
Why 'good enough' isn't good enough for IT security and compliance in the public sector

The public sector is becoming increasingly reliant on technology: electronic records, digital identities, document digitization - the list goes on. More and more data is being stored and exchanged digitally, and due to the nature of the services provided by the public sector, much of this data is sensitive and personal information.

Data breaches can have a major impact, not only on the organizations and the individuals affected, but also on the trust and confidence of the public in the services provided. Unfortunately, there are thousands of data breaches in the public sector every month.

It’s clear that something needs to change. Yet in a recent global study, we learned that a huge 91% of IT decision makers indicated that they could be more progressive with how they manage risk. This collective self-reflection raises the question: what does progressive and compliant IT security actually look like for the public sector?

Frequently reviewing security practices

A frequent review of security practices must be the starting point of any progressive approach to IT security. Cyberthreats are constantly evolving, new technologies are introduced, and our behavior changes over time. With such a rapidly changing landscape, security practices must be continuously reviewed to stay relevant. Indeed, 51% of IT leaders in central and local government agree that a more frequent review of security practices is key in implementing a more progressive approach to IT security.

However, more than half (55%) of the same IT leaders indicate that their last security review was over a year ago, while just 28% indicate that their approach is under constant review. 

Proactive risk management

Although frequent review of security practices is key, it won’t do much good unless combined with a proactive approach to risk management. This means not simply responding to incidents and data breaches when they occur, but actively identifying potential risks and implementing countermeasures.

Almost half (42%) of IT decision makers in central and local government agree that progressive risk management should be more proactive than reactive. That means that more than half (58%) seemingly do not consider proactive risk management a part of progressive IT security. However, if we are to have any hope for a reduction in the number of data breaches and IT security incidents, proactive risk management needs to become the norm.

In adopting proactive risk management, IT leaders and security specialists must also take a true risk-based approach tailored to their organizations. In the same way a sailboat heading for an ocean crossing must take different safety precautions from a dinghy out for the afternoon, each organization must evaluate the risks they face and put the necessary measures in place to mitigate them. IT leaders in central and local government agree: the most frequently mentioned attribute for CISOs and security specialists in the next two years is their flexibility to change approach as the landscape shifts (53%), followed by analytical skills in assessing threats (47%).

Compliance is a minimum requirement

While it is key for organizations to be compliant, it is impossible for laws and regulations to keep pace with the rapidly changing landscape. Compliance can therefore only be seen as a bare minimum. A proactive approach also means that organizations must take matters into their own hands, going beyond the compliance requirements depending on their own risk assessment. At the same time, given their governmental nature, central and local government organizations are in a prime position to help shape future regulations and security standards to benefit not just themselves, but other sectors too.

Smart technology: The key to progressive IT security

This brings us to the third and most important factor in progressive IT security: increased use of smart technologies. Whether a data breach is intentional or accidental, almost all data breaches involve a human element, and here lies the opportunity of modern technology. 

Smart technology can detect sensitive information in our digital communications and ensure it is appropriately secured. Machine-learning-powered solutions can spot potential incidents caused by human error, as well as suspicious or unusual activity. They can even detect technical anomalies that would go unnoticed by a human. And these opportunities are not unrecognized; when asked what progressive risk management looks like, the majority (53%) of IT leaders in the public sector indicated that it involves more use of smart technologies.

Beyond directly protecting against data incidents, it’s not a stretch to see how smart technology can also assist IT leaders in frequently reviewing their security practices and taking a proactive approach to risk management. Insights and suggestions can assist them in reviewing the effectiveness of their current security measures, evaluating their exposure to risk and proactively identifying improvements.

Smart technology is the key that unlocks a whole new world of possibilities when it comes to progressive IT security - and this is just the beginning.

Find out how we're supporting over 6,000 organizations globally to ensure compliance and drive better IT security. 

Last updated - 14/02/23