Public sector organizations have been focused on ‘incrementally better’ solutions for too long. The cybersecurity industry has a $10.5 trillion problem. Getting there by inches won’t solve this crisis.
In 2019, the U.S. Senate Permanent Subcommittee on Investigations issued a report that highlighted systemic failures of eight key Federal agencies to comply with Federal cybersecurity standards. This week, the U.S. Senate Homeland Security and Government Affairs Committee issued a follow-up report entitled, “Federal Cybersecurity: America’s Data Still At Risk,” that shows seven out of eight federal agencies still have not met the basic cybersecurity standards necessary to protect Americans’ sensitive data.
The report gave the federal agencies’ overall information security maturity an average grade of C-.
Unfortunately, these findings are not surprising for a number of reasons. First, today’s adversaries have adapted to the changing threat landscape – they are more skilled, faster, and better funded.
Second, according to the report, seven out of the eight agencies used “legacy systems or applications no longer supported by the vendor with security updates.” Based on my career experience in the Public Sector, I can attest that a large number of these important institutions have incurred a huge amount of technical debt that can’t be kept secure just by patching alone.
In our new blog series on legacy systems entitled, “Essential Protection for Legacy Applications – Part I” published earlier this week ahead of the report, we noted:
“The trouble arises when the application has been ingrained in an infrastructure for a long time but fails to keep up with patching and updates because it is tied to a particular service or function. Typically, the older the application, the harder it is to upgrade or replace and it is often part of complex custom deployments.”
Yet while legacy systems will always remain an attractive adversarial target, they don’t have to be a successful target. However, it’s our belief that public sector organizations have been focused on ‘incrementally better’ solutions for too long. As a cybersecurity industry, we have a $10.5 trillion problem to solve. Getting there by inches won’t solve this crisis. Software has become the black hole, as evidenced by the multitude of recent supply chain poisoning and ransomware attacks, so a radically different approach is needed to protect all software as it runs—in real time—in a completely automated fashion. That means zero dwell time for adversaries and much better grades for federal agencies.
Kevin Jones is Virsec’s VP Public Sector and Corporate Development and has deep experience in the cybersecurity and government market. Prior to joining Virsec, he led Public Sector and government strategies in senior positions with CrowdStrike, SkyHigh Networks, Symantec, and Clearwell.