Beyond compliance: How the public sector can build cybersecurity resilience in the face of rising attacks

Cyber-attacks can happen to any organisation at any time, and the consequences can be severe - lost productivity, reputational damage, and legal liability, as well as the costs of remediation and recovery. A data breach could result in the theft of sensitive data, such as customer information or intellectual property, which can have serious reputational and financial consequences for the affected organisation. 

If you want to strengthen your agency’s IT defences and understand your current state of cyber-preparedness, we recommend the following steps as part of a wider cyber security maturity assessment.

1  Establish a formal security strategy

The level of engagement between the IT security team and the organisation’s wider units can often be inadvertently overlooked and require improvement. Collaboration between your security team and the rest of the agency, as well as alignment between the organisation's strategy and IT strategy must be established so everyone understands the critical role the IT Security team plays in keeping the department safe.

2  Distinguish key roles across IT and security

Having clear differentiation between assigned roles and responsibilities, including establishing new roles when necessary, is important for effective cybersecurity management. It ensures each role is focused on specific obligations and achieves set goals without being bogged down by conflicting priorities. 

For example, if your Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles are performed by the same person it can lead to conflicting priorities. Separating the CTO and CISO roles helps ensure the technology strategy aligns with the agency’s goals while also protecting the organisation's assets and data from security threats. Separating the responsibilities also provides clearer oversight for your executive leadership team, enabling them to focus on areas of weakness, and to assess the team's progress as they work towards improving their maturity.

3  Maintain and implement all key policies and procedures

The agency must develop and implement policies and procedures tailored to your organisation’s IT requirements and provide clear direction in the event of a security breach or disaster. A robust policy establishes the rules needed to help organisations protect against threats to data confidentiality, integrity, and availability.

4  Risk management

Cybersecurity should be viewed as an integral part of risk management rather than a separate issue. By implementing a risk management framework and actively monitoring key risks, you can better manage your cybersecurity profile and prioritise the actions required to minimise the likelihood of cybersecurity threats and operational disruptions. Each risk should be assigned to a dedicated owner to establish accountability, and a risk appetite can be set to ensure a baseline is established for the controls in place. Additionally, having a risk framework improves your executive leadership team’s visibility of key IT security risks and associated mitigation strategies. 

5  Third-party risk management

If you have outsourced all or part of your IT ecosystem to third parties, it’s vital to ensure your risk management processes include the outsourcing risks as well as the IT security risks. Agencies should also define the roles, responsibilities, and monitoring to ensure third-party risk is effectively managed. By ensuring the performance reporting from third parties addresses the identified risks and relied upon assurance processes, the management of both the risks of outsourcing and the underlying cyber security risks becomes far more robust. 

6  Security awareness

Your people are a key strength of the organisation, but they can also be a key weakness when it comes to cybersecurity. Security awareness training for your staff can help improve the overall security culture throughout the organisation. According to CERTNZ, the highest number of reported incidents are social engineering attacks such as phishing and credential harvesting. 

On-going staff training will contribute to improved vigilance, reducing the likelihood of security incidents caused by human error. Training should also emphasise the importance of maintaining the confidentiality and integrity of your agency’s data.

Increasing learning and development opportunities for your IT Security team can also help ensure they have the necessary skills and knowledge to effectively manage security risks and issues. 

7  Implement an incident response plan

Having a well-designed and tested incident response plan can help your organisation respond more effectively to IT security incidents, and to minimise the damage they can cause.

It’s essential to have effective threat and vulnerability assessment capabilities in place, including regular assessments and monitoring of potential threats and vulnerabilities. This can help identify potential security risks and weaknesses before they can be exploited by attackers.

Regular testing of the incident response plan can help identify deficiencies in the plan and improve your organisation's response. This could include conducting tabletop exercises or simulations to test the response plan in a controlled environment, as well as conducting more realistic exercises that simulate actual incidents.

Case study: What gets measured gets managed

Recently, a public sector agency needed a comprehensive picture of their cyber preparedness to help them enhance their security measures. This assessment helped articulate key responsibilities, identify gaps, and key risks, develop mitigation strategies, and demonstrated how to improve their preparedness and reduce their risk.

The agency then implemented their new cybersecurity approach following our initial review, and twelve months later asked us to perform a follow up assessment. After implementing and improving several control areas in the steps listed above, this dual-assessment approach helped our client lift their maturity rating from 2.06 (average) after the first assessment to 3.75 (average) after 12 months. We assessed the organisation against the Forrester Security Maturity Model where a score of 0 represents “non-existent” up to a score of 5 which is considered “optimised and effective.” 

The charts below depict the progress made before and after a cybersecurity maturity assessment review. The assessment included evaluating four main domains for both years: Technology, process, oversight, and people. 

Cybersecurity maturity assessments are critical tools for evaluating an organisation's security capabilities; they can play a key role in enhancing an organisation's cybersecurity. By conducting a maturity assessment, your agency can gain a comprehensive understanding of its current state, identify areas for improvement, and prioritise actions to enhance its overall security maturity and preparedness.