The new principles of information security in the public sector

One of the key trusts the public places in government, and pays taxes for, is confidence in the availability of secure services. That includes everything from the energy grid to drinking water to public infrastructure, all of which are critical to our everyday life and affect, indeed enable, billions of dollars of economic activity.

Information security in the public sector is thus not something each government entity manages as part of its IT focus. It is a fundamental activity a government must own, for two reasons. Firstly, the potential economic cost of a successful high-profile attack in a connected world is the equivalent of an economic nuclear attack. The Shamoon virus attack on ARAMCO, Saudi Arabia’s most valuable company, which controls 10% of the world’s oil production, rattled global markets. Secondly, any economy that seeks to court foreign investment on a large scale needs to do so supported by a national and citizen services infrastructure that is robustly resilient to cyber warfare. In the competitive world of investment flows, a good national cyber security strategy allows you to win.

Any government that invests intelligently in public sector information security does not simply protect the government; it protects the entire nation. Between actual information security investments and governance and policy, it creates the ecosystem that protects not only public sector departments and entities but also the supporting, interlinked verticals of finance, trade and services.

But this increasingly pivotal focus for governments arrives at a time when attackers are at their most sophisticated and lethal. Cyber security on a national scale is so far behind them that it is not a problem, it is an epidemic. A successful approach to cyber security means not just adopting a series of infrastructure investments but understanding and subscribing to new principles of information security in the public sector.

These new principles of information security in the public sector, once understood, will help public sector organizations and governments establish the right risk posture by focusing on the right security priorities:

·       Adopt dynamic security lifecycle governance: Security needs to be policy based with annual governance. Establish – Analyze – Decide – Respond – Insight should govern security postures.

o   Establish: Understand where you are now. Understand where the threat landscape is, fully understand the spectrum of solutions and their principles, and then assess and understand the full range of threats based on your network, server, edge, core and access topologies.

o   Analyze: Get a real-time view of what is happening. This means gleaning insights in real time from disparate log data, multiple analytics techniques and contextual awareness derived from data as it becomes available. Focus on identifying breaches before they become damaging. Classify incident severity in real time.

o   Decide: Decide the response based on two things: 1. Business impact. 2. The level of stakeholder collaboration needed. (For example, if you need to change network fundamentals, you can't take that decision in isolation.)

o   Respond: Initiate countermeasures. Fix damage. Ascertain the success level of the attack. Adjust infrastructure, policy and parameters to avoid a repeat attack.

o   Insight: Use predictive analytics to go beyond knowing where you stand. Combine this with security intelligence from leading providers while contributing your learning to them, add your lessons learned, and proactively adopt the safest posture possible. This phase must be calendar year milestone based, and it should focus on insights, not just tactical information.

·       Compliance is the frontline: There is a direct relationship between improved cyber security performance and strong but fair regulators enforcing an ecosystem in which governance, risk and compliance is a key component of a company’s performance scorecard. A healthy compliance culture leads to more secure public sector entities.

·       Security via the cloud: The days of staying away from the cloud because of security issues are gone. The trend of moving to the cloud because of better security will now begin. The fact is that major cloud providers like Amazon, Google and Microsoft simply have the financial, intellectual and deep learning capability needed for context-based security that public sector governments, even with their vast budgets, do not. The cloud is now more secure than on-premises, and public sector companies need to balance data sovereignty concerns and make the move.

·       Real-time threat assessment and escalation with 24/7/365 monitoring: A security operations center dedicated to active and continuous data threat monitoring is a best practice for the public sector. This must be combined with big data capability so that continuous monitoring, assessment and escalation of threats for human intervention is done on a real-time or near-real-time basis.

·       Focus on identity and access: Most enterprise security breaches happen with employees. However, the public sector is showing a contrarian trend. Breaches attributed to current and former employees are down 8%, while breaches attributed to contractors and third-party consultants and workers are up 13%. Advanced authentication techniques that are multi-factor in nature and combine on-premises and cloud work best.

·       Mobility is the modern Trojan Horse: Bring Your Own Device has improved satisfaction, productivity and usability. But it has made security harder. Some of the most sophisticated malware and hacking techniques focus on mobile. It is the fastest-growing segment targeted for cyber warfare. Advanced authentication delivered from the cloud needs to be combined with physical security, device management, app-based security and content security.

Information security in the public sector is an arms race with extremely sophisticated opponents, some with the full power of nation states behind them. Never has more been at stake, as everything in the public sector from the energy grid to smart government gets connected. It is critical that public sector entities understand the new principles around which this fight can be won.

