By Michael Brown, VP Analyst at Gartner
Data security has become a major concern for every organization, especially for government agencies. Government CIOs must adapt to the new threats and familiarize themselves with the concept of adaptive security in order to better protect their agencies.
Adaptive security is a powerful approach that government CIOs can use to protect their critical assets from cyber threats.
Gartner predicts that by 2025, 75% of government CIOs will be directly responsible for security outside of IT, including operational and mission-critical technology environments.
What Is Adaptive Security?
The adaptive security model is one in which cybersecurity tools, techniques and talent merge to operate more like an autonomic biological immune system and continually adjust to the evolving threat landscape.
The traditional security measures often rely on static protocols that are not always effective against emerging cyber risks. Adaptive security takes a different approach by continuously monitoring the system for threats and adapting its defenses accordingly.
An adaptive security approach must address risk not only from IT vectors, but also across other domains, such as supply chains and cyber-physical systems (CPS). By adopting an adaptive security strategy, government CIOs can ensure their systems remain secure even in the face of constantly evolving cyber risks.
Importance of Adaptive Security for Government CIOs
Government agencies are among the top targets for cyberattacks. Nation-state conflicts, such as the Russian invasion of Ukraine, can place some governments more directly under siege than others, but cyberattacks on government institutions at national, regional and local levels are a global condition.
The trend toward an adaptive model for cybersecurity necessarily follows the relentless and rapidly evolving assaults on government IT systems. Government CIOs and cybersecurity teams must pursue technology refresh and renewal at a pace that may exceed that of other parts of the IT enterprise. In this accelerated refresh cycle, government CIOs must be mindful of their capacity to execute effectively and justify it in risk terms that the business will understand.
Shift from Compliance-Based to Risk-Based Approach
Historically, government organizations addressed cybersecurity in terms of compliance with volumes of written artifacts that are periodically reviewed and updated. This is changing with risk management frameworks that require continuous monitoring and ongoing or even continuous authorization. Government CIOs are today attempting to shift from compliance-based to risk-based approaches as the complexity of threats and vulnerabilities increases.
Adaptive Security Challenges and CIO Actions
Government agencies face evolving threats, rapid advances in tools, updated compliance frameworks and updated strategies, cumulatively pressuring them to evaluate their cybersecurity capabilities and embrace adaptive security. However, there are some key challenges in employing adaptive security which government agencies must contend. The challenges include:
- Sustained funding – A robust cybersecurity program requires continuous investment. The high cost of tools and services to establish or reinvigorate and sustain a security program may come at the expense of other capabilities and services that business unit leaders expect. In the eyes of business unit leaders who might get less of what they desire from IT teams, investments in cybersecurity may appear as unnecessary. The inability to differentiate adaptive security from document-based compliance activities may limit support for necessary budget resources.
- Talent – Government agencies are challenged to compete with the private sector for staff with necessary skills. This can aggravate the budget issue by requiring more dependence on outsourced labor.
Implementing adaptive security in the face of budget and staffing challenges, requires leadership and creativity. Government CIOs need to prioritize and justify cybersecurity budgets by clearly tying investments to mission outcomes and organizational resilience. To address the talent shortages, they need to work simultaneously across the three dimensions of service contracts, reskilling existing staff and recruiting new staff.