Cloud and mobile technologies have made it easier and more cost-effective for federal agencies to quickly deliver on critical missions. Yet, because these solutions are being used with greater frequency, they are broadening the attack surface and giving adversaries more potential targets.
For example, federal agencies are increasingly being pursued by bad actors seeking to attack or exploit the valuable, sensitive data they store. In fact, in the latest M-Trends report, government is now ranked as the third most-targeted industry, up from the seventh position in 2017.
A data breach or cyber attack can have a far-reaching impact on a federal agency’s operational performance. It could affect citizen data, causing loss of public trust, and may also result in agency leaders having to testify and defend their cyber procedures to Congress. There is also the risk of poor FITARA scores, causing tarnished reputations.
The Need to Validate Security Effectiveness
The simple truth is that good cyber governance is a “must have,” and that means federal agencies need tools that can measure and validate security effectiveness to help pinpoint risks.
Measuring cyber security is difficult; IT environments have become increasingly complex. Traditional operational metrics—such as cost and ROI—don’t translate to security goals. And focusing on KPIs such as incident numbers can lead to overlooking gaps.
Federal agencies must prove that their security investments are working the way they’re supposed to, including being able to:
- Continuously monitor and measure to ensure that security tools are working
- Leverage frameworks like the NIST Cybersecurity Framework to avoid overlaps and gaps in security infrastructure
- Validate cyber resiliency with data
For instance, many organizations believe their security investments are delivering expected value by protecting critical assets, but the reality is that they have already experienced a breach without knowing it. And did you know that on average, 80% of tools are misconfigured, leaving them underutilized at default settings?
That’s why federal agencies require empirical evidence of how effective their security controls are at protecting them against an attack. With this type of evidence, CISOs and department leaders can align more closely and better quantify cyber risk.
The good news is that there is a path forward to optimized security effectiveness. Good cyber hygiene starts with creating more alignment between CISOs and other agency leaders, coupled with ongoing, quantified measurement and monitoring of security.
Continuous validation of security effectiveness ensures ongoing cyber resiliency, no matter how the IT environment or attack landscape changes.
Learn more about quantifying security effectiveness by downloading our 2020 Security Effectiveness Report.