23 March 2023

Cybersecurity: Public versus Private Sector

RICH HEIMANN

Straddling the private and public sectors creates intrigue. We are often asked about the differences in each sector. However, questions about differences between sectors are always tricky to answer and depend on how we analyze the properties for comparison. In many obvious ways, no differences exist between the public and private sectors. Cyber is cyber, and cybersecurity goals are the same for government and private organizations that must manage risk and protect themselves from evolving threats.

Moreover, any question about what is happening in another sector (or industry) is a partial distraction because sector threats are unknown. Organizations can be overwhelmed if they rely too much on aggregate data and trends. What happens in the aggregate will happen only to some organizations. Government and private organizations must start with local knowledge. Cybersecurity leadership begins by understanding an organization’s personnel, infrastructure, assets, and threats, which means understanding local information and signals and acting locally. When local knowledge is acquired, work toward understanding global signals can begin. For example, threat intelligence offers organizations external information about and between sectors and industries that can be assimilated into those organizations’ continuous security lifecycles.

On the other hand, the government and private sectors deviate in different ways. The authors have helped many private sector cybersecurity leaders analyze return on investment to justify the cost of security products and services to management teams and corporate boards, despite the effort containing no value. One cannot know a priori the threat an organization faces, its consequences, or its cost. These calculations are guesswork, and no one should take them too seriously. Despite this, the private sector needs help to consider anything that fails to generate revenue as valuable, including cybersecurity. This misfortune is not a problem in government due to no revenue or profit-and-loss statements. Instead, the government has public funds, executive orders, and other directives that mandate security. The public sector utilizes mandates instead of building support organically and discovering new and unique ways security can support business functions. The over-reliance on directives can create a false sense that security has been accomplished with the stroke of a pen instead of seeing cybersecurity as a human and technological response to a constantly evolving digital threat.

Aspects of the government sector consider facets of the security problem that no company would consider. For example, the National Security Agency (NSA) protects natural security systems. Organizations like Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), and CYBERCOM protect critical infrastructure and identify best security practices to mitigate global risk, hidden interdependencies, single points of failure, and cascading failures that no single company would contemplate. An alternate way of thinking about the differences is that portions of the federal government dedicate serious thought and action to long and global vulnerabilities and risks. In contrast, a private company almost exclusively thinks and acts short and locally.

The private sector must protect corporate secrets, intellectual property, and personal information, and of course, protect against extortion. The government sector protects national secrets, which tend to attract the attention of sophisticated state actors. What organizations are protecting is different but so is the “why.” The private sector must protect its brand, customers, and shareholders, while the government sector protects citizens, critical infrastructure, and national security. We could go twelve rounds analyzing each aspect of cybersecurity in each sector. However, we would arrive where we started. Cybersecurity (and risk) is the same everywhere you go but in different ways.

No comments: