Citizens have real concerns over the security of their personal data. We know that’s true. Whether it’s through reported reactions to the latest malware attack, or via our own research (Accenture Public Service Pulse Survey), citizens’ cyber insecurities are a live issue for Public Sector at large and State Agencies have to take action.
My previous two posts looked at the nature of these insecurities, as well as five investments for improving government information security. In this blog, I want to focus on some of the initiatives that we’re seeing in our work with state agencies.
First, there’s a lot of activity around security strategy and risk assessments. The goal is to get a baseline assessment against the various security regulations with primary standard being the NIST cyber security framework. But depending on each agency’s field of activity, they’ll also need to check capacity to meet other regulations like HIPAA (covering protected health information), IRS 1075 (IRS data), CJIS (Criminal Justice data) and PCI DSS (financial data).
With so many overlapping regulations, it’s challenging to get a coherent view across across all. But that’s the priority. Ahead of developing a roadmap and getting funding, agencies need to gauge their organization’s security maturity and understand where the gaps are.
We see huge variations. But whatever stage an agency has reached, one of these security assessments will be a vital first stage in its security journey. And what about challenges? Starting at the foundational level, just interpreting the various statutes and working out which ones apply can be hard enough.
It’s such a huge area, no agency can hope to do everything. Once they’ve understood the gaps, then how should they prioritize their initiatives? What’s the best way to invest their dollars? What are their top-three actions? What assets should they protect first? It’s essential to answer all these questions.
Moving on, our research shows that citizens want to see state and local government investing in protecting their digital identities. Agencies know this. We found that 73 percent of them are implementing new services including digital identity protection.
That makes sound operational sense. Practically all the agencies we work with are focused on enabling citizen-focused e-services. With so many services being offered through digital channels, ensuring a single, secure point of access for each citizen is vital to providing that necessary reassurance to citizens.
Cyber defense is another top priority. It’s a broad area spanning network and infrastructure security. Agencies are asking how they can protect against malware attacks and, more broadly, how they can up their security game when threat levels are so high.
The biggest challenges we see are legacy infrastructures, lack of funding, and lack of skilled people. All these factors come into play. Agencies have so much going on here. They’re trying to protect systems that were set up 10 or 20 years ago. They’re planning their journeys into the cloud. How can they safeguard all this against the multiple parties trying to exploit vulnerabilities and find ways in?
Then there’s application security. Most organizations have packaged ERP software for Finance, HR and other functions. How can they protect these and secure access to their core systems? Extended enterprise security is another key issue, particularly so with agencies seeking to take advantage of technologies like social, mobile and IoT.
Most states are experimenting in these areas, but its early days and leaders are in the process of understanding the power of new technologies.
This lack of security resources is a common challenge that some agencies are addressing by outsourcing their security requirements. It’s a way to get access to specialized talent, and the latest technologies, at a fraction of the cost of developing these resources themselves.
With so much going on, it’s enormously exciting to be working with agencies in the current environment.
For more information on the work we’re doing, take a look at the following links: