The challenges faced by public and private sector Chief Information Security Officers (CISOs) are very similar: both wrestle with skills shortages, the impending economic downturn and a growing threat landscape. Public sector CISOs, however, also face the enhanced scrutiny of spending reviews and looming budgetary cuts. So how can public sector security leaders fortify their environments in the most cost-effective way whilst fending off increasingly sophisticated attacks?
At a recent Telstra Purple public sector CISO roundtable event, security leaders shared their challenges, concerns and plans for overcoming adversity. This blog is informed by those discussions and shares some of the attendees' suggestions and successes. All contributors and their organisations are anonymised.
The evening's discussion covered a variety of burning challenges. Topics ranged from seeking the most cost-effective cyber security tools without compromising on protection, to suggestions on the most appropriate frameworks and how best to manage identified risks. This blog collates the thoughts and guidance offered by attendees, hopefully providing insight for the cyber security community, both public and private.
Effectively managing a shrinking (and scrutinised) budget
With it widely acknowledged that the economy is heading for what is now expected to be the longest recession on record, public spending is going to be under an even greater spotlight. If the last few years haven't been challenging enough for public sector spending, a new wave of spending scrutiny is on its way!
So how can CISOs get more for their money? And where should they draw the line of compromise between cost and protection? Contrary to the general view, a number of attendees felt that they were able to secure funding for specific initiatives. The tips shared amongst the group included making sure that business cases articulated the real benefits, and that there was a clear view of the outcome of the investment and what it would mean for the risk exposure of the business.
Views on vendor consolidation were mixed. Some attendees agreed that consolidating vendors where possible was advantageous, for example taking Microsoft E5 licensing and using the tools bundled as part of that package of services, whilst others felt this was too great a compromise, since some of the bundled tools might not meet the requirements of the business.
Attendees agreed that, although from a business continuity perspective it isn't always best practice to have all your tools and services with a single provider (an outage or compromise affecting that provider then affects everything at once), executives would not be willing to pay a higher price for technology and environment diversification. A CISO would need to make a strong case to management to dissuade them from a consolidated vendor and environment approach. Views on this varied across the table, and it was evident that the decision a public sector organisation takes will depend on the risk and exposure that an incident would pose to it.
Some attendees saw a potential solution in adopting more managed security services, particularly for technology such as SIEM.
Relying on a trusted third party that delivers a service rather than a specific set of tools meant that dependence on a single set of vendors or tools in a single environment could be diversified, although the managed service provider then becomes a dependency in its own right and needs the same scrutiny.
As is the case for both private and public sector organisations, the full costs, risks and benefits of such a decision need to be weighed up. Arguably this is something the public sector does well, given its mandate to run an open RFP process.
‘A great relationship trumps all’
Relationships came up in several areas of the discussion, from the importance of strong internal relationships within the organisation to supplier relationships and the value they can unlock.
When it came to internal relationships, CISO attendees felt that presenting clear, concise information was often aided by cyber security frameworks. Attendees felt that these frameworks enabled them to present decision makers with key metrics, to get buy-in from peers, teams and executives, and to identify and bring key influencers on board. Which framework to use was debated; it was eventually agreed that the framework had to be appropriate for the business, but that the real value lay in translating the framework into terms the business understands.
When talking about supplier relationships, one attendee was quoted as saying ‘a great relationship trumps all’.
It was a common view that organisations spent a long time formulating and crafting RFP documents for suppliers to respond to, and attendees were often frustrated when respondents failed to provide compliant or adequate responses. When suppliers listened and reviewed the organisation's requirements in detail, CISOs felt they were able to build a trusted relationship that delivered against their objectives and their vision for the security of their organisation.
It was also discussed that a business issuing an RFP needs to make sure it really understands the outcomes it wants; taking the time to articulate these clearly makes it far more likely that the business will get services that meet its requirements.
One attendee mentioned that an organisation's relationship with its cyber security provider could arguably be one of its most important supplier relationships, given the reliance that might be placed on it if the worst were to happen. We should all be working with trusted people that we can rely on in our hour of need! The group agreed that these relationships flourish best when the provider is integrated into the business, i.e. more of a partnership model than a supplier/customer model.
How are the public sector dealing with skills shortages?
Attracting and (arguably more importantly) retaining talent was a key differentiator between the public and private sector for attendees. It's worth noting that whilst all our attendees were from public sector organisations, many have experience of working in the private sector as well, so are well positioned to make an informed comparison.
All participants agreed that it was extremely difficult to compete with the private sector on salaries. Despite campaigns around graduate and apprentice programs, one CISO noted that approximately 80% of candidates would receive training through these public sector programs and then move, with their newly developed skills, to the private sector to access higher financial rewards. It was debated and recognised that this may simply be something the public sector has to factor into its recruitment planning: recruitment might be easier, but retention might be harder.
Some participants were overcoming this by looking at a more experienced pool of candidates towards the end of their careers. Rather than seeking young, rising talent, it was suggested that more seasoned professionals might be driven by challenges more than by money, and might want to give something back to public sector organisations or businesses that aim to make a difference to individuals' lives. Other benefits, such as flexible working or allowing employees to get more involved in charitable initiatives, might be a good way to bring experienced individuals into the public sector.
Public sector organisations need to find their unique 'hook' that will excite and engage talent in a way that the private sector can only match with financial reward. Whilst many will be persuaded by a larger paycheck, there will be others who are seeking new skills, new challenges and new prospects that aren't open to them in any other organisation. Public sector organisations should continue to focus on this as their unique advantage.