When a government entity sets its cybersecurity policy, it faces challenges that the private sector need not worry about.
“Your typical public sector CISO is as capable as their private sector counterparts,” says Rob Sheldon, CrowdStrike’s Head of Technology Strategy, Public Sector. “But they often lack the resources or freedom of action necessary” to make the kinds of nimble changes that private sector professionals can make to ensure cybersecurity.
Unique challenges like these, combined with the fact that government agencies are focused on serving constituents and accomplishing their mission – not cybersecurity – make them not only prime targets, but highly susceptible to cyberattack.
Working together across government and with the private sector is essential for government agencies to identify new cyberthreats and learn best practices for defending their networks and data. This is why events like Fal.Con for Public Sector matter to those in the government cybersecurity space: they offer a chance to learn, network and share best practices with leading cybersecurity professionals from the public sector and experts from private industry.
With years of experience across the globe helping governments set their cybersecurity policies, Rob Sheldon, who will be leading a panel on ensuring election security on June 24th, is just one of the many thought leaders that attendees can learn from during the Fal.Con for Public Sector virtual event.
To get a sense of what best practices he has picked up working with governments around the world and to preview what attendees can expect to learn at the conference, we sat down with Mr. Sheldon for the following conversation:
GCH: What do you think are the most pressing cybersecurity issues that are facing the public sector today? How are they different than what is facing the private sector?
Rob Sheldon: Public sector cybersecurity outcomes are severely affected by broader constraints on IT budget, procurement, and workforce training and retention. Your typical public sector CISO is as capable as their private sector counterparts of comparably-sized entities. But they often lack the resources or freedom of action necessary to modernize or depreciate legacy systems, implement emerging security technologies and controls, hire for new skillsets, or cut losses from nonperforming technology deployments or vendors. So every technology decision in the public sector is high-stakes—and highly scrutinized.
In the meantime, the threat environment is at least as severe for public sector entities as it is for those in the private sector – and frequently more severe. While the threats are incredibly diverse, ransomware has emerged as the central threat to state and local and health care entities over the last 18 months or so.
GCH: Throughout your career, you have had substantial international experience. How does that color your insights when you look at cyber issues in the U.S.?
Rob Sheldon: I have had the opportunity to work with a number of U.S. partners and allies on domestic cybersecurity policy matters and bilateral cooperation. One major takeaway is the extent to which decidedly non-cybersecurity matters bear on cybersecurity priorities and outcomes.
Have an existential geopolitical foe? How about a vibrant startup culture? Have a centralized Department of Technology? Can they get appropriations over a multiyear time horizon? What are the prevailing social attitudes on privacy? What’s the tone of the public sector/private sector relationship? Is the concept of “loose lips sink ships” or similar in your cultural memory?
These sorts of topics are upstream of countries’ cybersecurity strengths and deficiencies, and often frame needs and priorities around security investments, standards, controls, and so on.
The lesson here is, if I’m talking with a U.S. federal or state/local government entity, I try to understand the specific context in which they operate. As a practical matter, that usually means doing research beforehand, asking a lot of questions, and accepting that entities will arrive at different conclusions about how to address similar problems.
GCH: What can domestic government organizations, from state and local all the way to federal, learn by absorbing international best practices? Why is it important for them to do so?
Rob Sheldon: The U.S. is fortunate in that it leads in many cybersecurity-related areas, but lessons can absolutely be drawn from elsewhere.
For example, the recent Cyber Solarium Commission report cites the UK’s National Cybersecurity Center as a promising model for public-private collaboration. Other countries have found creative solutions for things like assessing foreign investments, e-government programs, or attracting technical talent. Few international policies can or should be directly emulated, but some offer helpful insights.
GCH: What are you planning to discuss during your session at the upcoming Fal.Con Public Sector virtual event?
Rob Sheldon: The panel I’ll moderate will focus on election security—an issue of critical importance this year. We’ll focus on key cybersecurity issues, including changes in the cyber threat landscape for elections-relevant entities. We’ll also discuss steps organizations can take to strengthen their defenses before November. We have some exceptional panelists lined up, so we’re anticipating an insightful conversation.
GCH: Who do you think would benefit from attending Fal.Con this year? Why is now an important time to hold this event and why is it important to bring this community together – even virtually?
Rob Sheldon: In keeping with tradition, this year’s Fal.Con is designed to appeal to a broad range of the IT, cybersecurity, and cyber policy community. Everyone from Security Operations Center operators to cyber threat intelligence analysts to IT leadership will find the program engaging. We have different tracks to appeal to people with different specializations, but we do hope that participants take the opportunity to join presentations from speakers in other areas.
Most cybersecurity practitioners are comfortable convening virtually—so our community is more resilient than most to COVID-19-related shifts away from in-person gatherings. And there’s a great deal of value in gathering at a prescribed time, rather than attendees absorbing discussions and events asynchronously. This is essentially the appeal of discussing real-time events on social media, or streaming a popular TV series soon after its release.
We anticipate that Fal.Con for Public Sector will be a significant event for the cybersecurity field—and like previous years, drive the conversation going forward.