Industry Perspective
How to Climb Your Agency’s Cybersecurity Mountain

An interview with Katie Hanahan, Vice President, Cybersecurity, ITsavvy

In the public sector, overthinking cybersecurity is almost as bad as not considering it enough. For many agencies, cybersecurity is like standing at the foot of a mountain without any idea how to scale it. But the only way over a peak is one step at a time, and the same is true for cybersecurity. For agencies unsure about how to approach it, the answer is basic cyber hygiene.

Cyber hygiene covers the steps that computer users can take to protect their organization’s online security and system health. By mastering fundamental cyber hygiene, agencies can enable their employees to defend resources like data.

“The mission is not insurmountable, but it can feel that way sometimes,” Katie Hanahan, Vice President, Cybersecurity at ITsavvy, an IT solutions provider, said of cyber hygiene.

Hanahan shared three ways that agencies can elevate their cybersecurity by refining their cyber hygiene:

1. Transform training

Too often, agencies treat cybersecurity training as check-the-box training. When it comes to cybersecurity, however, the more practice workers have, the better. For example, agencies can conduct agencywide lessons quarterly rather than annually. “We have to make sure we are doing this training with every level of employee,” Hanahan said.

Take email security. Hanahan recommended that agencies instruct everyone from leaders to HR employees about why suspicious email attachments should be avoided. The reason? Some suspicious email attachments may download malicious software onto agencies’ networks.

2. Avoid alert fatigue

Alert fatigue is when the number of cybersecurity alerts exhausts the people addressing them. At agencies, alert fatigue can overwhelm cybersecurity teams that may already have small budgets or workforces.

Fortunately, agencies can reduce alert fatigue using security operation centers (SOCs). SOCs are centralized units that deal with security issues like cybersecurity on organizational and technical levels. After partnering with an external SOC or starting their own, agencies can shift some cybersecurity burdens away from their staff.

“The benefit is that you’re outsourcing this piece to someone else so that the IT people you have in your organization can focus on the work at hand,” Hanahan said.

3. Test cyberdefenses

The best armor is battle-tested often, and cyberdefenses are no exception. To avoid painful cybersecurity incidents, agencies can perform tests that detect security gaps without any lasting damage. Take penetration tests, which evaluate IT security by letting researchers safely expose vulnerabilities. Another option is simulated cyberattacks, which let agencies practice how they might respond to real security incidents.

Although cybersecurity might seem daunting, providers like ITsavvy can give agencies the security assessments, assistance and training they need for mission wins.

“We have the right ecosystem of partnerships to help them achieve their goals,” Hanahan said of ITsavvy. “We can get through this and do this together.”
Unpacking the President’s Cybersecurity Executive Order