The steps needed for a resilient cyber posture in government

By Splunk

GovInsider speaks with Robert Pizzari, Vice President of Security at Splunk, about the recently published State of Security 2023 report.

Robert Pizzari, Vice President of Security at Splunk, gives recommendations on how public sector agencies can adopt a more resilient cyber posture. Image: Splunk

Security teams today are struggling, according to Splunk’s State of Security 2023 report. Over 80 per cent of the 1,520 security and IT leaders interviewed highlighted that critical staff members have left the organisation due to burnout, and nearly 90 per cent highlighted talent challenges of various kinds (including a lack of key skills or staff shortage).


This, combined with increasingly sophisticated cyber threats, disparate security tools, data silos and persistent workload demands, is leaving IT teams in a constant fire-fighting state.


“If you're highly fragmented, and there's a major issue impacting any organisation, getting to the root cause [of a cyber incident] can become very inefficient and quite challenging and problematic,” explains Robert Pizzari, Vice President of Security, Asia Pacific, at Splunk.


What can organisations do to bolster their resilience amidst this challenging landscape? GovInsider sits down with Pizzari to hear his recommendations on how public sector agencies can level up their people, processes and technology to meet the rising cyber challenges.


Mobilising the people


Organisations need to think about how to connect with the hearts and minds of people such that they take personal ownership of cybersecurity, Pizzari says. While organisations can implement policies and security protocols, such plans are only as good as the discipline of the staff to execute, he explains.


Pizzari points to the 2018 SingHealth hack, which saw the data of 1.5 million patients stolen, including that of government leaders. A Committee of Inquiry (COI) which was formed to investigate the attack later found that the breach occurred as a result of human lapses. Employees then failed to take timely action despite suspicious activities being detected, according to the COI.


Today, the role of the CISO is expanding beyond simply information security. They are now also responsible for improving resilience as a whole by mobilising the entire organisation. Cyber is everyone’s responsibility, Pizzari says. And for people to actively participate in cybersecurity practices, they need to understand why they are doing so, he adds.


To do so, he suggests making cybersecurity more fun and personalised. Webinars and formal training programmes have limited effectiveness, he points out. Oftentimes, staff would skim through the training without properly paying attention to it.


Integrating cybersecurity practices into team meetings and personalising training could help engage employees and increase awareness of best practices in cybersecurity. One way organisations can do so is to share stories of cyber incidents that have occurred in the organisation or to others, to drive home the reality of such threats.


Beyond increasing awareness, Pizzari also encourages organisations to run regular simulated phishing campaigns to ensure that every individual knows how to identify such threats.


Creating rigorous processes


Over two-thirds (68 per cent) of public sector respondents report struggling to keep up with today's risk landscape, according to Splunk’s State of Security 2023 report. This is why it is vital for public sector agencies to implement rigorous procedures and processes that promote resilience, and to test them through tabletop exercises.


Today’s organisations need to focus on shifting away from a compliance-driven mantra. While most countries have legislation covering data protection and cybersecurity, organisations cannot simply focus on “ticking the compliance checkbox”, Pizzari says. Oftentimes, this lulls organisations into a false sense of security.


Despite the compliance requirements many countries have implemented, Splunk’s report finds that threat actors who succeed in infiltrating organisations dwell within their systems for about nine weeks.


One way to bolster an organisation's cybersecurity posture is through zero trust, which calls for IT teams to build security controls and verification into every layer of their organisation.


For instance, in application development, security controls such as code reviews can be built into the development pipeline.


“If code is released into production and there are vulnerabilities that have not been picked up through that development and testing life cycle, then potentially we're exposing an organisation, or an organisation is exposing themselves to vulnerabilities and threats,” Pizzari explains.


Additionally, an organisation’s security is only as good as the next connection in its supply chain, he says. This is why it is vital for organisations not only to have oversight internally, but also to manage their suppliers and vendors, all of whom are an extension of the organisation’s risk.


He points to the example of a Japanese car manufacturer, which was forced to temporarily pause production in late 2022 after one of its suppliers fell victim to a cyber breach.


Organisations need to think about how cyber requirements can be included in the contracts with their suppliers and vendors, he adds. Cyber teams also need to actively inspect these organisations to ensure that they are keeping up to date with their security protocols and are operationally resilient. They need to ensure that any consequence of a breach will be isolated and not impact their own agency, he says.


Levelling up the tech: Automation and simplification


When processes are in place, technology then serves as the boost that IT teams need to manage and execute those processes. This is particularly vital for the public sector, whose respondents reported that they often struggle with tool complexity and staffing shortages, according to the State of Security report.


For instance, Splunk helped the Townsville City Council in Australia update their security tech stack to improve their cyber resilience. The city council had realised that their threat detection and response time was not up to par, with many legacy systems and a complex IT environment hindering efficiency.


Starting with threat modelling exercises, Splunk worked with the council to identify the main areas for improvement. For one, Pizzari shared that the city council had many data sources that were previously inaccessible, which limited its overview of the threat landscape. Without that overview, the council would not be able to determine the tools, techniques or procedures that threat actors might use to gain entry.


Splunk first helped the council address this by introducing the Splunk platform, which consolidates all the security telemetry from across its digital environment.


With the foundational data platform in place, Splunk then layered on top of it a SIEM (security information and event management) solution, Splunk Enterprise Security. With this, the city council’s security team is able to tune and configure their policies and practices to address their particular threat landscape.


Finally, Splunk introduced automation into the city council’s cybersecurity practices to help reduce the phenomenon of alert fatigue. Alert fatigue often occurs as a result of detection systems not being properly tuned, resulting in excessive alerts caused by false positives.


By adopting Splunk’s automation platform, SOAR (Security Orchestration, Automation and Response), the city council was able to improve alert accuracy, with automation helping IT teams detect anomalies and respond accordingly, Pizzari explains.


“These three key elements that made up that solution then enabled them to consolidate within their environment and simplify their operation,” he says.


The result? Round-the-clock, holistic security with clear visibility across the council's IT environment. This is on top of accelerated monitoring and threat hunting capability, allowing the team to more quickly detect threats or indicators of a breach across different systems.