Cybersecurity resilience: Empowering government CISOs

Advancing technologies enable improved citizen communication and resource management for governmental organisations through digital services and digitisation opportunities

However, this surge in the uptake of technological innovation also introduces a significant challenge: increased risk of cybersecurity threats such as ransomware.

Cybersecurity resilience in the digital era

As our reliance on interconnected systems grows, so does cyber-attack vulnerability. Malicious actors exploit weaknesses in government networks, software, and hardware, targeting sensitive data, critical infrastructure, and personal privacy.

In this ever-evolving digital era, it becomes increasingly crucial for chief information security officers (CISOs) working at the heart of governmental organisations to address and mitigate these cybersecurity risks to ensure adequate data protection and cyber resiliency.

The growing threat of hackers for hire

A recent report from the National Cyber Security Centre has predicted that the number of “hackers for hire” is set to grow over the next five years.

This illustrates the increasingly high-level threat cybercrime poses to the UK’s economic and social growth. With the attractiveness of strategic assets from government agency data becoming a growing commodity for cybercriminals, it is vital to ensure that public sector organisations can recover and run smoothly for Britain’s economic and social benefit.

Increasing priority of cybersecurity in the public sector

Furthermore, a government report in 2022 shows 77% of businesses now see cybersecurity as a high priority, an increase of 12% since 2016. The data points to an undisputable need for readiness at the helm to deliver a rugged and robust security posture as ransomware attacks continue to evolve and grow.

Striving for a more secure nation

The UK government is keenly aware of the scale of looming cyber threats. It has already taken steps to clarify and refine UK data protection legislation post-Brexit by reducing EU red tape and introducing the UK Data Protection and Digital Information Bill in March of this year.

Removing red tape should slimline the data protection process for UK government agencies and firms with UK-only operations; however, catching up in the race against perpetrators already taking advantage of network holes is still a real challenge.

Governments and their respective security leaders need to look at how they can best collaborate with the private sector to protect the front door and everything behind it.

The UK 2022-23 budget revealed that a total of £2.6 billion will be invested in cyber and legacy IT, of which cybersecurity is critical. An extra £37.8 million is being allocated to address the cybersecurity obstacles confronting local councils to safeguard crucial local services and data.

While this significant financial investment is a welcome development, it’s only the beginning of endless possibilities to innovate Britain’s cybersecurity ecosystem. The question is, how can the public sector effectively implement these initiatives?

The answer lies in decision-makers’ mindset towards improving Britain’s cybersecurity standard.

Where a CISO sits in the organisation and whether they are adequately resourced are statements on how competently an organisation is identifying and managing cyber risk. Many organisations in the private sector are aware of this, and government agencies can learn from their cross-sector peers.

Reinforcing the defence capabilities of CISOs

CISOs are best placed to provide strategic-level guidance for their organisation’s cybersecurity programme to maintain compliance with cybersecurity policy, standards, regulations, and legislation. However, a hurdle many organisations encounter is hiring senior executives to provide cyber risk management advice and adequately support the CISO role.

Cyber risk is not a problem to be fixed but a condition to be managed. Government agencies must avoid repeating the mistake of dismissing cyber risk management as purely an IT challenge and instead see it as an area of ongoing innovation for the whole organisation.

The keywords in the CISO’s title are ‘Information Security’, but unfortunately, CISOs are generally not responsible for data backup and recovery. To create and maintain holistic cyber protection, CISOs need the same powers as COOs to move throughout a public sector organisation, allowing them complete visibility of how data is transferred and stored.

Security leaders need to be able to answer critical questions such as “Do we know where all of our personally identifiable information is located?”, “Do we know who has access to it?”, “Do we have adequate strategies to manage it?” and “Do we know when someone is accessing it and who shouldn’t be accessing it?”

CISOS need to be given the authority to ensure government agencies have a clear ransomware recovery position and to oversee and maintain an adequate data backup infrastructure while anticipating and understanding emerging threats to cybersecurity as well as taking responsibility for checking that an organisation and its employees are well educated and trained on best-practice cybersecurity.

Implementing such objectives will tighten access and defence for data and create cyber resiliency.

Building a resilient digital security ecosystem

The UK government has made the growing threat cyber-attacks pose to the economic and social stability of the country clear. Britain’s cybersecurity leaders must have the tools to address the increasing and evolving cyber-attack risk.

In the current challenging cloud-first environment, granting CISOs clear visibility into their organisation’s internal data flow can facilitate identifying areas to enhance data protection, security infrastructure, and protocols. This enables them to anticipate threats and implement protective measures before a breach of the system’s boundaries.

 

This piece was written and contributed by Barry Cashman, Regional RVP UKI, Veritas Technologies