To the average citizen sat in front of their TV watching the evening news, the idea of digital transformation in government must seem yawningly obvious.
Government services must be connected and digitally available around the clock they are told … just like their online banking or shopping. They can be forgiven for shrugging, because it seems like a no-brainer. Except, of course, it isn’t.
Within the four walls of every agency, department or government office, the reality of delivering on the seemingly straightforward transformation vision is pressing down harder than ever thanks to mandates across all jurisdictions.
Yet too often — as consecutive high profile incidents have illustrated — delivering digital government can be fraught with perils ranging from accidental exposure of personal data to crippling cyber assaults that damage public confidence and trust.
Digital first means cyber first
Exposing government systems, services and transactions to the wilds of the web isn’t just a new cyber security ball game, it’s one where threats and risks are constantly evolving and shifting.
But so are citizen expectations.
The ‘digital first’ footing is one that departments have been committed to for the long-haul and it’s a top-line shift where everyone must get up-to-speed with new roles and rules. Quickly.
It means that now, more than ever before, cyber security must be baked into the very foundation of digital strategies to preserve confidence and resilience — rather than applied in retrospect or hindsight.
To meet the public demand for modern, convenient and robust service delivery, cyber security and risk management must be front-of-house for agencies and front of mind for the executive.
It’s no small ask, but when executed in a strategic and purposeful manner, cyber security actually empowers citizens and their services alike.
Risk aware, incident ready
While the spectre of unexpected and increasingly public cyber security breaches and incidents now looms larger than ever, seasoned experts and analysts are well and truly on the case.
But they have to speak a common language.
It’s true that risks can no longer be under-played, but organisations are beginning to work out what really works (and doesn’t) in order to minimise the risks.
Writing in a new report Cyber Security for Digital Government Leaders, Kevin Noonan, the lead government technology analyst for respected analysis and advisory house Ovum, asserts that a successful digital strategy must begin with cyber security at its core.
When services are going ‘digital first’ at the operational and delivery levels, digital risk management has to rise to the very top of the agenda right from the start.
Having studied and advised on dozens of programs of public sector work, Noonan observes that digital strategies are much more likely to fail if security is simply grafted on at the end of the process as an after thought.
“Government digital initiatives have moved on from early implementations that focused on simple apps and website consolidation,” Noonan says.
“It has become an increasingly complex journey and requires a stronger focus on new governance arrangements and whole-of-enterprise cultural change.”
Delegation isn’t a strategy
In interviews with more than 400 government executives to compile its report, Ovum found that 20% now view cyber security as the top issue in delivering real outcomes from a digital government initiative.
Just as importantly, more than half of the executives interviewed rank it as one of their top three challenges. The bottom line is that the needle has moved on the urgency of cyber security and it’s now in the executive red zone.
Significantly, Ovum’s research finds that it is no longer appropriate for organisations to seek to tackle cyber security as a technology challenge alone.
Only an holistic and practical approach to cyber security, ranging across public sector executives is sufficient for the necessary principles to permeate the whole process.
It’s a shift that not only reaches deep into executive and organisational culture but extends well into service design, organisational strategy and ongoing governance.
Noonan cautions that there is still some way to go in government fronting-up to the complexity of the challenge now at hand.
“The tough realities of digital government have not yet been fully accepted at a leadership level, Noonan says. He adds that “government executives tend to rate their digital preparedness very optimistically when comparing themselves against other government enterprises.”
Noonan notes that Ovum’s research on cyber security in government found that only 15% of public sector executives “admitted to being less prepared than other departments and agencies, while 51% believed they were doing better than everyone else.”
Meanwhile, some 32% of those surveyed thought they were “on par with others.”
“Of course, it is statistically impossible for everybody to be better than everybody else,” Noonan pointedly observes. “There is therefore a significant gap between perceptions of management preparedness and reality.”
Cyber foundations run deep
As one of the foundational technology developers of the web as we know today, Cisco’s views are pertinent because the company has always been at the coalface of cyber security and network resilience, well before they became top order issues.
A key contributor to cyber security research for more than three decades, Cisco’s enduring commitment has resulted in a body of considered, plain-spoken research that sits head and shoulders above more shouty, tactical and occasionally alarmist IT security marketing.
In a recent report looking at the challenges involved in securing digital healthcare organisations, Cisco highlighted the importance of executive leadership in the overall development and implementation of effective cyber security strategies.
Cisco found that in successful organisations, executives avoided the temptation to delegate responsibility to their tech specialists, and the tech teams undertook to improve their abilities to articulate risk in a non-technical way and seek strong business guidance to prioritise investment.
“Executive leadership must offer clear guidance to the IT team, indicating the most critical clinical and business applications. This enables IT to put appropriate controls in place, ensuring the best possible risk mitigation,” the report says.
“Given the importance of executive participation, executive teams must have a clear understanding of the potential impact of a cyber security breach. A breach can result in a loss of confidentiality, integrity or availability for critical clinical or business systems, leading to a damaged reputation, a decrease in public trust, and – in extreme cases – an increase to patient risk.”
That is not to say that cyber risk management is solely down to organisational cooperation. Technology itself remains a crucial pillar, and Ovum’s report recommends organisations make a rethink of their security architecture a key pillar of digitisation.
“The industrialisation of hacking requires a much more integrated security response, as older point solutions are fast becoming ineffective,” the Ovum report says.
In other words, old-style perimeter fencing-like solutions are out, and security baked into every layer of the infrastructure stack is in.
Ovum warns that while amateur hackers still exist, there are now many professional cyber crooks, looking to breach systems at an industrial scale. State actors are also active in the game.
As such, government organisations need to make sure that their corporate governance includes being as up-to-date as possible about the evolving threats.
Coherent view, coordinated response
While it is important to have a level of expertise within any organisation, the emerging consensus in both corporate and government circles globally is that a coordinated approach to cyber threat mitigation is the only effective defence.
Organisations must lean on the expertise of their peers in other organisations and importantly recognise the crucial up-to-date knowledge that is on offer from commercial partners in the technology vendor community.
The companies that sell technology to large enterprises are more concerned than anyone about defending their systems against intrusion, and conduct some of the most in-depth research available in the field to share ideas.
Put simply, it’s a symbiotic relationship.
Cisco’s 2017 Annual Cyber Security Report provides a detailed breakdown on the changing behaviour of would-be hackers and expands on an array of strategies to meet the expanding threats.
These companies work on the front-line of cyber security, and should be expected to provide more than just a solution in a box.
From a product perspective, Ovum suggests that anyone charged with the responsibility of selecting solutions from vendors keep three criteria in mind.
Firstly that the system is simple from their perspective … any complexity in the underlying network should be managed and understood by the vendor.
Secondly the system should be open in the way it is designed, so that it can be adjusted and expanded to reflect evolving threats.
Finally a solution should have a level of automation that allows it to respond to suspicious activity without the need for staff at the organisation to manually approve it.
Of course there is no single solution or step that can guarantee safety in an online environment.
But approaching digital transformation with cyber security baked-in right from the start means innovative ideas stand the best chance of becoming reality and going on to delight customers.
Want to learn more about how to harness cyber security to power your organisation’s digital transformation? Download the report Cyber Security for Digital Government Leaders from Cisco and Ovum.