Cybersecurity awareness month is here, shining light on the ever-critical importance of cybersecurity. There’s no better time than now for state and local governments to reflect on their posture and devise strategies to remain proactive, not just reactive, when it comes to their cyberdefenses.
After all, cyberattacks are becoming more frequent and getting easier to miss, which means that agencies need to understand whether they’re able to fend off the latest threats from bad actors. However, you can’t plug holes in defenses if you don’t even know those holes exist. Such is the critical importance of security assessments. The road to cybersecurity maturity begins with effective security assessments.
Security assessments are critical but often underfunded, says Anthony J. O’Neill, commonwealth CISO and chief risk officer at Massachusetts’s Executive Office of Technology Services and Security. O’Neill spoke with StateTech about the importance of security assessments, assessment types and best practices when evaluating security posture.
Click the banner below for more on how to improve your cybersecurity posture.
STATETECH: How important are security assessments for state and local governments?
O’NEILL: Think of it like when you go to your primary care physician, and they draw your blood, take a look at your vitals and conduct a physical exam. Security assessments are similar, in a sense, because they tell you where you might need to improve or change. You can’t diagnose the patient unless you perform tests.
STATETECH: Are security assessments the first step to improving security posture?
O’NEILL: They are to me, because I don’t think you can fully appreciate the work that any organization has done or the investments they’ve made until you get a good glimpse through an assessment. They just give you better visibility.
STATETECH: What does today’s threat landscape look like?
O’NEILL: What we see a lot today are DDoS attacks, ransomware and social engineering. Threat actors are becoming more creative and aggressive in their approaches. Threats are growing exponentially because the tools that threat actors use are becoming more accessible and available in marketplaces, whether that’s the dark web or elsewhere.
There are nation-state actors funded through nation-state resources, which makes it a very difficult battle for local governments. If they don’t have the adequate resources to defend themselves, they’re going to be vulnerable.
STATETECH: In the threat landscape you describe, what are some best practices for conducting security assessments?
O’NEILL: We like looking at the 18 Critical Security Controls from the Center for Internet Security and at NIST 800-53 compliance. You can do a high-level maturity assessment by mapping to the CIS top 18, which I think is a good way for small and medium-sized agencies to approach it.
STATETECH: What goes into conducting an effective security assessment?
O’NEILL: You need to have the right people in the room. Cybersecurity starts at the top, so if you’re a local government and the mayor is your CEO, you want to have them supporting as an executive sponsor. You also need your technical resources and subject matter experts; CISOs and CIOs need to be heavily involved. If you don’t have a CISO, then involve a technology officer. A legal or general counsel that understands data privacy laws and regulations should also be involved.
It’s a cross-functional approach that will make assessments more effective.
STATETECH: Which types of security assessments do you recommend?
O’NEILL: We have a penetration testing program and members within our security operations center. We make investments in continuous pen testing and some red teaming based on the criticality of the assets. Different situations call for a specific scope of tasks. If you’re trying to figure out where gaps are on an application security issue, then you’re going to do a penetration test to see what controls you might need to implement. There are also reasons to do red teaming, because there are some really creative red teamers out there that can find vulnerabilities. It gives you a good indication of where your blind spots are. You want to have a little bit of both of these investments in your infrastructure.