement process using generally accepted purchasing practice and guidelines and receive pre-negotiated blanket purchase agreements. This simplifies the process of finding solutions, shortening the timeframe and reducing cost and resource requirements. In addition, it enables agencies to share resources and best practices, which also reduces cost, improves service and improves scalability and resiliency.
When I was CISO for Oakland County, Michigan, we ran about 8 security projects a year (not all of which required a technology solution), and at least three RFPs. Each RFP received 10-15 responses, which we normally boiled down to three, requiring greater detail and on-site discussions, before making our final selection. The RFP process could take 500 man hours, equating to a considerable amount of dollars just for labor. By the time we actually chose the solution, it had been six months or more.
The problem with this is that once the security team realizes there is a problem, it takes 6 to 9 months to get to a solution. When the bad guys find a vulnerability, on the other hand, they can attack right away. Obviously, you need to have a solution available when the need arises, not 6 months later.
G2G Marketplace shortens that process significantly, saving money, time and resources, and undoubtedly providing better outcomes. You can leverage it to understand your gaps and vulnerabilities; design your program; monitor; and remediate issues.
How Government Agencies Can Improve Cybersecurity Leveraging G2G
G2G Marketplace provides numerous solutions and services to help you assess your situation, develop your strategy, integrate solutions and manage your cybersecurity efforts going forward.
Assess Your Current Situation
Government organizations need to first understand where they are vulnerable. You can use G2G’s approved solutions and services to help design a program; identify and address vulnerabilities on your website, hardware or software; understand where you have gaps; and improve your organization’s cyber security maturity level.
There are two basic ways to find and tackle issues. One is to take a programmatic approach; the other is to focus on technology. Both are important to do.
The programmatic approach involves using a common framework, such as NIST, to drive toward a framework maturity level by identifying gaps, determining which are the most pressing, and building a roadmap to get your cybersecurity program where you need it to be. Using the CMMI capability maturity model as an example, you determine which level each control within your organization currently is, as follows:
Most government organizations are level 1 or 2, and I typically recommend they strive to become level 3, as that is the highest level most government organizations can reasonably hope to achieve given the support and resources they are usually provided.
You can find a variety of solutions on the G2G Marketplace to help you determine and improve your maturity level. One of these available frameworks is CYSAFE, which we built in Oakland County in 2014 by taking parts of three other frameworks (CIS20, NIST and ISO 27000) and molding them into one specifically designed for government agencies. CYSAFE was built on three variables: cost to implement, time to implement, and current risk of not having a solution in place via an algorithm based on current maturity. It has been downloaded in all 50 states, more than 1000 times.
The second way for you to understand your current situation is to find solutions or services that assess your technology footprint. While this is not as comprehensive as the programmatic approach, it is quick and practical. Once you find out where your vulnerabilities are, you can take immediate steps to remediate those. If you find that you have an unpatched server, you can patch it that day. If you find a web server with an open port, you can close it. You can reduce risk significantly, right away.
It’s important to conduct a vulnerability scan to find high, medium and low issues. My rule of thumb is to resolve high vulnerabilities as soon as possible – within 48 hours. Medium vulnerabilities could become a project; as you work toward resolving those, one change can fix 500 vulnerabilities. Address the low vulnerabilities as time permits. It typically takes a year to work through those.
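The rule of thumb above can be turned into a remediation plan directly from scanner output. The sketch below is an added example, not part of the original article or of any G2G tool; the findings, host names and remediation labels are constructed, and `build_plan` is a hypothetical helper.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HIGH_SLA = timedelta(hours=48)  # the 48-hour rule of thumb from the text

# Constructed sample findings: (host, severity, remediation, time found).
FOUND = datetime(2024, 1, 8, 9, 0)
FINDINGS = [
    ("web01", "high", "patch-web-server", FOUND),
    ("db01", "medium", "disable-legacy-tls", FOUND),
    ("db02", "medium", "disable-legacy-tls", FOUND),
    ("app01", "medium", "disable-legacy-tls", FOUND),
    ("app01", "medium", "rotate-default-password", FOUND),
    ("kiosk7", "low", "remove-server-banner", FOUND),
]

def build_plan(findings):
    """Split findings into urgent fixes, ranked medium projects and a low backlog."""
    urgent, backlog = [], []
    by_fix = defaultdict(list)
    for host, severity, fix, found in findings:
        if severity == "high":
            # High findings get a hard deadline 48 hours after discovery.
            urgent.append((host, fix, found + HIGH_SLA))
        elif severity == "medium":
            # Medium findings are grouped by the change that resolves them.
            by_fix[fix].append(host)
        else:
            backlog.append((host, fix))
    # Rank medium remediations by how many findings a single change closes.
    projects = sorted(by_fix.items(), key=lambda kv: len(kv[1]), reverse=True)
    return {"urgent": urgent, "projects": projects, "backlog": backlog}

if __name__ == "__main__":
    plan = build_plan(FINDINGS)
    for host, fix, due in plan["urgent"]:
        print(f"HIGH   {host}: {fix}, due {due:%Y-%m-%d %H:%M}")
    for fix, hosts in plan["projects"]:
        print(f"MEDIUM {fix}: closes {len(hosts)} findings")
    for host, fix in plan["backlog"]:
        print(f"LOW    {host}: {fix}")
```

Ranking the medium findings by shared remediation is what surfaces the single change that closes many findings at once.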
When you introduce new processes and software, or change your configuration in any way, you introduce new vulnerabilities, so it is important to continuously scan your new applications and technologies. In fact, it is important to do an external penetration test and a vulnerability test once a year. Once again, G2G offers many options to address your current situation in terms of your technical vulnerabilities.
Develop Your Strategy and Plan
Once you have a clear picture of your organization’s situation, you need to determine what your priorities are in terms of remediating gaps, where you want to focus your resources and how you want to spend your time. If you have 3 different endpoint security solutions, you may consider reducing the solution to one. To develop an effective strategy, you must look at your organization as a whole, understand the controls you have, consider what your business needs and how you can best achieve that. It is helpful to know what your peers are doing, what works well to achieve the outcomes you desire, and what existing options are ideal for you.
When you don’t have resources, you need to get creative. And you have to be extremely practical. Here’s a tip, courtesy of my time at Oakland County: Make sure you fully understand the features of the solutions you already own before you buy something new. Most people buy tech and only use a portion of the feature set, never realizing what they have. For example, a company may have Check Point firewalls but has not configured an intrusion prevention system. Check Point has an easy add-on to current firewalls to give you that capability. Buying that is clearly a better financial option than buying a whole new suite of solutions and needing to integrate it. In short, consider finding a partner of G2G who can look at your technology footprint and figure out how to leverage your current investments for significant improvements. You can spend a little to get a lot.
Integrate Your Solutions
Integrating solutions is often viewed as a “to do,” something you can just check off your list. However, integrating solutions is an important step that is often overlooked. In my time at CBI helping numerous companies improve their cybersecurity, I have realized just how often the importance of integration is underestimated, at great cost.
You can buy tech, but if you don’t turn on the right settings, you’ve wasted your money and perhaps created more risk. At best, you haven’t solved your problem. Worst case scenario, you’ve created a far worse situation. Just owning the technology often gives people a false sense of security; they don’t realize it hasn’t been integrated into the environment correctly. Tuning is critical for new products—it only costs time and materials for a security engineer.
For a small cost, you can have a G2G peer-recommended partner that is well-versed in various technologies handle the integration, or at the very least come in and tune it. They can help ensure you effectively integrate your detection and prevention controls into more of a platform type of security. They can help integrate endpoint protections with perimeter preventions. They can help you improve/build your security program. You may do these types of integrations occasionally; experts like us do them all the time, and we know exactly how to help you get the most from your investments.
Manage Your Security Efforts
Most solutions are not “set it and forget it.” They have to be monitored and upgraded. When they set off alarms, you need to take action on those alarms – quickly. Someone needs to be dedicated to making sure the solutions work. Someone must constantly monitor and respond to alerts and alarms. Both detection and prevention tools need to be tuned. Someone needs to know, among all the noise, which alerts indicate real problems.
For example, say you are monitoring credit card data within the organization. Credit cards have 16-digit numbers, so any email with a 16-digit number will cause an alert. It could be an account number, not a credit card. Someone must determine which alerts are false alarms. Someone needs to monitor logs, filter out the noise, analyze the data, find false positives, and take action based on service levels, including notifying you when something is truly awry. Many government agencies simply do not have the resources to do the necessary analytical work themselves.
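Part of that false-alarm triage can be automated, because payment card numbers carry a Luhn check digit that most account numbers will not satisfy. The sketch below is an added example, not part of the original article or of any product named in it; the sample message is constructed, `triage` is a hypothetical helper, and 4111 1111 1111 1111 is a widely published test card number.

```python
import re

# 16 digits, optionally separated by single spaces or hyphens in groups of four,
# and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)\d{4}(?:[ -]?\d{4}){3}(?!\d)")

# Constructed sample email body: one internal account number, one test card number.
SAMPLE = ("Invoice for account 1234567812345678. "
          "Customer paid with card 4111 1111 1111 1111 yesterday.")

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def triage(message):
    """Classify each 16-digit match as 'likely_card' or 'likely_false_positive'."""
    results = []
    for m in CANDIDATE.finditer(message):
        digits = re.sub(r"[ -]", "", m.group())
        verdict = "likely_card" if luhn_ok(digits) else "likely_false_positive"
        # Keep only the last four digits so the alert itself does not leak the number.
        results.append(("*" * 12 + digits[-4:], verdict))
    return results

if __name__ == "__main__":
    for masked, verdict in triage(SAMPLE):
        print(masked, verdict)
```

Roughly one in ten arbitrary 16-digit numbers passes the checksum by chance, so this shrinks the analyst's queue rather than replacing the review.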
Managed services may be just the ticket for government agencies. G2G Marketplace offers many capable managed service providers to help you monitor your ongoing operations.
Respond to Incidents
Responding to incidents requires a variety of skills, some of which government organizations may not possess. For example, if you want to prosecute an attacker, you have to conduct proper forensics. Government agencies may not have the resources or the experience with prosecution to do that themselves. The state of Michigan has an IT forensics shop, but not many other organizations can justify their own forensics practice. Other municipalities may leverage forensics through a sheriff’s department, but they are busy working criminal cases in their jurisdiction.
G2G Marketplace offers services from partners with the deep knowledge necessary to:
As G2G Grows, Government Gets Stronger
G2G Marketplace continues to grow. It currently serves almost 1000 government organizations in the U.S. and beyond, helping them serve their citizens more cost-effectively.