A large majority (87%) of security leaders say their organizations are not sufficiently addressing cyber risks, according to the CSO 2020 Security Priorities Study.

That’s not necessarily surprising given the sophistication of threats today. The attack landscape is quickly expanding, with nation-state attacks such as SolarWinds and HAFNIUM causing challenges for many public sector CISOs and CSOs.

The U.S. government has taken notice and has just approved the funding to dramatically improve federal executive branch cyber security capabilities and the capacity for the federal government to work with state, local, tribal, territorial, and critical infrastructure organizations. The recently enacted American Rescue Plan allocates $1 billion to the Technology Modernization Fund and $650 million to expand the capabilities of the Cybersecurity and Infrastructure Security Agency.

With an opportunity to make transformational changes, many leaders are asking:

• How do we know that the proposed changes will address the most risk?
• How will we measure the impact of the proposed changes?
• How will we be sure that we are realizing the benefits once the changes are implemented?

Before agencies use those funds—and especially prior to making significant transformation changes—it’s important to select the right elements. For example, choosing a technology just because it has been on the security team’s wish list for a long time doesn’t mean that solution is better at addressing cyber risk than other potential investments.

In other words, how can you know that your investments are the right ones?

Optimizing Your Cyber Investments

There are many elements—processes, software, hardware, skill capabilities—to consider when planning for cyber defense. Agencies should seek to understand what’s currently working, ways to align capabilities with mission requirements, the current threat environment, and ways to operate at full skills capabilities despite personnel shortages.

Focus on What’s Working

Before spending on new capabilities, it’s critical to know how well existing security investments are working. That requires accurately and frequently measuring the effectiveness of existing security tools.

One way many public sector organizations are achieving this is with Mandiant Security Validation. Mandiant Security Validation puts security posture to the test—literally—by safely running relevant cyber attacks against production environments. Organizations come away knowing exactly:

• How effective their existing security systems and processes are at identifying and responding to relevant threat activity.
• The areas that present the most risk to the organization.
• Where subsequent investments will mitigate the most risk.

Conduct Periodic Assessments

Every organization evolves. Missions are added, changed or retired. Updated projects may require different levels of data, application or infrastructure protection. That’s why it’s important to periodically assess the cyber security program to ensure that it remains optimally organized, prepared, capable, and aligned with overall mission requirements.

Many public sector organizations utilize Mandiant Consulting services to conduct a variety of annual assessments that range from red teaming and tabletop exercises to full security program reviews. Periodic assessments ensure that cyber defenses are mitigating risks and meeting operating objectives.

Focus on Relevant Threats

Most threat actors have a modus operandi, meaning they focus on victims with similar profiles and tend to use the same tactics, techniques, and procedures across multiple attacks. For example, Mandiant-identified FIN actors are financially motivated and have historically focused their attacks on organizations in the financial industry. If organizations want to stay ahead of today’s sophisticated threats, it is imperative that they align their cyber capabilities to rapidly detect potential attack activity by their most likely attackers.

Mandiant Advantage: Threat Intelligence helps organizations protect against targeted attacks more effectively by enabling them to:

• Understand the attackers they are most likely to face
• Understand which capabilities must be in place to detect those threat actors rapidly and consistently within their environment
• More effectively hunt for threat actor activity within their environments
• Anticipate attacks by understanding industry attack events and trends

Operate at Full Capability

Survey after survey shows that the talent gap remains a top challenge facing security leaders. Undertrained teams struggle to effectively manage risk, and the problems compound when cyber operations teams are understaffed and overworked.

Many public sector organizations are operating at full skills capability despite being understaffed. FireEye is helping to fill these consequential skills gaps by enabling customers to call upon Mandiant experts on an as-needed basis. Mandiant Expertise On Demand provides a flexible set of on-demand expert capabilities that enable security teams to call upon the specific expertise they need, when they need it. Cyber leaders find that the ability to rapidly engage experts, as needed, is delivering many positive benefits, including a more effective security operation, happier employees, lower turnover, improved response times, and reduced overall risk.

Tying It All Together

Cyber security leaders are finding today that the actions outlined in this post are providing the information and capabilities they need to determine where each future investment dollar will mitigate the most risk. They do this by knowing themselves (Mandiant Security Validation and periodic assessments), knowing their enemy (Mandiant Advantage: Threat Intelligence), and filling their ranks with experts as needed (Mandiant Expertise On Demand). It’s a winning strategy.