Cyber modernization too complex for quick fixes, in-house solutions, report says
State and local agencies feel pressure to quickly overhaul their technologies and processes to stay ahead of adversaries and meet growing IT demands, but they first need an in-depth assessment of strategic costs and other implications.
State and local government agencies rushing to improve cybersecurity operations and reduce costs through technology and management changes may be opting for immediate improvements without developing a strategic vision, a new report says.
Five factors are driving agencies’ push for rapid progress, according to the “2022 ISG Provider Lens Cybersecurity — Solutions and Services” report, customized by Atos. One is cost and constituent pressures. “The public sector has reached a tipping point where a critical mass of citizens, suppliers and other constituencies increasingly expect digital experience and engagement with elected officials and governmental institutions,” the report states. “Cybersecurity, a critical enabler and element of this digital demand, has struggled to keep pace.”
Another is that many IT systems and solutions are reaching the end of their useful life, paving the way for agencies to replace them with modern, cloud-based options.
“Underlying much of U.S. public-sector IT disruption right now is a broadening and accelerating shift to cloud-based software platforms and infrastructure services as agencies push to digitally modernize organizations, operations and IT,” Nathan Frey, head of ISG’s public-sector business, wrote in an email to GCN. “The shift from legacy to next-gen is fundamental. That suggests that a core, strategic cybersecurity re-examination is the most valuable immediate investment.”
A third driver is the stabilization of remote or digital operational environments. Now that the shift to hybrid or remote work is evening out after the COVID-fueled rush to digitize, agencies can “better conceive and develop suitable strategies and solutions,” the report states. “As the workforce and workplace become clearer, public agencies are looking to engage with providers for effective implementation and management of cybersecurity services and tools.”
Fourth, agencies want to be able to use data better – and to protect it. “As older systems were continually patched and as more users were connected from more locations in different ways, risk and inefficiencies grew, further pushing the need for newer, more capable, more secure and less operationally expensive options,” according to the report.
Lastly, agencies are looking to technology to attract workers and to offset a shortage of skilled labor after the public sector saw a sharp increase in job vacancies in 2021.
“With the pace of digital adoption accelerating and a serious skills gap in the market, it is difficult if not impossible for a single organization to scale people, processes and technology to stay ahead of motivated adversaries,” Frey said.
“In today’s environment, it is unlikely an in-house organization will be able to scale and pivot as needed in a cost-efficient manner,” he said. In the public sector, by the time an agency identifies the threat and desired solution and conducts a traditional procurement, the threat has usually already been addressed by the private sector, he explained. “Strong partner ecosystems with flexible contracts will provide more robust and resilient cyber protections at an accelerated pace,” he said.
This environment is ripe for software vendors and service providers, especially those that have “dedicated resources, robust partnerships and solutions tailored to sector requirements,” the report states. That’s because despite the urgency to improve, both sides face challenges such as budget cycles, regulatory processes and outdated procurement processes.
“Public agency change tends to be slow, and often requires political and legislative change to allow, then enable and enforce, the needed organizational and cultural changes,” Frey said. “Agencies working with service providers and software vendors that have proven public-sector experience and expertise combining political savvy and organizational change management with core, cloud-first IT are the most likely to enable and adapt to new IT and ways of working – and therefore improve the IT and organizational climate for cybersecurity effectiveness.”
The report looks at five quadrants of cyber software solutions and services. The first is identity and access management, which it notes is expanding in need and use, although today remains largely in the form of multifactor authentication and single sign-on.
The second is data leakage and loss prevention and data security, which are influenced by the growth in cloud use and privacy regulations. The most effective solutions, the report states, enable classifying data by content and context, classifying risk by context and location, monitoring data behavior, and developing controls, training, adapting and communicating.
Third is technical security services, which the report defines as “integration, maintenance and support for IT security products or solutions.” It predicts demand for these services to grow rapidly along with the expectation of solution and platform adoption.
The fourth quadrant is strategic security services, which the report calls “the most important cybersecurity-related services over the long term,” and suggests public-sector agencies are looking for partners that “demonstrate in-depth technical expertise, backed by dedicated internal cybersecurity resources and an extensive network of technology partners.”
The fifth is managed security services, or the outsourcing of IT security management – currently an uncommon public-sector practice that the report states is changing out of “economic necessity.” The result will be agencies that need help transforming IT security management, and providers must be able to offer services that can scale along with agencies’ needs.
ISG expects four main conditions to influence the state and local cybersecurity market in 2023. Two are the leapfrogging from legacy to next-generation technology and an increase in integrative platforms. Third is a slow but steady move toward outsourcing business processes, “a sensitive concept, especially for those in municipal governments,” the report notes.
The final area is about a new tactical approach.
“Selecting neutral third parties with expertise in assessments and [cyber risk quantification] gives the public-sector agency an unbiased view into realistic options to protect critical assets,” Frey said. “The resulting roadmap from this process will identify services and partners that can quickly close major gaps while positioning the organization for long-term cyber resiliency. This approach also provides a clear view on the ROI of Build vs. Buy based on realistic market conditions and constant evolution of threats.”
As a result, the report states, the market in 2024 will likely see a surge in demand for systems, services, and data integration and management in addition to strategic consulting and training.
Stephanie Kanowitz is a freelance writer based in northern Virginia.