As cyberattacks targeting the public sector continue to grow in ferocity, Paul Heath, Regional Director, UK&I Public Sector, McAfee, outlines why more agile and effective purchasing structures are required.
Every component of an organisation’s IT infrastructure, and every new digital process it introduces, can represent a risk to its security. Whether enabling secure application development, network management to spot malicious activity, or threat intelligence feeds on the latest evolution in malware, each of the solutions offered by the many hundreds of security technology companies in the market plays a role in securing organisations against an increasingly diverse threat landscape.
Even with the best security solutions available, however, organisations may still find themselves vulnerable to attack, a fact which has led many IT and organisation decision-makers to consider that technology itself isn’t necessarily the solution. When purchased as a tactical resource to meet a specific requirement, without strategic planning and senior sponsorship, technology won’t deliver the business outcomes the organisation needs.
It’s becoming increasingly clear though, with the cyber attacks targeting the public sector continuing to grow in ferocity, that the safety and privacy of all citizens are dependent on implementing greater cyber security.
Many public sector organisations struggle with strategic planning for IT and security resources.
Despite operating on very tight budgets, for example, many organisations are being encouraged by the Government to invest in digital to provide end-users with a more seamless experience. However, as the public sector faces a climate of cuts and increased costs, IT purchasing will often happen when something is needed, as opposed to being part of a long-term, strategic process.
What’s more, a number of public sector organisations have very formulaic purchasing structures, which only allow for tactical purchases, prohibiting IT leaders from delivering the strategic cyber security solutions needed to provide the defences their organisation needs.
By only reviewing elements of its cyber security on a point-by-point basis, for example, when the respective contracts come up for renewal, an organisation will be unable to deliver a holistic plan to secure against modern, evolving threats. Neither will it be able to take advantage of the changing supplier landscape, and the greater vendor integrations and partnerships allowing fewer gaps in coverage.
With no silver bullet available for mitigating the numerous diverse threats faced by organisations today, IT teams are required to purchase a series of separate solutions. While this is an essential and natural part of security, it means new technologies will often be bolted on to existing solutions as and when the need arises. Such an approach can leave gaps between technologies, however, which could be exploited by a determined cyber criminal.
In a bid to address this, many cyber security vendors are now forming partnerships that enable the integration of disparate solutions to provide the widest cover possible. When building defences piecemeal, however, it is difficult for IT teams to take advantage of this collaboration and purchase a package that offers such comprehensive cover.
It also takes a great deal of time and effort to manage a number of disparate solutions and, with limited resources available to do so, it is essential that organisations deploy those employees with cybersecurity skills to deal with the more complicated threats. With seamless security in place, however, this talent can be freed up to spend more time on work that will add greater value to the business.
Furthermore, the immense drive across the public sector to “go digital” isn’t always accompanied by a holistic review of the new challenges to securing organisations and their data that might be introduced as a result of this digital transformation.
A number of central and local Government departments, for example, are moving towards cloud-based services, investing in Office 365, Microsoft Azure and Amazon Web Services. In many cases, however, the rush to adopt a cloud-first model isn’t being accompanied by an overarching company-wide strategy that considers the new security and privacy risks being introduced by this approach.
At the same time, NHS Trusts are preparing to move entirely to electronic patient records, while the boom in connected medical devices, many of which have been shown to contain serious security flaws, is introducing a vast number of vulnerable endpoints to hospital networks.
It is crucial therefore that, alongside such significant digital disruption to their core processes and operations, organisations throughout the public sector consider whether similar disruption to their cyber security strategies and procurement structures is necessary for greater security. It’s important for them to acknowledge, however, that to achieve this, their IT team cannot act alone.
Given the structural challenges faced by IT teams when purchasing technology, there is a crucial need for senior business leaders to review existing processes and sponsor a more strategic approach to an organisation’s cyber security.
A significant investment may be required to bring an organisation’s defences into line with what’s needed to face today’s evolving threat landscape. As well as purchasing new solutions, time will be required to plan and implement any changes from both a technical and a cultural perspective. This can only be achieved with the support of an organisation’s senior leaders, however. When resources are tight, and with services undergoing considerable digital disruption, convincing the board of the need for structural changes and investment won’t be easy, even with the backing of a senior sponsor.
IT leaders need to work closely with their senior sponsor to demonstrate the risks to the organisation, as well as the benefits of taking a more strategic approach to the purchase of cybersecurity solutions. Making the board aware of the key strategic, financial and organisational benefits they will enjoy by taking responsibility for their company’s cyber hygiene will give IT leaders the opportunity to show the value of a clear strategy in today’s cyber threat environment.
Take the step
It’s time to stop thinking of cyber security technologies as the sole solution to modern cyber threats. Even the best technology on the market can only become an effective solution when it’s strategically planned and deployed, following buy-in from the entire business. For this to happen, however, business leaders must make sure that it’s on their own and their board’s agenda.
It’s important for business leaders to understand that they must ensure not only that technology purchasing is as productive and cost-effective as possible, but also that the security team is able to purchase and deliver defence solutions that will assure the security of their organisation’s sensitive information and the undisrupted delivery of its essential services.
While many business leaders may not feel qualified to lead on shifting the cybersecurity strategy in their organisation, the National Cyber Security Centre (NCSC) provides guidance on improving cyber hygiene and taking a more strategic approach to cyber security. This resource delivers learnings and practical counsel sourced from NCSC partners, including McAfee.
As the threat landscape continues to evolve and grow in sophistication, cyber security can’t afford to carry on as “business as usual”. Public sector organisations must take a step toward rejecting legacy purchasing models in favour of more agile and effective purchasing structures. Only by doing so can they equip themselves with the comprehensive defences they need to take arms against an ongoing onslaught of cyber threats.