Executive Summary: ISG Provider Lens™ Cybersecurity – Solutions and Services - U.S. Public Sector 2024
The individual quadrant reports are available at:
U.S. public sector agencies must fight increasingly sophisticated attacks on a constant basis
Data breaches are costly. The average U.S. cybersecurity breach cost across the public and private sectors is $9.5 million per breach. U.S. government agencies are not exempt from this, despite the government spending substantial sums on cybersecurity. At the federal level, the budget for 2024 is projected at $12.7 billion. The largest allocation is for the Department of Homeland Security (DHS), with a budget of over $3 billion. The federal government funds the State and Local Cybersecurity Grant Program (SLCGP), which allocates funds to states. The budget for this program was $400 million in 2023. This amount is typically matched by state funding for cybersecurity projects, reflecting the high degree of spending required to allow agencies to stand still from a cybersecurity perspective.
Research shows that cyberattacks impact approximately two-thirds of U.S. citizens.
Downtime for one breach in the local government was five months. When examining the attack targets, the top five states are Texas, Georgia, California, Florida and Pennsylvania.
This should be a concern for anyone closely monitoring the U.S. government, cybersecurity and geopolitics. Globally, across public and private sectors, cybersecurity represents a fundamental issue that can challenge the viability of organizations, regardless of their culture, safeguards and capabilities. The positive sign is that the U.S. government’s focus on managing cybersecurity issues is improving; however, legislative and regulatory responses must be accelerated to keep pace. It is also evident that there is a significant divergence across government agencies regarding preparedness quality, vulnerability level, staff training and the successful defense and response to attacks. Small local agencies can be incredibly vulnerable and provide an entry point for hostile actors to more lucrative data-rich agencies and those that manage the critical infrastructure and data properties of the U.S. local, state and federal governments.
New potential threats arising from emerging technologies: Technology and innovation are essential for government agencies to build their capabilities and solutions for stakeholders. At the same time, new technology presents new opportunities for exploitation. GenAI is the latest example of this. GenAI will provide substantial benefits for agencies by optimizing service delivery for stakeholders, engaging in new technology, and maximizing the value of the data generated. At the same time, GenAI represents the latest end-to-end threat to government cybersecurity. This is going to be particularly true for those agencies that still lack a strong capacity for investing in robust systems from a cybersecurity perspective. GenAI could quickly turn from a value driver to a risk crisis point if an ill-considered investment is made.
Furthermore, the deployment of GenAI-based tools and large language models will drive the exploitation of government agencies. It is a compelling arms race; the more innovation occurs, the more the risks and threats increase for both the public and private sectors, and the more that can be done to help mitigate threats. One of the challenges for government agencies in this environment is that they are forced constantly to look in their rear-view mirror. It is not easy to get ahead of the market, particularly at a time of frugality in a large proportion of government agencies at all levels of government.
Investment in skills will be accelerated. Over the next five years, a growing number of new jobs are needed to support the rising demand for cybersecurity services in the U.S. public sector. In addition, any government employee with any connection or contact with data and technology will need increasing training in cyber awareness and basic governance requirements. This is an expensive undertaking and one that will challenge many agencies. Any shortcomings in this will ensure that aggressive parties identify and exploit vulnerabilities.
Significance of education in addressing internal threats: External ransomware attacks, state-based hacking and other high-profile issues often gain attention. However, the always underrated security threat is from within. In some cases, this activity is nefarious, and in other instances, it is merely a result of user error stemming from ignorance, poor training or simple carelessness. Such issues still present significant challenges, underscoring the increased role of training, access control development and consistency alongside monitoring capabilities. It is worth noting the connection between technology security and physical security. Agencies that leave doors unlocked and fail to manage access passes are likely to be more vulnerable in their technology security. This is due to the simple fact that attitude toward security is critical; any lax approaches in either domain will inevitably spill over.
Fundamentals of zero trust: Many agencies in the U.S. public sector and key regulators require a zero trust approach to cybersecurity. This approach requires mandates to protect critical infrastructure. Additionally, there is an increasing demand for simplicity and flexibility to be aligned with effective security solutions. Cybersecurity providers must develop more comprehensive offerings that target an increasingly diverse customer base across the breadth of the sector while also adapting to their rapidly changing needs.
Accelerating vendor consolidation: Unsurprisingly, vendor consolidation is accelerating, driven by several related factors. It represents a natural shift where larger vendors acquire smaller firms to fill critical offering gaps, acquire skills or enter new markets. At the same time, this trend is also being driven by demand in both the public and private sectors. It is evident that proactive cyber management is becoming more challenging with each passing day. Integration issues are rampant, sometimes even within a single provider’s set and across the many platforms required to manage a secure agency successfully. The increased cost of service delivery and managing a range of security providers has enabled consolidation to make management more accessible for clients and achieve the long-held goal of an integrated capacity for security.
More sophisticated U.S. government agencies are proactively looking to increase investments in incidence response automation to reduce their level of investment and skills required for attack containment and remediation. As highlighted, AI has been a hot topic of discussion for both offensive and defensive actions in the U.S. public sector; automation represents a means of reducing human interaction on recurring tasks. Increasingly, there is a requirement for effective validation and analysis to accompany threat-hunting exercises.
Challenges of security ownership in government agencies: Each agency has a different structure depending on its services, location, size and scale. However, the bottom line is that the head of the agency or university has to take investments and outcomes of cybersecurity within their scope of responsibilities. A chief information security officer (CISO), if one exists, cannot operate in isolation. Data is data; some agencies, and their private sector counterparts, risk delineating data between internal and external (or customer) data. Cybersecurity risks are too high to adopt this fragmented approach. Training requirements must be more explicitly prioritized across all levels of the organization, as humans are the source of error on many occasions.
Access to the full report requires a subscription to ISG Research. Please contact us for subscription inquiries.