A recent paper by Cynergy Partners titled Cybersecurity Opportunities for the Public and Private Sectors highlights some of the key cybersecurity accomplishments and investments of the Biden administration in the U.S., and lays out recommendations for how to modernize and improve cybersecurity for government agencies, suppliers, as well as private companies that participate in this supply chain.
While the paper addresses the near-term challenges highlighted by recent breaches like SolarWinds Orion, Hafnium, and DarkSide ransomware, it focuses primarily on the opportunities to enact the transformational technology and organizational changes necessary to harden the nation’s infrastructure and protect against future attacks.
The research is timely given that a recent Sophos-commissioned survey by Vanson Bourne indicates that 74% of central government organizations experienced an increase in the number of cyberattacks last year, and 40% were hit by ransomware.
Interesting findings in the paper include summaries of major milestones, including the Executive Order initiating a cybersecurity review of the nation’s supply chain, as well as the US Congress’s approval of $2B in IT and security modernization and personnel funding for GSA, CISA, and the Digital Service through the American Rescue Plan Act of 2021.
The report also includes insights and actionable recommendations across a number of key areas:
More Secure Supply Chains
- The paper dives into the supply chain issues apparent in all business and government operations today and the breaches that take advantage of holes in that chain. The authors suggest tighter management of the supply chain, including potential government regulations and auditing to ensure vendors develop and supply secure code and maintain a secure supply chain of their own.
- This suggests and supports the need for Sophos’ recently announced Adaptive Cybersecurity Ecosystem, which enables secure integration between products, between products and the cloud, and between products and third-party integrations. An integrated system that secures integrated systems.
Innovation and Modernization
- The US government plans to modernize technology and cybersecurity through additional funding from the $1B investment in the Technology Modernization Fund (TMF) and the $650M investment in the Cybersecurity and Infrastructure Security Agency (CISA). The paper suggests innovation investment in context-based visibility, secure cloud implementations, data analytics, and scalable operational enablement and prevention. Visibility and analytics have been a challenge in the cybersecurity space, but with the advent of shared data lakes that collect valuable insight from security controls, analyze that data, and enable adaptive threat response, Sophos and its partners can offer innovative synchronized security solutions to these issues.
- The research also recommends accelerating the migration of applications, data, and services to SaaS and other cloud models in order to enable today’s new remote working models and to modernize infrastructure and technology, which further reduces risk. This includes a proposal that the government and its private-sector suppliers move to a Zero Trust Network Access (ZTNA) model as quickly as possible.
- Lack of cybersecurity expertise is a major challenge for government organizations, with 62% of IT managers saying cyberattacks are now too advanced for their organization’s IT team to deal with on their own (source: Sophos). The authors recommend filling open cybersecurity leadership and operational positions in the government with entrepreneurs and operational technology experts from the private sector. This excellent idea is somewhat challenged by the current lack of IT cybersecurity expertise, as indicated by the 33,000 currently open IT positions in the government and 470,000 IT positions open in the private sector. This is a challenge that is not going away, and a great opportunity for MSP and MSSP service providers to deliver managed threat detection and response services to government and private industry organizations that do not otherwise have the skills.
- This is also supported by the paper’s recommendation that the government needs to enhance its cybersecurity capabilities to better monitor, detect, and respond to threats, utilizing innovative cybersecurity technologies across agencies and its suppliers.
Compliance and Certification
- The paper recommends requiring government and private sector adherence to clear cybersecurity standards, compliance regimens, and product certifications, especially for government suppliers. This suggests that cybersecurity vendors, partners, and their suppliers should focus on getting compliant now with key initiatives like FedRAMP, NIST, ISO, and CMMC.
To learn more, read Cybersecurity Opportunities for the Public and Private Sectors.