Cybersecurity continues to be a top focus for government agencies, which face new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, the cost of a breach in the public sector, which includes government agencies, rose to $2.6 million, up from $2.07 million in 2022. Government agencies need to move their culture, processes and technology to a mission-centered cyber response.

What is a mission-centered cyber response?

Each government agency exists to give citizens access to critical services, such as Medicare claims or Veterans Affairs services. These agencies must focus not only on serving their stated mission but also on protecting their ability to meet their mission in the future.

Many citizens get services through online channels, which makes it imperative to reduce the risk of cyberattacks and create a response plan to reduce delays in services. Additionally, federal employees use digital tools to serve citizens in person. To make sure that they continue to serve their missions without disruption, agencies must protect key infrastructure and take all precautions, including practicing cyber incident response.

“Cyber is not simply a technical issue. When there is a cybersecurity incident, that can negatively impact the lives of the people who you are trying to help,” says Claire Nuñez, content and design lead at IBM X-Force Cyber Range. “In a commercial organization, cybersecurity attacks are a business problem, while in federal agencies, cybersecurity actually becomes a mission problem.”

When a crisis like a cyberattack arises, agencies can use their mission to set priorities. For example, many agencies have human life as their first priority and operational impact as their second. The goal is to first provide necessary services at an acceptable level where people’s lives aren’t impeded and then move to a full recovery of services.

Preparing the whole organization for a cybersecurity response

By involving the entire organization in cybersecurity preparation and response, federal agencies can put a mission-driven response into action. Reducing cybersecurity risk starts with team members who have the right skills to prevent and respond to a cybersecurity attack effectively. This includes not only IT but also multiple departments within the agency, which address different facets of both prevention and response.

Legal and general counsel

Because a cybersecurity attack and response bring many legal ramifications, the agency’s general counsel often acts as the right hand to the security department and must be involved throughout the process. Federal agencies must comply with regulatory standards for cybersecurity along with any state standards, such as California’s privacy laws.

Labor and human resources

One of the chief roles of labor or HR departments in a crisis is planning and providing surge support. To swiftly respond to a crisis, organizations often need more hands on deck than usual. This support can range from technical employees to citizen-facing representatives. Employees can burn out quickly in a crisis and surge support can lessen the workload.

Employee communication

It’s imperative that employees and citizens maintain their trust in the agency throughout the response. Labor and communications teams can work to create a plan for employee communications during a cyberattack to make sure everyone has the key information needed to continue upholding the organization’s mission throughout the crisis and response.

External communication

Keeping all critical parties informed during the response to a cybersecurity incident is a vital part of a mission-driven response. Citizens, other federal agencies and law enforcement all need to receive regular communication from the affected agency. Because each group needs different information, creating a plan in advance with responsible parties helps reduce the chances of a breakdown when clear and frequent communication is most needed: in the middle of the response.

“Everyone in the agency needs to work together to keep the response moving together,” says Nuñez. “Labor and HR and communications have to work together to get messaging out, while legal approves all communications. The workstreams happen independently but must also have capillaries between them.”

Shifting the culture to a mission-centered response

While it’s easy to focus on processes and roles, having an effective response depends highly on the security culture of the agency. Nuñez says that every organization has a security culture, whether the agency actively works on that culture or not. The goal is to create a security culture where every employee sees cybersecurity as a key part of their role and understands that a cybersecurity breach makes it challenging, if not impossible, for the agency to fulfill its mission.

“You need all your employees engaged to be ultra-secure and to kind of take your risk level down. And it’s not just an effort from a cybersecurity team; it’s an effort from everyone. Security culture can’t really exist without leadership support,” says Nuñez. “Security must be fully embedded throughout the organization. Once a leader brings cybersecurity into conversations all of the time, the conversations naturally happen both laterally and from the top down.”

Providing training to all employees

Training for a whole organization’s cybersecurity response involves cybersecurity training for all employees. The type of training needed is twofold: technical and practical. The technical team should engage employees in tabletop training, such as capture the flag or war games. All employees need to be trained to know how to spot cybersecurity concerns, such as recognizing phishing emails. They also need training on the process of reporting security concerns promptly.

Leadership teams also need to schedule practice events. These should include testing emergency communications to make sure they work as planned and that employees know their roles and tasks. Additionally, training should include large-scale exercises, such as walking through agency-specific playbooks and immersive experiences at cyber ranges.

“Training should range from the small things, such [as] making sure all documents are updated with the right contacts, to actually sitting down to practice and validate all of your plans and processes,” says Nuñez.

Moving forward with a mission-driven response

By moving to a mission-driven response now, government agencies can begin to proactively prepare for a cyberattack. With the newly released guidelines on cybersecurity, a mission-driven approach provides the framework and culture to meet requirements.
