Validating Security Tools and Practices for a Whole-of-State Cybersecurity Strategy
In our final blog post in this series on developing a whole-of-state cybersecurity strategy, we cover the validation phase, which follows the governance and implementation phases
A whole-of-state cybersecurity strategy brings together all the government entities in a state to collaborate on improving their cybersecurity capabilities collectively. The strategy, often initiated by the governor’s office and the legislature, enables all government entities in a state — even the smallest school district or municipality — to benefit from improved security training, more timely threat intelligence, and newer, more effective toolsets.
A whole-of-state cybersecurity strategy consists of three phases:
- Governance and policymaking
In the governance and policymaking phase, IT and security leaders from across the state come together to adopt security frameworks and define policies and best practices. In the implementation phase, they provide training and deploy toolsets so that government entities of any size can implement those policies.
I discussed those two phases in earlier blog posts. In today’s blog post, I’m going to focus on the validation stage, in which whole-of-state teams analyze and validate their cybersecurity work at any point in time. In this phase, teams across the state address questions such as:
- How do we know that the security tools and practices we have put in place are really improving our cybersecurity defenses?
- Which parts of our cybersecurity program are working well, and which are not?
- Which activities and investments should be prioritized next?
- Are there particular organizations that urgently need help? If so, how can other organizations help them out?
Here are some recommendations for making the validation phase a success.
Take a deep dive into whole-of-state cybersecurity.
Collaboration still matters
The first thing to know about the validation phase of a whole-of-state strategy is that the relationships and trust that teams built up in the earlier phases of the whole-of-state strategy still matter here. In fact, they’re essential.
Validation is about sharing information and helping the state overall prioritize what needs extra attention. This work requires collaboration, both within individual government entities and across all the entities participating in the whole-of-state program. And in this phase, the fruits of that collaboration become visible, because it’s through validation that you can really tell that the overall team is making progress.
Focus on goals and results
To validate the whole-of-state cybersecurity program overall, leaders need to determine which goals and metrics they care about and ensure those goals and metrics are being tracked. Chances are, they’ve already identified these goals in the policymaking and implementation phases. In fact, these goals probably shaped decisions about budget requirements, tool selection, and more.
In my blog post about the implementation phase, I recommended picking a “top twenty” list of metrics or goals for entities to focus on, especially in the first year or two of the whole-of-state initiative. You certainly want to track those “top twenty” metrics or goals in the validation phase.
Ideally, the goals and metrics you select should provide a meaningful measure of progress over time. By tracking these metrics, leaders and stakeholders should be able to determine whether the cybersecurity posture of the state overall is improving or weakening. If the metrics you’re tracking show improvement, but government entities are succumbing to more cyberattacks than ever before, it’s time to review your data and select more meaningful metrics.
Once you select metrics and goals, you’ll need to establish baselines, especially at the beginning of the project. Ask:
- How do these metrics typically perform across organizations participating in the whole-of-state program?
- What’s the baseline we want to establish as the ground floor for improvements?
Cumulatively, all the IT and security teams across the state are working with a vast amount of data, everything from network addresses, device inventories, patch statuses, and AV scans, to security frameworks, lists of vulnerabilities, and threat intelligence feeds. To track and validate goals and metrics, you need to figure out what data you’re going to collect and how you’re going to collect it.
And once you’ve collected this data, you’ll have to figure out how to report it. Let’s take a look at reporting next.
Establish three levels of reporting
To validate the implementation of the tools and practices adopted for a whole-of-state cybersecurity policy, from the work of IT technicians in organizations across the state all the way up to team leaders working most likely with the governor’s office and the legislature, you need three levels of reporting:
- Technical reporting
- Executive-level reporting
- Enterprise-level reporting
This is the lowest level of reporting, delivering insights about what’s happening on networks and devices. Security Operations Center (SOC) analysts, network managers, system administrators, and other technical specialists rely on this reporting every day to understand the state of their networks and IT assets and to determine if anything needs prompt attention.
Insights from this level of reporting should be actionable. For example, it should be able to report on device inventories, patch status, threat status, and so on. If something needs to be fixed, it should show up in this level of reporting. And once it is fixed, that change in status should show up here, too.
Technical reporting should provide data useful for measuring the state of every major security objective in the whole-of-state strategy. If a security objective can’t be measured, then new tools and instrumentation are needed.
The next level up is executive-level reporting. This report shows the big picture of how a particular government entity is doing when it comes to IT security. This level summarizes the details from the technical reporting level. It delivers concise insights about the state of security overall in ways that both technical and non-technical leaders can understand.
When I worked with the State of Arizona on their whole-of-state cybersecurity strategy, we found it useful to provide green/yellow/red visuals for this type of reporting. An executive should be able to glance at this type of report and be able to tell right away what areas are on track (green), which are potentially concerning because of some sort of shortfall (yellow), and which need to be addressed right away (red).
IT and executive leaders can use this level of reporting to:
- Direct the IT team to address issues that need more attention.
- Ensure that resources are allocated appropriately.
- Share their insights and experiences with peers in other government entities.
- Contribute this reporting to help the whole-of-state team generate the highest level of reporting — enterprise-level reporting.
Enterprise-level reporting aggregates and summarizes the executive-level reports of all the government entities across the state. This reporting enables the governor, the legislature, and all team members across the whole-of-state initiative to understand the cyber-readiness of the state overall. It rolls up all the executive-level reports generated from entities across the state and summarizes them in a useful way.
Like executive-level reporting, enterprise-level reporting should make use of hard numbers without getting lost in the details. It should convey important information simply and clearly to ensure it’s understandable by government executives who are responsible for a vast number of government issues, not just cybersecurity.
I recommend continuing the traffic-light scheme of reporting I described above, using green/yellow/red graphics to convey quickly what is going well and what needs attention, perhaps even urgent attention.
Through this level of reporting, leaders should be able to understand the risk readiness of each government entity. This reporting may reveal risk areas that have been previously overlooked.
This reporting serves several important functions:
- Comprehensive insights
It provides government leaders with a comprehensive view of the state’s cybersecurity posture (the overall resilience of its cybersecurity tools and practices). Most likely, these leaders have never had such comprehensive reporting before.
- Actionable insights
It enables leaders to see which efforts are going well and which might need extra attention. These efforts could relate to certain types of threats affecting all organizations, or they could relate to problems specific organizations are experiencing. For example, the reporting might show that K-12 schools are struggling to put threat detection measures in place. The cross-organizational team can then decide how best to address this issue.
- Justification for funding
The benchmarking and demonstration of progress should help whole-of-state participants justify funding from the state and potentially from federal resources.
Implement continuous reporting, not one-time audits
You might think of reporting and validation as being like an audit. But an audit represents the status of your cybersecurity posture at a single point in time. That status might change in the next minute, when an infected device connects to the network or when a new security vulnerability is announced, or a new type of zero-day attack is seen in the wild.
To provide a truly accurate picture of the cybersecurity posture of any government entity, you need continuous, real-time monitoring and analysis. That kind of analysis becomes possible only with automation. IT security tools should be able to collect and report data continually and automatically, rather than requiring time-consuming, manual intervention by IT technicians.
With continuous monitoring and reporting, teams at every level can see the latest data without requiring a special task force to collect weekly or monthly metrics. The data might be shared weekly or monthly, but whenever it’s shared, the data is up to date, providing an accurate picture of current cybersecurity strengths and weaknesses.
The whole-of-state cybersecurity team might want to consider gamifying the reporting, encouraging a spirit of friendly competition among various government entities as they pursue their cybersecurity goals. Team leaders might award badges or some other token for achievements, such as achieving a certain set of goals or leading in a category like patch coverage.
Gamification has been shown to improve employee motivation and engagement in cybersecurity training. It can probably help states with their whole-of-state cybersecurity programs as well.
The importance of visibility for reducing risks
Visibility is everything in cybersecurity. You can’t protect something if you can’t see it. You can’t fix a problem if you don’t know it’s there.
As the whole-of-state team’s reporting capabilities become more established and you have more visibility into your security posture and operations, a few things will become obvious. You’ll discover which products are working effectively and which aren’t. You might also discover some products that are redundant or barely used.
Reporting provides the visibility you need to fine-tune your tool selection and purchasing strategy. By helping you pick the right tools, reporting helps make your cybersecurity investments overall more effective.
At the end of the day, a whole-of-state cybersecurity program is about risk reduction. Reporting lets you see the risks, take corrective action, and demonstrate the value of that work to everyone who has a stake in it.
Cybersecurity threats continue to increase in frequency and sophistication. Fortunately, even small government entities can improve their security hygiene by participating in a whole-of-state cybersecurity strategy. By implementing these broad, inclusive strategies, states can ensure that every government entity within their borders has the best training, tools, and insights available to protect their data and infrastructure and to pursue their missions.
To learn how the Tanium Converged Endpoint Management platform can help your organization or state develop a mature cybersecurity strategy, please contact us.