Overall, Moyles adds, the most important takeaway from the survey data is agencies’ emphasis on continuous monitoring.
"The fact that it’s not just about checking the box so you can say you’re doing it. The point is to get to some kind of awareness of risk," he says. "The people I spoke to ... we’re pretty adamant about the fact that just monitoring something just because you can isn’t valuable. It’s about tying it back to the risk."
Moyle says he reached out to professionals working in the private sector regarding useful metrics for continuous monitoring, and he found a willingness in the private sector to work closely with public sector counterparts to carve out a solution for government agencies.
"Folks on the federal side that might not be used to working with people in the private sector that can really drive some value from what’s going on in the private sector metrics community," he notes. "That was news to me. I think a lot of folks in the federal space might not necessarily realize this."
In other words, in the near term, there are a lot of federal IT managers who are wasting their energy spending time seeing what data they can gather, though it isn’t tied to any clear and present danger.
"As a general call to action across the federal space, maybe it makes sense to spend some time gauging where agencies are from a risk standpoint before they really go too far down the continuous monitoring road," says Moyle. "The pressure [from above] is for the opposite, however."
Learn more about Research: Federal Government Cybersecurity Survey by subscribing to Network Computing Pro Reports (free, registration required).
To realize the benefits of cloud-native software, an application must actually be cloud-native—designed to run in the cloud, interacting with disaggregated cloud services, fully manageable as code—to deliver the expected benefits.
By combining resources and expertise, the AI-Enabled ICT Workforce Consortium will offer a blueprint for how industries can adapt to an AI-dominated future.
IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.
