By Kayla Matthews
The cybersecurity landscape is ever-changing, and staying on top of developments often requires promptness. Unfortunately, government bodies typically aren’t known for taking quick action. That’s because they can’t.
Making any update in government requires the proposed alteration to go through a long process of agreement and approval that involves numerous government authorities.
Input From Multiple People or Organizations May Slow the Decision-Making Process
The Government Accountability Office (GAO) is a watchdog organization that monitors the evolution of federal buildings to ensure they are adequate reflections of taxpayers’ dollars.
The GAO recently released recommendations, some of which involve cybersecurity. The body advised partnering with several federal authorities to make critical improvements to cybersecurity infrastructure by adopting a national framework. That sounds good, in theory, and such collaboration could lead to more accurate and relevant insights.
However, as multiple organizations decide when and how to make cybersecurity improvements, the back-and-forth communications could mean it’s virtually impossible to make rapid changes.
A Lack of Accountability Could Delay the Necessary Changes
What’s more, these issues of outdated cybersecurity plans and the updates not happening fast enough are not merely problematic for governments in the U.S. A recent report about the cybersecurity readiness of the Australian government drew some worrisome conclusions. It showed that nearly 40% of government agencies had yet to implement mandatory information security measures rolled out in 2017-2018.
In Australia, one of the likely problems is that cybersecurity strategies for the government are mandated, but they are not enforced. Moreover, a 2017 cybersecurity audit found that some agencies self-reported being compliant in some areas, even though they still did not meet minimum standards.
However, these problems could affect any nation if a person does not know if they are the responsible party for raising awareness about the need for newer cybersecurity measures. For example, an individual may notice a cybersecurity weak point and report it to an immediate supervisor.
But, if that person fails to take action because they don’t agree that the problem is as severe as the person who initially reported it indicated, they may fail to keep the matter flowing along the chain of command.
Governments Often Lack the Budgets Necessary to Make Improvements
Both physical security and cybersecurity are extremely important in government settings. Domestic and international security risks continue to rise at an alarming rate, which means members of the government with decision-making authority face constant challenges. They have to decide how much money to devote to each aspect of security, and that often means the budget gets stretched thin.
Margaret Byrnes, Executive Director of the New Hampshire Municipal Association, recently took part in an interview where she explained why hackers often target municipal governments. Byrnes clarified that one of the reasons municipalities are seen as an easy target is because they often have budget constraints that prevent them from bolstering their security infrastructure. Hackers know this, and they know these municipalities may not be as well protected.
It’s not difficult to envision a scenario where some members of a town or local government’s approval chain heartily agree to expand the budget for cybersecurity, and others are not as eager to spend money that way. Then, the reluctant parties need more convincing, and crafting a more compelling argument could take a lot of precious time.
Strong Leadership Helps Cybersecurity Changes Happen
It might seem that if the GAO consistently makes recommendations for cybersecurity improvements, such feedback would make them occur. However, the Department of Veterans Affairs proves that assumption wrong. The GAO has, for the last 17 years, cited cybersecurity issues with that agency’s financial systems. The majority of the GAO’s concerns mentioned most recently also came up previously.
If leaders are willing to take responsibility for facilitating progress with government-related cybersecurity, that could help. However, a 2018 Accenture study of government leadership showed that’s more difficult than some people may think.
Only 39 percent of respondents gave themselves high-performance ratings for both the ability to relate mission and business requirements to reasons for making new IT investments and to collaborate with stakeholders to agree on IT priorities. Those findings could mean that even if people intend to act as cybersecurity leaders that drive decision-making, success is harder to achieve than expected.
A Complex Problem
Slow government processes are largely to blame for cybersecurity downfalls. However, remedying the problem will not come quickly, and many bodies must collaborate to make progress occur.
About the Author
Kayla Matthews, a cybersecurity journalist, has written for sites like Security Boulevard, the National Cyber Security Alliance, Information Age and more. Matthews can be reached via Twitter @KayleEMatthews or on ProductivityBytes.com.