Adaptive Segmentationmicro-segmentation September 27, 2022

3 Challenges Federal Agencies Face When Implementing Modern Cybersecurity

Gary Barlet, Field CTO, Federal

Cybersecurity for the public sector matters because of the information it keeps.  

The U.S. federal government collects the personal information of almost every citizen. And federal agencies hold valuable data, some of which could put the country in danger if it was released. 

The federal government has many initiatives competing for resources, but it is vital that cybersecurity is prioritized to protect the citizens they serve. 

Federal agencies must prioritize modern cybersecurity strategies 

Agencies like the IRS or Social Security Administration keep information on nearly every citizen of the United States. That's information that they are obligated to protect.  

And with that personal information, a bad actor can imitate anybody they want. This makes identity theft a major concern. 

In today's age, where so few things are done in person and we live much of our lives online, it's easy for hackers to cause significant harm to an individual. You hear stories of people having their mortgages taken over and their bank accounts cleaned out. These are life-altering actions that can occur just based on the information the federal government keeps.  

Beyond the people they serve, there are serious cyber risks that can impact agencies directly.  

If a federal law enforcement agency’s tactics, techniques, and procedures get uncovered, a bad actor can work to circumvent them. This impacts these agencies’ missions by allowing fraud, waste, abuse, and crime to continue – and weakens the United States’ defenses. 

3 challenges federal agencies have in updating cybersecurity strategies 

It’s easy to acknowledge that cybersecurity is a vital concern for the public sector, but implementing new initiatives can be difficult. The federal government faces unique challenges when doing anything new, and this includes cybersecurity.  

Money

Federal agencies frequently struggle to get the budgets they ask for. This leaves them with few funds to maintain their current initiatives, much less new ones. 

And new technology can be expensive. Agencies know that cybersecurity is important, but the technology it takes to accomplish their needs is often out of reach. This is made worse by the costs of hiring additional staff or recruiting security experts who could help drive security initiatives forward. 

Resources 

The cybersecurity industry is facing a talent gap: The number of those with cybersecurity skills is far less than the number of open security jobs.  

It’s already difficult for the federal government to compete with private industry for limited resources. Filling cybersecurity roles is no different. The public sector is losing the race for cyber talent because it can rarely compete with the pay, benefits, and career advantages offered by private sector organizations. 

Because the talent pool for the public sector is so small, agencies hold on to the employees they do have. This means agencies are often understaffed with little time for skills training or tech innovation.  

Employees' attention is solely focused on maintaining legacy security systems, and agencies lag in modern security strategies. It’s tough for agencies to break this cycle – even with unlimited funding, they would still compete with private industry for new hires.  

Mindset 

This cyclical challenge leads to a lag in the public sector's mindset about cybersecurity.  

Low turnover, few skills training opportunities, and a small hiring pool for federal jobs makes it easy for a traditional – and outdated – understanding of cybersecurity to stick around. Decades-old security technology that only protects a network’s perimeter hasn’t evolved to match today’s dispersed, hyper-connected networks.  

Every security professional must have an “assume breach” mindset. It’s inevitable that a cyberattack will breach the perimeter, and security teams must have a plan in place to stop an attack from devastating an entire network. 

However, even the strategic leaders in federal agencies struggle to update to modern cybersecurity needs. They have insight into the rapid pace of private industry’s security initiatives but are simply unable to execute them due to the public sector’s inherent constraints. 

Without new security strategies entering the federal government via robust hiring or better funding, legacy approaches and systems remain in place as a necessity. Antiquated security is better than no security at all, but major shifts in the public sector’s mindset on cybersecurity must take place. 

Federal security mandates can help agencies evolve  

Mandates like Executive Order 14028 and the new CISA Strategic Plan 2023-2025 do have a positive impact on changing mindsets and getting updated cybersecurity initiatives in place.   

Security teams in federal agencies can use these mandates as backup in the fight for security funding and resources. With a mandate to point to, the request for a new security initiative isn’t simply best practice or the security teams’ opinion. The request has teeth, a solid foundation to justify its need, and can be used as budget justification to Congress.  

The public sector is moving towards Zero Trust security 

The good news? It's hard to find someone who works in cybersecurity in a federal agency who hasn't at least heard of Zero Trust and knows it’s important. That’s the first battle – and it’s largely been won.  

Zero Trust is becoming common vernacular and the direction most agencies are taking on their path towards modern, updated security. They’re finding that Zero Trust security strategies like Zero Trust Segmentation are much less cost and time prohibitive than they once thought.  

Illumio can help lead this transition towards a more robust, modern security posture in the federal government. With the Illumio Zero Trust Segmentation platform, federal agencies can prepare for inevitable breaches and protect citizen’s data proactively.   

Learn more on our Federal Government Cybersecurity page.

Adaptive Segmentationmicro-segmentation
Share this post: