Massimiliano (Max) Claps, Research Director, IDC Government Insights
Rémi Letemple, Senior Research Analyst, Government Insights

Cybersecurity threats continue to increase. According to ENISA’s 2023 Threat Landscape report, around 2,580 incidents were observed in the EU between July 2022 and June 2023, compared with fewer than 800 in the previous reporting period. ENISA reported that 19% of events targeted public administrations, by far the most-targeted sector.

Government chief information security officers (CISOs) are not resting on their laurels. They understand that cybersecurity is important.

IDC’s EMEA Cross-Industry Acceleration Survey, conducted in December 2023, found that 91% of government executives were planning to maintain or increase their level of spending in cybersecurity. In the many one-on-one conversations that IDC Government Insights analysts have had with government CIOs, CISOs, and other IT executives, cybersecurity always stands out as a “ring-fenced” item protected from budget cuts.

But given the rising volume, variety and velocity of threats, ring-fencing budgets is not enough — a change of paradigm is in order.

Paradigm Shift: From Protecting the Perimeter to National Survivability

The most forward-looking governments understand that the old mindset focused on protecting the individual government agency, or even the individual system or digital citizen service app, is insufficient. They understand that governments play a key role in national digital and physical services and infrastructure resilience and survivability.

To deliver on this higher purpose, government CISOs need to look beyond their organizational boundaries, take a whole life-cycle approach to cybersecurity, and provide knowledge to non-security experts to enable them to act responsibly.

Looking beyond organizational boundaries means collaborating across public administrations and the private sector to create a resilient ecosystem. Beyond the NIS2 Directive’s mandatory obligations — such as establishing at least one computer security incident response team (CSIRT) in each EU member country — resilience comes through the collective effort of cybersecurity specialists within ministries of defense, police forces, intelligence agencies, and all other public administrations.

In a recent IDC conversation, a senior IT leader at a regional government institution emphasized how important it is for all levels of government to collaborate within the ecosystem to protect against the spike in attacks that usually occurs in the months before and during major events such as the Olympics, the World Expo, the FIFA World Cup, or a G7 meeting. Participants should include transportation operators, payment and banking service providers, telcos, utilities, and travel and hospitality companies.

Taking a life-cycle approach to cybersecurity means maintaining the hygiene of systems, protecting them, and responding to events at every stage from development through decommissioning. Hygiene starts with security by design, DevSecOps and application security best practices, and vetting hardware and software supply chain bills of materials against security and compliance requirements.

Data hygiene is paramount — not only to comply with regulations that protect sensitive data, but also to increase the resilience and visibility of all data sets critical to government operations. Holistic protection requires enhancing the observability of the broader landscape.

CISOs should demand that their cybersecurity solution providers make available AI/ML solutions and AIOps practices that can increase the productivity of observability and detection.

Incident response must be grounded on governance processes and structures that enable timeliness and coordination. Throughout the life cycle, government CISOs should regularly upgrade their team’s skills, not only traditional cybersecurity skills but also legal skills, AI ethics, bias testing, and prompt engineering.

Ensuring that security and non-security experts have the right knowledge to act responsibly is a major people and organizational transformation effort. Investing in programs to raise the cybersecurity awareness of civil servants, other industries, and the general public is critical.

It is also important for CISOs to articulate the value of cybersecurity to the elected and appointed officials who make budget decisions. CISOs and their teams that are able to articulate the value of cybersecurity in terms of business risks will raise their profile internally and be recognized as strategic decision makers.

Technology developments will help CISOs accelerate the paradigm shift. In particular, the automation and orchestration of processes related to security and privacy will help address the skills gap and accelerate the detection of malicious behaviors, threat response, and remediation actions.

European government CIOs and CISOs that combine tool investments with a holistic approach to cybersecurity will boost the resilience of their organizations and of the communities they serve, and will increase citizens’ trust in government. Those that focus on siloed system protection and legacy operating models and competencies will not be able to respond to threats and will be relegated to the role of gatekeepers who eventually lose influence and budget.
