March - April - 20188GOVERNMENT CIO OUTLOOKIN MYOPINIONImplementing an Effective Public Sector Cyber Security ProgramPeter Ambs, CIO, City of AlbuquerqueByt's not easy being today's CIO or CISO in a government organization. While budgets shrink, we are tasked with being ever more relevant and innovative all while ensuring we have dependable technology services that provide optimized public services--all online and mobile. Central to this is digital and infrastructure asset protection. Our first priority is to ensure we have deliberately and pragmatically secured digital assets through a comprehensive cyber security program. Each day we learn of successful cyber-attacks and organizational data breaches. The need to stay vigilant and follow best practice cyber process and policies that mitigate the dynamic threat landscape has never been more important. The `new normal' is cyber security first, ever thing else is secondary. Cyber planning, budgets, resources, and executive sponsorship all have to be in place to make a difference in what boils down to persistent and evolving cyber warfare scenarios.You are not alone if you inherited an imbroglio of disparate, legacy systems that were not built with security as a primary design criteria. It's not feasible to immediately forklift and upgrade enterprise, legacy systems and rewire them with cyber defenses. To compound matters, perhaps your network is expansive, flat, and designed with ease of use instead of being partitioned by function and hardened with physical air gaps and micro-segmentation. Given that we are all just one incident away from being the target of a cyber-attack, whether it's DDOS, phishing/spear-phishing/whaling, ransomware, cross-site scripting, remote control execution (RCE), or a data breach event, what can we do?Begin by assessing where your organization currently is on the Cyber Security program maturity model continuum. For example, you can use the NIST Cybersecurity assessment tool to measure the effectiveness of your Cyber Security program. From there, plan to fill the gaps in the People, Process, and Tools triangle. Plan the remediation roadmap to a mature and robust program that is effective. Now is always the best time to strengthen and build upon appropriate security measures. Perform that organizational Cyber Security Posture assessment to determine the risk and vulnerability posture. Prioritize the vulnerabilities by impact and create a remediation plan. Shore up your environment.You cannot wait for an event to occur to determine what to do. Have an incident response plan in place. Practicing good cyber hygiene and being prepared (incident response, vendor SLAs and partnerships in place), is key to asset protection before, during, and after an event. Disaster Recovery/Business Continuity planning and capabilities go hand-in-hand IIt's not if a cyber event will occur, but when and how significant will it be?
< Page 7 | Page 9 >